# Detecting Sysmon on the Victim Host

## Processes

{% code title="attacker\@victim" %}

```powershell
PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
```

{% endcode %}

![](/files/-LOOgheZa0IieeWu1os4)

{% hint style="warning" %}
Note: the process name is simply the executable name, and the executable can be renamed before installation, so a missing `Sysmon` process proves nothing on its own.
{% endhint %}

## Services

{% code title="attacker\@victim" %}

```powershell
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
# or
Get-Service | Where-Object { $_.DisplayName -like "*sysm*" }
```

{% endcode %}

![](/files/-LOOighsvbnGtFYmGnBi)

{% hint style="warning" %}
Note: the service name follows the executable name, the driver name can be chosen with `-d` at install time, and display name and description can be edited afterwards (for example with `sc.exe description`), so the absence of a match is not conclusive.
{% endhint %}

## Windows Events

{% code title="attacker\@victim" %}

```powershell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
```

{% endcode %}

![](/files/-LOOjHPWGDSHkbU5Pwvj)

The channel name comes from the Sysmon event manifest and does not change when the service or driver is renamed. The key lives under `HKLM\SOFTWARE`, which is readable from a standard user context, so this check works even when the log itself cannot be read.

## Filters

{% code title="attacker\@victim" %}

```powershell
PS C:\> fltMC.exe
```

{% endcode %}

Note that even though the Sysmon service and driver names can be chosen at install time, the minifilter altitude allocated to Sysmon is `385201` (it is on Microsoft's allocated-altitudes list), and `fltMC` shows it regardless of what the driver is called. Two caveats: `fltMC` needs an elevated prompt (unprivileged it fails with access denied), and the altitude is just a registry value under the driver's service key, so an administrator can change it after installation. Treat a missing `385201` as a strong hint, not proof, that Sysmon is absent.

![](/files/-LOOjlnxkHRyqT6nLFzU)
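Pulling the process, service and filter checks above together, here is an added PowerShell example (not code from the original page) that hunts a renamed install from one prompt: it finds the driver by its altitude rather than its name, reads the size of the compiled rule blob from the driver's registry key, and finds the user-mode service by its binary's version resource and default description instead of its service name. It assumes the altitude is still `385201`, that Sysmon stores its compiled rules in `<driver service key>\Parameters\Rules`, and that the product-name and file-description strings it checks are those of current Sysmon builds; verify the last one against your own copy.

```powershell
# Added example (not part of the original page): hunt for a renamed Sysmon install by
# pivoting on artefacts the installer does not let you rename.
# Assumptions, marked inline: 385201 is the minifilter altitude allocated to Sysmon;
# Sysmon keeps its compiled rule blob in <driver service key>\Parameters\Rules; the
# version strings checked in Find-SysmonService are the ones seen on current builds.

function Find-SysmonDriver {
    [CmdletBinding()]
    param(
        # Altitude from Microsoft's allocated-altitudes list (assumption: not edited post-install)
        [string]$Altitude = '385201'
    )
    # Every minifilter registers Instances\<name>\Altitude under its kernel service key,
    # whatever the service is called. Reading HKLM\SYSTEM\...\Services normally works
    # without elevation, unlike fltmc.exe; keys we cannot open are skipped silently.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\*\Instances' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('Altitude') -eq $Altitude } |
        ForEach-Object {
            # $_.Name is HKEY_LOCAL_MACHINE\...\Services\<Driver>\Instances\<Instance>; drop the last two parts
            $driverKey = $_.Name -replace '\\Instances\\[^\\]+$', ''
            $props     = Get-ItemProperty "Registry::$driverKey" -ErrorAction SilentlyContinue
            $rules     = Get-ItemProperty "Registry::$driverKey\Parameters" -Name Rules -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DriverService = Split-Path $driverKey -Leaf
                InstanceName  = $_.PSChildName
                ImagePath     = $props.ImagePath
                # Size of the binary rule blob; 0 means no config pushed (or the key is not readable)
                RuleBlobBytes = if ($rules) { $rules.Rules.Length } else { 0 }
            }
        }
}

function Find-SysmonService {
    # User-mode half: the service name follows the executable name, so go by the
    # binary's version resource and by the default description instead.
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        # PathName may be quoted and carry arguments: '"C:\x\y.exe" -arg' -> 'C:\x\y.exe'
        $exe  = $_.PathName.Trim('"') -replace '\.exe.*$', '.exe'
        $info = (Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue).VersionInfo
        # Assumption: Sysmon's version resource carries these strings; verify on your build
        $looksLikeSysmon = $info -and (
            $info.ProductName -like '*Sysmon*' -or $info.FileDescription -like '*System activity monitor*')
        if ($_.Description -eq 'System Monitor service' -or $looksLikeSysmon) {
            [pscustomobject]@{
                Service     = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                Binary      = $exe
                ProductName = $info.ProductName
            }
        }
    }
}

Find-SysmonDriver  | Format-Table -AutoSize
Find-SysmonService | Format-Table -AutoSize
```

The driver lookup is the more reliable half: it keys on the altitude rather than on anything an operator types at install time, and the `RuleBlobBytes` column tells you a configuration has been pushed before you go to the trouble of parsing it.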

## Sysmon Tools + Accepted Eula

{% code title="attacker\@victim" %}

```powershell
ls HKCU:\Software\Sysinternals
```

{% endcode %}

![](/files/-LOOkcleCCvSzv-kmWDX)

The `EulaAccepted` value is written to the hive of the account that ran the installer, so you only see it here if you are running as that user; other users' hives sit under `HKEY_USERS` and are only readable with sufficient privileges.

## Sysmon -c

Once the Sysmon executable is found (go by the service's binary path, since the executable can be renamed as well), the active configuration can be dumped with `-c`. This needs an elevated prompt:

```powershell
sysmon -c
```

![](/files/-LOOvPUPPG3UZl4cGM6z)

## Config File on the Disk

If you are lucky, the configuration XML itself is still on disk, and the native Windows utility `findstr` can grep for it recursively (`/s`) and case-insensitively (`/i`). Without `/c:`, findstr treats each space-separated word as a separate search term, so the pattern below matches lines containing either `<ProcessCreate` or `onmatch="exclude">`, which is loose but good enough to surface candidate files:

{% code title="attacker\@victim" %}

```powershell
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
```

{% endcode %}

![](/files/-LOOyZ8B1S66xdWiTWar)

## Get-SysmonConfiguration

`Get-SysmonConfiguration`, from @mattifestation's PSSysmonTools, reads the binary rule blob Sysmon stores in the registry and parses it back into readable rules, so it works even when the XML is gone from disk. Import the module first:

{% code title="attacker\@victim" %}

```powershell
PS C:\tools> Import-Module .\PSSysmonTools   # cloned module folder, assumed to be in C:\tools
PS C:\tools> (Get-SysmonConfiguration).Rules
```

{% endcode %}

![](/files/-LOOoAGwjhaEnNsXljLG)

As an example, looking a bit deeper into the `ProcessCreate` rules:

{% code title="attacker\@victim" %}

```powershell
(Get-SysmonConfiguration).Rules[0].Rules
```

{% endcode %}

We can see the rules almost as they were presented in the sysmon configuration XML file:

![](/files/-LOOoWdDkFIxPk31gLk9)

A snippet from the actual sysmonconfig-export.xml file:

![](/files/-LOOot8jxGW0TSXz4g3b)

## Bypassing Sysmon

Since [Get-SysmonConfiguration](/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host.md#get-sysmonconfiguration) shows exactly which fields and values each event type includes or excludes, you can shape your tradecraft around those rules: name or place a binary so that it matches an `exclude` rule, pick a destination port the `NetworkConnect` filter ignores, or lean on event types the config does not collect at all.
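As an added example (not code from the page or from PSSysmonTools), here is a small evaluator for that idea: given a config XML (recovered from disk as above, or re-created from the parsed rules) and a candidate event, it reports whether an `exclude` rule would make Sysmon drop the event, and which one. The sample config is constructed for this example. The rule semantics it implements are the documented Sysmon ones (exclude wins over include, rules in one block are OR'd unless wrapped in `<Rule groupRelation="and">`, matching is case-insensitive, the condition defaults to `is`, `contains any`/`contains all` take `;`-separated values); conditions it does not model are reported rather than silently ignored.

```powershell
# Added example (not the page's or PSSysmonTools' code): parse a Sysmon config and
# predict whether a given event would be dropped by its exclude rules.

# Constructed sample config for this example (not taken from any real deployment).
$SampleConfig = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="end with">\Google\Update\GoogleUpdate.exe</Image>
        <ParentImage condition="image">explorer.exe</ParentImage>
        <Rule groupRelation="and">
          <Image condition="image">msiexec.exe</Image>
          <CommandLine condition="contains">/quiet</CommandLine>
        </Rule>
      </ProcessCreate>
      <NetworkConnect onmatch="exclude">
        <DestinationPort condition="is">443</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Test-SysmonCondition {
    param([string]$Condition, [string]$RuleValue, [string]$FieldValue)
    $ic = [System.StringComparison]::OrdinalIgnoreCase   # Sysmon compares case-insensitively
    switch ($Condition) {
        'is'           { $FieldValue.Equals($RuleValue, $ic) }
        'is not'       { -not $FieldValue.Equals($RuleValue, $ic) }
        'contains'     { $FieldValue.IndexOf($RuleValue, $ic) -ge 0 }
        'excludes'     { $FieldValue.IndexOf($RuleValue, $ic) -lt 0 }
        'begin with'   { $FieldValue.StartsWith($RuleValue, $ic) }
        'end with'     { $FieldValue.EndsWith($RuleValue, $ic) }
        'contains any' { @($RuleValue -split ';' | Where-Object { $FieldValue.IndexOf($_.Trim(), $ic) -ge 0 }).Count -gt 0 }
        'contains all' { @($RuleValue -split ';' | Where-Object { $FieldValue.IndexOf($_.Trim(), $ic) -lt 0 }).Count -eq 0 }
        # 'image' matches either the full path or just the file name
        'image'        { $FieldValue.Equals($RuleValue, $ic) -or ($FieldValue -and (Split-Path $FieldValue -Leaf).Equals($RuleValue, $ic)) }
        default        { Write-Warning "condition '$Condition' is not modelled here"; $false }
    }
}

function Test-SysmonField {
    param([System.Xml.XmlElement]$Node, [hashtable]$Event)
    if (-not $Event.ContainsKey($Node.LocalName)) { return $false }   # field absent from the event
    $cond = if ($Node.HasAttribute('condition')) { $Node.GetAttribute('condition') } else { 'is' }
    Test-SysmonCondition -Condition $cond -RuleValue $Node.InnerText.Trim() -FieldValue $Event[$Node.LocalName]
}

function Test-SysmonExcluded {
    param([xml]$Config, [string]$EventType, [hashtable]$Event)
    # Exclude blocks may sit directly under EventFiltering or inside RuleGroup wrappers
    foreach ($block in $Config.SelectNodes("//EventFiltering//$($EventType)[@onmatch='exclude']")) {
        foreach ($node in $block.ChildNodes) {
            if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
            if ($node.LocalName -eq 'Rule') {
                # Compound rule: 'and' needs every child to match, 'or' any child
                $rel = if ($node.HasAttribute('groupRelation')) { $node.GetAttribute('groupRelation') } else { 'or' }
                $results = @($node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
                             ForEach-Object { Test-SysmonField -Node $_ -Event $Event })
                $hit = if ($rel -eq 'and') { ($results.Count -gt 0) -and ($results -notcontains $false) }
                       else                { $results -contains $true }
            } else {
                $hit = Test-SysmonField -Node $node -Event $Event
            }
            # First matching exclude rule wins; Sysmon drops the event whatever the include rules say
            if ($hit) { return [pscustomobject]@{ Excluded = $true; MatchedRule = $node.OuterXml } }
        }
    }
    [pscustomobject]@{ Excluded = $false; MatchedRule = $null }
}

$cfg = [xml]$SampleConfig
# Payload double-clicked in Explorer: the ParentImage exclusion swallows it
Test-SysmonExcluded -Config $cfg -EventType ProcessCreate -Event @{
    Image = 'C:\Users\bob\Downloads\update.exe'; CommandLine = 'update.exe'; ParentImage = 'C:\Windows\explorer.exe' }
# Same binary spawned from PowerShell: nothing matches, Sysmon logs it
Test-SysmonExcluded -Config $cfg -EventType ProcessCreate -Event @{
    Image = 'C:\Users\bob\Downloads\update.exe'; CommandLine = 'update.exe'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
# Compound rule: msiexec is only hidden when the command line also contains /quiet
Test-SysmonExcluded -Config $cfg -EventType ProcessCreate -Event @{
    Image = 'C:\Windows\System32\msiexec.exe'; CommandLine = 'msiexec.exe /i evil.msi /quiet'; ParentImage = 'C:\Windows\System32\cmd.exe' }
```

Swap `$SampleConfig` for the real file recovered with `findstr`, feed in the fields of the action you are about to take, and you get a yes/no before you generate the event. Keep in mind it only models exclusions: an event type with an `include` filter that does not match you is equally invisible, and that case you read straight off the parsed rules.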

Another way to bypass the sysmon altogether is explored here:

{% content-ref url="/pages/-LMEMZmcmnRPz\_5XyjIi" %}
[Unloading Sysmon Driver](/offensive-security/defense-evasion/unloading-sysmon-driver.md)
{% endcontent-ref %}

## References

{% embed url="https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon" %}

{% embed url="https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1" %}

{% embed url="https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes" %}

{% embed url="https://github.com/GhostPack/Seatbelt" %}


