Analyzing Evil With Sysmon & Event Logs Trouble

How did you do the DLL hijack? I'm stuck with that step.

To anyone struggling with this, I understand there isn't much guidance. I have finally figured this out, at least for the first question. To do a DLL injection, you need to go into Command Prompt and type this command to rename reflective_dll.x64.dll to WININET.dll:

ren reflective_dll.x64.dll WININET.dll

Then move it to the Desktop by first navigating to the directory it is in:

cd "C:\Tools\Reflective DLLInjection"
move WININET.dll C:\Users\Administrator\Desktop

As far as moving calc.exe to the Desktop from the command prompt, it keeps saying access denied for me. So instead, copy the file from File Explorer, located in Local Disk (C:) under Windows\System32, and paste it onto the Desktop. This will give the "Hello from DLL Main!" message when clicking on the calc application on the Desktop.

After this, go into Event Viewer and follow the directions to get to the Sysmon event IDs, click on Filter Log, change the ALL EVENT IDS field to 7, and click OK. When you click Find and type in WININET.dll (not calc.exe), you will get the right log with the correct SHA256 hash.

For anyone out there still struggling, these are the steps I took:

  1. Open the Tools folder and locate sysmonconfig-export.xml. Use Find to locate the correct line, >>ImageLoad. Then replace include with exclude. Save.
  2. In CMD go to C:\Tools\sysmon with cd and run `sysmon.exe -c sysmonconfig-export.xml`
  3. Open Event Viewer and navigate to "Applications and Services" → "Microsoft" → "Windows" → "Sysmon" to verify that Event ID 7 appears.
  4. In C:\Tools\Reflective DLLInjection rename reflective_dll.x64.dll to WININET.dll and drag and drop it to the Desktop.
  5. In C:\Windows\System32 locate calc.exe, right click, Copy, and Paste it to the Desktop.
  6. Execute calc.exe and you should receive the MessageBox.
  7. Go back to Event Viewer and filter through Filter Current Log by entering 7 in the Event IDs field.
  8. Use Find to locate the calc.exe events. Mine was the first one that it found.

Note: if you make a mistake you might have to restart the instance to start again with another clean instance.

Good luck
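For the log-review part of both posts above (filtering the Sysmon operational log down to Event ID 7 and locating the load of WININET.dll together with its SHA256), here is an added example that is not from any post in this thread. It is a Python script that reads an XML export of the Sysmon log, keeps only the ImageLoad records, and flags DLLs that were loaded from outside C:\Windows and are unsigned, which is exactly the pattern the calc.exe-on-the-Desktop exercise produces. The `<Events>` root element, the record contents and the hash values are constructed assumptions, not data from the lab.

```python
"""Triage Sysmon ImageLoad (Event ID 7) records for DLL search-order hijacks.

Added example for this thread, not part of any post. Input is assumed to be
the XML Event Viewer writes when the Sysmon log is saved as XML: <Event>
records under an <Events> root. Hash values in the sample are placeholders.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
WINDOWS_DIR = PureWindowsPath("C:/Windows")

# Constructed sample records in Sysmon's schema (hashes are placeholders).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="Image">C:\\Users\\Administrator\\Desktop\\calc.exe</Data>
    <Data Name="ImageLoaded">C:\\Users\\Administrator\\Desktop\\WININET.dll</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_SHA256_DESKTOP_DLL</Data>
    <Data Name="Signed">false</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\calc.exe</Data>
    <Data Name="ImageLoaded">C:\\Windows\\System32\\wininet.dll</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_SHA256_SYSTEM32_DLL</Data>
    <Data Name="Signed">true</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="Image">C:\\Program Files\\Vendor\\app.exe</Data>
    <Data Name="ImageLoaded">C:\\Program Files\\Vendor\\helper.dll</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_SHA256_VENDOR_DLL</Data>
    <Data Name="Signed">true</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData><Data Name="Image">C:\\Users\\Administrator\\Desktop\\calc.exe</Data></EventData>
</Event>
</Events>"""


def _under(path, parent):
    """True if path is inside parent (PureWindowsPath compares case-insensitively)."""
    try:
        PureWindowsPath(path).relative_to(parent)
        return True
    except ValueError:
        return False


def parse_image_loads(xml_text):
    """Return the Event ID 7 records as dicts; records with other IDs are skipped."""
    records = []
    for ev in ET.fromstring(xml_text).iter(EVT_NS + "Event"):
        if ev.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "7":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(EVT_NS + "Data")}
        # Sysmon writes the Hashes field as "ALG=value,ALG=value,..."
        hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
        records.append({
            "image": data.get("Image", ""),
            "image_loaded": data.get("ImageLoaded", ""),
            "sha256": hashes.get("SHA256", ""),
            "signed": data.get("Signed", "").strip().lower() == "true",
        })
    return records


def hijack_reasons(rec):
    """Reasons a load looks like a search-order hijack (empty list means benign)."""
    dll = PureWindowsPath(rec["image_loaded"])
    exe = PureWindowsPath(rec["image"])
    reasons = []
    if not _under(dll, WINDOWS_DIR):
        reasons.append("DLL loaded from outside the Windows directory")
    if not rec["signed"]:
        reasons.append("DLL is unsigned")
    if dll.parent == exe.parent and not _under(dll, WINDOWS_DIR):
        reasons.append("DLL sits beside the executable that loaded it")
    return reasons


def find_hijacks(xml_text):
    """Flag loads that are unsigned AND outside the Windows directory."""
    hits = []
    for rec in parse_image_loads(xml_text):
        reasons = hijack_reasons(rec)
        # "unsigned" alone is one reason; a second one means the DLL is outside C:\Windows
        if not rec["signed"] and len(reasons) >= 2:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_XML):
        print(hit["image"], "loaded", hit["image_loaded"], "SHA256", hit["sha256"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run it as-is to see the constructed Desktop load flagged while the System32 and vendor loads pass; point `find_hijacks` at the text of a real XML export to triage a lab log the same way. The signed vendor DLL sitting beside its own executable is deliberately left unflagged, since that is how most legitimate applications ship; the signal here is an unsigned library in a user-writable path, which is what the renamed reflective DLL on the Desktop looks like in the log.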