Help! Analyzing Evil With Sysmon & Event Logs Trouble

Hi all, I’ve been stuck on this module’s lab for a long time.
Question 2:
Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 hash of clrjit.dll that spoolsv.exe will load as your answer. “C:\Tools\Sysmon” and “C:\Tools\PSInject” on the spawned target contain everything you need.

As shown in the picture below, I have followed all the commands, but spoolsv.exe didn’t change to “managed”.
Is there something I missed?

I appreciate your help.

Hey Yvonneyeyeye, not sure if you figured this one out. I ran into the same thing; I ended up closing the Process Hacker window and re-running the commands in CMD Prompt, and it changed after I tried that.

When I did this lab, closing Process Hacker and running it again did the thing…
But the issue I’m getting is that there is no log entry in Sysmon in Event Viewer.

Does anyone know a solution?

I run it in PowerShell, then type clrjit.dll into Find in Sysmon, then I find spoolsv.exe related to this clrjit.dll.

Yvonneyeyeye, check the process ID you used. It is not the right one.

Make sure to change the sysmonconfig file like you had to in the previous question.
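
A scripted version of the Event Viewer search described in the posts above, added here as an example and not posted by any participant in the thread: it pulls Sysmon Event ID 7 (image load) records for clrjit.dll and shows the loading process and the recorded hash. The sample event is constructed, its hash is a placeholder, and the function name `Get-ClrLoad` is hypothetical.

```powershell
# Added example. The event below is constructed; the hash is a placeholder, not a real value.
$sampleEvents = @(@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID></System>
  <EventData>
    <Data Name="ProcessId">1234</Data>
    <Data Name="Image">C:\Windows\System32\spoolsv.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_NOT_A_REAL_HASH</Data>
  </EventData>
</Event>
'@)

function Get-ClrLoad {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [string]$Module = 'clrjit.dll'
    )
    foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        $id  = $doc.Event.System.SelectSingleNode("*[local-name()='EventID']").InnerText
        if ($id -ne '7') { continue }              # Sysmon Event ID 7 = image loaded
        # Flatten <Data Name="..."> elements into a name/value table.
        $f = @{}
        foreach ($d in $doc.Event.EventData.SelectNodes("*[local-name()='Data']")) {
            $f[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Keep only loads of the requested module (match is case-insensitive).
        if ($f['ImageLoaded'] -notlike "*\$Module") { continue }
        [pscustomobject]@{
            ProcessId   = $f['ProcessId']
            Image       = $f['Image']
            ImageLoaded = $f['ImageLoaded']
            Hashes      = $f['Hashes']
        }
    }
}

# On a live host, feed real events instead of the sample:
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
#          ForEach-Object { $_.ToXml() }
#   Get-ClrLoad -EventXml $xml | Where-Object Image -like '*\spoolsv.exe'
Get-ClrLoad -EventXml $sampleEvents | Format-List
```

An empty result on a live log means no matching Event ID 7 was recorded, which is what you would see if the active Sysmon configuration's ImageLoad rules do not log that load.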

Hi everyone, in the next question, Q3) Replicate the Credential Dumping attack described in this section and provide the NTLM hash of the Administrator user as your answer. “C:\Tools\Sysmon” and “C:\Tools\Mimikatz” on the spawned target contain everything you need.
I tried to run Mimikatz, but the file mimikatz.exe does not exist; there is AgentEXE.exe, and I ran this file with the same command line and passwd, and it worked. But when I go to Event Viewer there is no Event ID 10; I tried searching by the name AgentEXE.exe and did not find any ID 10.
I did the Sysmon step as well to double-check, but got the same thing: no Event ID 10 found.
How can I find it?

Finally I solved it :grinning: