With our test environment up and running, you will start to see events rolling in. To do this, I generally use sysmon-config, and install Sysmon with: sysmon.exe -accepteula -i rules.xml In this short post I will document one such way which appears to work with Sysmon 10.1.īut before we start to look to evade Sysmon, we need to first deploy it within a lab environment. In the event I came across this deployed during an engagement, I wanted to spend a bit of time understanding just how to work evade detection. While this gives an excellent datapoint for defenders (shout out to the SysInternals team for continuing to provide and support these awesome tools for free), for us as attackers, this means that should our implant or payloads attempt to communicate via DNS, BlueTeam have a potential way to pick up on indicators which could lead to detection.Īn obvious place where this may affect a campaign is C2 over DNS, where numerous requests will be logged, potentially giving the game away. In a recent update to Sysmon, a new feature was introduced allowing the ability to log DNS events. « Back to home Evading Sysmon DNS Monitoring
0 kommentar(er)
