Skip to content

Latest commit

 

History

History
154 lines (105 loc) · 3.85 KB

detecting-sysmon-on-the-victim-host.md

File metadata and controls

154 lines (105 loc) · 3.85 KB
description
Exploring ways to detect Sysmon presence on the victim system

Detecting Sysmon on the Victim Host

Processes

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

PS C:\> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

{% endcode-tabs-item %} {% endcode-tabs %}

{% hint style="warning" %} Note: process name can be changed during installation {% endhint %}

Services

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
# or
Get-Service | where-object {$_.DisplayName -like "*sysm*"}

{% endcode-tabs-item %} {% endcode-tabs %}

{% hint style="warning" %} Note: display names and descriptions can be changed {% endhint %}

Windows Events

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

{% endcode-tabs-item %} {% endcode-tabs %}

Filters

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

PS C:\> fltMC.exe

{% endcode-tabs-item %} {% endcode-tabs %}

Note how even though you can change the sysmon service and driver names, the sysmon altitude is always the same - 385201

Sysmon Tools + Accepted Eula

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

ls HKCU:\Software\Sysinternals

{% endcode-tabs-item %} {% endcode-tabs %}

Sysmon -c

Once symon executable is found, the config file can be checked like so:

sysmon -c

Config File on the Disk

If you are lucky enough, you may be able to find the config file itself on the disk by using native windows utility findstr:

{% code-tabs %} {% code-tabs-item title="attcker@victim" %}

findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*

{% endcode-tabs-item %} {% endcode-tabs %}

Get-SysmonConfiguration

A powershell tool by @mattifestation that extracts sysmon rules from the registry:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

PS C:\tools> (Get-SysmonConfiguration).Rules

{% endcode-tabs-item %} {% endcode-tabs %}

As an example, looking a bit deeper into the ProcessCreate rules:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

(Get-SysmonConfiguration).Rules[0].Rules

{% endcode-tabs-item %} {% endcode-tabs %}

We can see the rules almost as they were presented in the sysmon configuration XML file:

A snippet from the actual sysmonconfig-export.xml file:

Bypassing Sysmon

Since Get-SysmonConfiguration gives you the ability to see the rules sysmon is monitoring on, you can play around those.

Another way to bypass the sysmon altogether is explored here:

{% page-ref page="unloading-sysmon-driver.md" %}

References

{% embed url="https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon" %}

{% embed url="https://github.com/mattifestation/PSSysmonTools/blob/master/PSSysmonTools/Code/SysmonRuleParser.ps1" %}

{% embed url="https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes" %}

{% embed url="https://github.com/GhostPack/Seatbelt" %}