Sysmon

September 21, 2023

Sysmon, short for System Monitor, is a Windows system service and device driver that plays a crucial role in cybersecurity by providing detailed information about activities on a Windows-based computer. It is designed to enhance the ability to detect and investigate malicious activities and advanced threats within a Windows environment.

This Sysmon lab is pretty similar to the AppLocker lab. I am going to create malware utilizing Metasploit. Then, I am going to execute that malware. But the point of executing this malware is to show how Sysmon can give me amazing logging info on that malware. 

First, I am going to disable Defender by running the following command from an Administrator PowerShell prompt:

Next, let’s start up the ADHD Linux system and set up our malware and C2 listener.

First, I need the Linux system’s IP address:

Using this IP address, I can now use a program called “msfvenom” to create Metasploit malware (here the malware is saved into a temp file called “TrustMe.exe”), then start a backdoor and a backdoor listener. The goal of this lab is not to hack into a computer, though. I am creating a piece of malware, manually moving it over, and executing it. Next, I copied the TrustMe.exe file to the tools directory on my Windows system.

Then I open a new Ubuntu box and run Metasploit. I use exploit/multi/handler so that I can handle and receive connections for multiple different operating systems. When I set the payload, I tell Metasploit that the connection coming in is going to be a Meterpreter reverse TCP connection to this system, which allows it to catch that Meterpreter session as it arrives. I set LHOST to my Linux IP address. I type exploit, and nothing happens yet: the handler is sitting there waiting for the connection to come through, and that connection has not occurred yet.

Now, before I start this malware, I need to start Sysmon. To do that, I open an admin command prompt, cd into the tools directory on our system, and then start Sysmon.

I run the following commands to run the malware:

Back at the Ubuntu prompt, I have a Meterpreter session:

Now, I need to view the Sysmon events for this malware:

To do that I need to select Event Viewer > Applications and Services Logs > Windows > Sysmon > Operational

Starting at the top and working down through the logs, I can see my malware executing in the event logs.

TrustMe.exe executed. I have the file version and a bunch of information that I need to be able to really start an investigation at this point.
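The investigation step above starts from exactly these fields. As an added example that is not part of the original lab, the Python script below correlates Sysmon ProcessCreate (Event ID 1) records with NetworkConnect (Event ID 3) records by ProcessGuid, so a process that runs from a non-standard directory and then initiates an outbound connection, as TrustMe.exe does when it calls back to the handler, is surfaced for review. The XML records, GUIDs, paths, user name and addresses are constructed sample data in the shape of Event Viewer’s XML view.

```python
"""Correlate Sysmon Event ID 1 (ProcessCreate) with Event ID 3 (NetworkConnect)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records in the shape of Event Viewer's XML view; every value is made up.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
<EventData><Data Name="ProcessGuid">{aaaaaaaa-0000-0000-0000-000000000001}</Data>
<Data Name="Image">C:\tools\TrustMe.exe</Data><Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
<Data Name="User">LAB\analyst</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
<EventData><Data Name="ProcessGuid">{aaaaaaaa-0000-0000-0000-000000000002}</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data>
<Data Name="User">LAB\analyst</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID></System>
<EventData><Data Name="ProcessGuid">{aaaaaaaa-0000-0000-0000-000000000001}</Data>
<Data Name="Image">C:\tools\TrustMe.exe</Data><Data Name="Initiated">true</Data>
<Data Name="DestinationIp">192.0.2.10</Data><Data Name="DestinationPort">4444</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Return a list of (event_id, {field: value}) tuples from exported Sysmon XML."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        fields = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((event_id, fields))
    return events


def correlate(events):
    """Group by ProcessGuid: image, parent and user from EID 1, outbound connections from EID 3."""
    procs = {}
    for event_id, f in events:
        entry = procs.setdefault(f["ProcessGuid"], {"connections": []})
        if event_id == 1:
            entry.update(image=f["Image"], parent=f.get("ParentImage"), user=f.get("User"))
        elif event_id == 3 and f.get("Initiated") == "true":
            entry["connections"].append((f["DestinationIp"], int(f["DestinationPort"])))
    return procs


def outbound_from_untrusted_path(procs, trusted=("C:\\Windows\\", "C:\\Program Files")):
    """GUIDs of processes that initiated a connection but do not run from a trusted directory."""
    return sorted(guid for guid, p in procs.items()
                  if p["connections"] and not p.get("image", "").startswith(trusted))
```

On a real host, export the Microsoft-Windows-Sysmon/Operational log from Event Viewer as XML and pass its contents to parse_events; the ProcessGuid is stable across event types, which is what makes the join reliable even when PIDs are reused.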
