{
    "id": "6a802445-ac67-41ad-855b-692813ccc0d5",
    "name": "Deploying Sysmon for Enhanced Threat Detection",
    "slug": "deploying-sysmon-for-enhanced-threat-detection",
    "status": "published",
    "lab_type": "pta",
    "is_sample": false,
    "duration_in_seconds": 1800,
    "metadata": {
        "courses": [
            "1c059cf9-e0a3-4d5f-8aa9-cbfc8e5981ed"
        ],
        "pta_sdn": "1878",
        "collections": [],
        "pta_manual_id": "5939-2bcd-9e97-b6ef",
        "pta_namespace": "my.ine",
        "learning_paths": [],
        "has_published_parent": true
    },
    "session": null,
    "company": "a491bc32-c056-4946-9169-cc053387bada",
    "created": "2025-06-30T00:11:04.459345Z",
    "modified": "2025-06-30T21:22:31.070254Z",
    "is_beta": false,
    "lab_objectives": [],
    "main_learning_area": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
    "learning_areas": [
        {
            "id": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
            "name": "Cyber Security",
            "slug": "cyber-security"
        }
    ],
    "categories": [],
    "tags": [],
    "difficulty": "professional",
    "is_web_access": false,
    "is_lab_experience": false,
    "is_featured": false,
    "cve": null,
    "severity": null,
    "year": null,
    "classification": null,
    "is_trackable": false,
    "cpe_credits": null,
    "is_skill_check": false,
    "external_url": "",
    "solution_video": null,
    "explanation_video": null,
    "description": "## Deploying Sysmon for Enhanced Threat Detection\n\nWelcome to the Deploying Sysmon for Enhanced Threat Detection lab! \n\nThis lab is designed to introduce you to the practical setup and use of Sysmon for monitoring and detecting suspicious activity on Windows systems. \n\nYou will learn how to install Sysmon with a custom configuration, verify its functionality, and simulate real-world attack behavior using Atomic Red Team to see how Sysmon captures key forensic evidence.\n\nWhether you are a student, researcher, or enthusiast, this space is meant to provide a hands-on experience and foster learning in incident response and Windows threat detection.",
    "description_html": "<h2>Deploying Sysmon for Enhanced Threat Detection</h2>\n<p>Welcome to the Deploying Sysmon for Enhanced Threat Detection lab! </p>\n<p>This lab is designed to introduce you to the practical setup and use of Sysmon for monitoring and detecting suspicious activity on Windows systems. </p>\n<p>You will learn how to install Sysmon with a custom configuration, verify its functionality, and simulate real-world attack behavior using Atomic Red Team to see how Sysmon captures key forensic evidence.</p>\n<p>Whether you are a student, researcher, or enthusiast, this space is meant to provide a hands-on experience and foster learning in incident response and Windows threat detection.</p>",
    "tasks": "## Task 1: Locate the Tools\n\n- Navigate to the `Deploying Sysmon` folder on the desktop. This contains all necessary tools: Sysmon binary, configuration file, and Atomic Red Team scripts.\n\n\n## Task 2: Install Sysmon with Configuration\n\n- Use the provided `Sysmon64.exe` and `sysmonconfig-export.xml` to install **Sysmon** as a system service with a threat-detection-focused configuration. \n- This enables detailed event logging for key activities like process creation and network connections.\n\n\n## Task 3: Verify Sysmon Logging\n\n- Open **Event Viewer** and confirm that Sysmon is logging events in `Microsoft > Windows > Sysmon > Operational`. \n- Check for entries such as process creation (**Event ID 1**) to confirm that events are being written.\n\n\n## Task 4: Setup Atomic Red Team & Run a Simulated Attack\n\n- Load the **Atomic Red Team** PowerShell module from the local folder. This framework simulates attacker techniques mapped to the **MITRE ATT&CK** matrix.\n- Execute a benign test for `T1053.005` \u2013 Scheduled Task using Atomic Red Team. This simulates an attacker creating a scheduled task for persistence, a technique commonly seen in real-world intrusions.\n- Return to the **Sysmon Event Log** and locate the events generated by the Atomic test. Pay attention to process names, command-line arguments, and parent-child relationships.",
