Analyzing Evil With Sysmon & Event Logs

Hi all,

I am stuck on Analyzing Evil With Sysmon & Event Logs.
I’ve managed to replicate the DLL hijacking exploit, but I am stuck on the Detecting Unmanaged PowerShell/C-Sharp Injection section.

I’ve managed to get so far as to change spoolsv.exe to managed, but I am not seeing event 7 in Sysmon.

Am I missing something?

Any help will be appreciated.

1 Like

Hello, if you don’t see any event 7 in Sysmon you would have to configure the sysmonconfig-export.xml file to detect it. If you have done that and are seeing event 7 for other monitors, you could search for spoolsv.exe in the Find section of Event Viewer and filter through all the spoolsv.exe event 7 entries until you see what you are looking for. Hope this helps.

Pikes101, I’m super stuck on starting the first exercise where you have to replicate the DLL hijacking. I’m having a hard time configuring the Sysmon file. Are you supposed to download Sysmon from that link onto the RDP server? I don’t even have an internet connection on the RDP, and I’m wondering if that is my first problem or if I am just doing something wrong.

1 Like

@ZynnamaN, the Sysmon file you are supposed to edit is located in c:\tools\sysmon.
Open the file in Notepad and search for Event Log 7.
Change it from include to exclude.
Save the file and run the file again via CMD.
You should now see event 7 in Event Viewer…
If you have any issue please PM me.

1 Like

Got it! Much appreciated!

1 Like

I changed the file in notepad but how do I run it through CMD?
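The procedure in the replies above (edit the ImageLoad rule in sysmonconfig-export.xml, reload Sysmon from the command line, then look for Event ID 7 from spoolsv.exe) as one PowerShell script. This is an added example, not code from the thread or from the HTB Academy module; the config path comes from the thread, while the schema version, the Sysmon64.exe location and the choice to match on clr.dll/clrjit.dll (the .NET runtime DLLs a managed/injected process loads) are assumptions.

```powershell
# Added example: make Sysmon log Event ID 7 (ImageLoad) for .NET runtime DLL loads,
# reload the running Sysmon with that config, and query the resulting events.
# Run from an elevated PowerShell prompt on the host where Sysmon is installed.
$configPath = 'C:\tools\sysmon\sysmonconfig-export.xml'   # path named in the thread
$sysmonExe  = 'C:\tools\sysmon\Sysmon64.exe'              # assumed location

# How the thread's fix works: <ImageLoad onmatch="include"> with NO rules inside logs
# nothing, and flipping it to onmatch="exclude" with no rules logs every DLL load.
# The rule group below keeps "include" but adds explicit rules, so Event 7 only fires
# for CLR loads and the log stays readable. schemaversion is an assumption: it must not
# exceed what your Sysmon build supports (sysmon64.exe -s prints the supported schema).
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="CLR loaded into a process" groupRelation="or">
      <ImageLoad onmatch="include">
        <ImageLoaded condition="end with">clr.dll</ImageLoaded>
        <ImageLoaded condition="end with">clrjit.dll</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $sysmonConfig -Encoding UTF8

# "Run the file again via CMD": -c updates the configuration of the installed service.
# (If Sysmon is not installed yet, use: Sysmon64.exe -accepteula -i <config>.)
& $sysmonExe -c $configPath

# Pull Event ID 7 from the Sysmon log and keep only CLR loads into spoolsv.exe,
# which is the signal the "unmanaged PowerShell / C# injection" check is after.
$hits = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 7
} -ErrorAction SilentlyContinue | Where-Object {
    # Read named EventData fields from the event XML rather than relying on positions.
    $data   = ([xml]$_.ToXml()).Event.EventData.Data
    $image  = ($data | Where-Object Name -eq 'Image').'#text'        # loading process
    $loaded = ($data | Where-Object Name -eq 'ImageLoaded').'#text'  # DLL that was loaded
    ($image -like '*\spoolsv.exe') -and ($loaded -match '\\clr(jit)?\.dll$')
}

$hits | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Image       = ($data | Where-Object Name -eq 'Image').'#text'
        ImageLoaded = ($data | Where-Object Name -eq 'ImageLoaded').'#text'
    }
} | Format-Table -AutoSize
```

Until the injected process actually loads the CLR, the query returns nothing, so an empty result right after reloading the config is expected rather than a sign the rule is wrong.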