Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Dump GAL from OWA
T1010: Application Window Discovery
T1087: Account Discovery & Enumeration
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Detecting Sysmon on the Victim Host
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Detecting Sysmon on the Victim Host

Exploring ways to detect Sysmon presence on the victim system

Processes

[email protected]
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

Note: process name can be changed during installation

Services

[email protected]
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
# or
Get-Service | where-object {$_.DisplayName -like "*sysm*"}

Note: display names and descriptions can be changed

Windows Events

[email protected]
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

Filters

[email protected]
PS C:\> fltMC.exe

Note how even though you can change the sysmon service and driver names, the sysmon altitude is always the same - 385201

Sysmon Tools + Accepted Eula

[email protected]
ls HKCU:\Software\Sysinternals

Sysmon -c

Once symon executable is found, the config file can be checked like so:

sysmon -c

Config File on the Disk

If you are lucky enough, you may be able to find the config file itself on the disk by using native windows utility findstr:

[email protected]
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*

Get-SysmonConfiguration

A powershell tool by @mattifestation that extracts sysmon rules from the registry:

[email protected]
PS C:\tools> (Get-SysmonConfiguration).Rules

As an example, looking a bit deeper into the ProcessCreate rules:

[email protected]
(Get-SysmonConfiguration).Rules[0].Rules

We can see the rules almost as they were presented in the sysmon configuration XML file:

A snippet from the actual sysmonconfig-export.xml file:

Bypassing Sysmon

Since Get-SysmonConfiguration gives you the ability to see the rules sysmon is monitoring on, you can play around those.

Another way to bypass the sysmon altogether is explored here:

References

​

Previous
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Next - offensive security
Privilege Escalation
Last updated 2 years ago
Contents
Processes
Services
Windows Events
Filters
Sysmon Tools + Accepted Eula
Sysmon -c
Config File on the Disk
Get-SysmonConfiguration
Bypassing Sysmon
References