    "tasks_html": "<h2>Task 1: Locate the Tools</h2>\n<ul>\n<li>Navigate to the <code>Deploying Sysmon</code> folder on the desktop. This contains all necessary tools: Sysmon binary, configuration file, and Atomic Red Team scripts.</li>\n</ul>\n<h2>Task 2: Install Sysmon with Configuration</h2>\n<ul>\n<li>Use the provided <code>Sysmon64.exe</code> and <code>sysmonconfig-export.xml</code> to install <strong>Sysmon</strong> as a system service with a threat-detection-focused configuration. </li>\n<li>This enables detailed event logging for key activities like process creation and network connections.</li>\n</ul>\n<h2>Task 3: Verify Sysmon Logging</h2>\n<ul>\n<li>Open <strong>Event Viewer</strong> and confirm that Sysmon is logging events in <code>Microsoft &gt; Windows &gt; Sysmon &gt; Operational</code>. </li>\n<li>Check for entries such as process creation (<strong>Event ID 1</strong>) to confirm that events are being written.</li>\n</ul>\n<h2>Task 4: Setup Atomic Red Team &amp; Run a Simulated Attack</h2>\n<ul>\n<li>Load the <strong>Atomic Red Team</strong> PowerShell module from the local folder. This framework simulates attacker techniques mapped to the <strong>MITRE ATT&amp;CK</strong> matrix.</li>\n<li>Execute a benign test for <code>T1053.005</code> \u2013 Scheduled Task using Atomic Red Team. This simulates an attacker creating a scheduled task for persistence, a technique commonly seen in real-world intrusions.</li>\n<li>Return to the <strong>Sysmon Event Log</strong> and locate the events generated by the Atomic test. Pay attention to process names, command-line arguments, and parent-child relationships.</li>\n</ul>",
    "published_date": "2025-06-30T21:22:31.064324Z",
    "solutions": "## Task 1: Locate the Tools\n\n### Objective\nAccess the lab tools required to install and test Sysmon from the designated folder on the desktop.\n\n### Steps\n1. Navigate to the **Desktop** on the Windows system.\n\n2. Open the folder named: `Deploying Sysmon`\n\n![image0](https://assets.ine.com/lab/learningpath/8bd5b7f1461d3176163b3b1fd18037c4d4bd0478c5434155759b309ed221f9ef.png)\n\n3. Inside this folder, you will find multiple ZIP archives. To begin with, verify the presence of the following key items:\n\n    - `Sysmon.zip`\n    - `sysmon-config-master.zip`\n\n![image2](https://assets.ine.com/lab/learningpath/a7ebf03eb4eff55f4c2ffcf6534698562d90dbbad037610bc78ba9b57a697d99.png)\n\nOnce you've located and confirmed all required files are present, you are ready to proceed to the next task: **installing Sysmon**.\n\n\n## Task 2: Install Sysmon with Configuration\n\n### Objective\nInstall `Sysmon` as a **Windows service** using the provided configuration file to enable enhanced system activity logging.\n\n### Steps\n1. Extract the `Sysmon.zip` archive. The extracted folder contains three Sysmon executables, one per processor architecture; on this 64-bit lab system the appropriate installer is `Sysmon64.exe`.\n\n![image1](https://assets.ine.com/lab/learningpath/f776edfc6701cb901ac3d8169147d8b45d1351353a1ad93055fcfdcf93f05549.png)\n\nBefore installing Sysmon, extract the ZIP archive containing the custom Sysmon configuration file.\n\n2. Navigate back to the `Deploying Sysmon` folder and extract the `sysmon-config-master.zip` archive.\n\n![image3](https://assets.ine.com/lab/learningpath/77302d5cbdfe660a685a29fe2c64d8a67aa4839be13b2d0dd6455a1699ffb788.png)\n\nInside the extracted folder you will find the custom Sysmon config file: `sysmonconfig-export.xml`\n\n![image4](https://assets.ine.com/lab/learningpath/f1f8a0743e94abb585ae3bcde2e53390029faf32656c318597ea1cb2bb378243.png)\n\nCopy this file into the Sysmon folder you extracted earlier, alongside the Sysmon installer.\n\n3. Once the configuration file sits next to `Sysmon64.exe`, open a PowerShell window in that folder.\n\nThis can be done by holding the **SHIFT key and right-clicking** inside the folder and clicking the `Open PowerShell window here` option, as shown in the following screenshot.\n\n![image6](https://assets.ine.com/lab/learningpath/1b6f023bd649c1663cca75ccb0c863fbf7eff8b7c6a2dbf5dcead6b12da0ad2c.png)\n\n4. Run the Sysmon installation command with the configuration file:\n\n```\nSysmon64.exe -accepteula -i sysmonconfig-export.xml\n```\n\n![image7](https://assets.ine.com/lab/learningpath/969fc95aa0a151a702ce7d6ae70dfda7de89eb955d9ff9bef97becebe9529df8.png)\n\nAs shown in the preceding screenshot, you should see a confirmation message indicating that Sysmon has been installed as a system service. The installation must run with administrative privileges, since Sysmon registers both a Windows service and a kernel driver.\n\n5. To verify that the `Sysmon64` service is running, open the Windows Services utility and check its status.\n\nAs shown in the following screenshot, the Sysmon64 service should be in a \"Running\" state.\n\n![image5](https://assets.ine.com/lab/learningpath/feb71707211f7c32fb12f30103bc8368b34d3ade8ef87f05024650968f6e94ce.png)\n\nOnce confirmed, proceed to Task 3 to verify logging.\n\n\n## Task 3: Verify Sysmon is Logging\n\n### Objective\nEnsure that Sysmon is actively logging system events and writing them to the Windows Event Log.\n\n### Steps\n1. Open **Event Viewer**: press `Windows + R`, type `eventvwr`, and press **Enter**.\n\n2. In the left-hand panel, navigate to\n\n```\nApplications and Services Logs > Microsoft > Windows > Sysmon > Operational\n```\n\n![image8](https://assets.ine.com/lab/learningpath/22a7b0fe3c19961506caf8d3f21596a82ab3a876f212bdad5906405f110469d9.png)\n\n3. Wait a few seconds for events to populate. You should start seeing entries with IDs such as:\n\n    - **Event ID 1** \u2013 Process creation\n    - **Event ID 3** \u2013 Network connection\n    - **Event ID 11** \u2013 File creation\n\nWhich events appear depends on the loaded configuration: `sysmonconfig-export.xml` decides which activity is included or excluded, so a quiet log does not by itself mean the install is broken.\n\n![image9](https://assets.ine.com/lab/learningpath/145a47186f3af9791d4cf85c3411818323dd3beb01de601d84bafdf9c06beaaa.png)\n\n4. A good way to verify Sysmon logging is to execute a PowerShell command frequently used by attackers for Discovery:\n\n```\nwhoami /priv\n```\n\nThis command enumerates the privileges held by the current user's access token; in this lab that is the \"Administrator\" account.\n\nAs shown in the following screenshot, Sysmon records the resulting process creation (Event ID 1) with the full command line, parent process, user context and file hashes, which contextualizes the event far better than a bare process name would.\n\n![image10](https://assets.ine.com/lab/learningpath/ec4dfb4e3ef9b4a061c5283a0023fbb5d9082779632e72af7477dc98ac38197f.png)\n\n### Confirmation\nIf you see these events, Sysmon is working correctly and capturing system activity. You are now ready to simulate malicious activity in Task 4 using Atomic Red Team.\n\n\n## Task 4: Setup Atomic Red Team & Run a Simulated Attack\n\n### Objectives\n\n- Prepare the Atomic Red Team testing environment to simulate adversary techniques on the Windows system.\n- Use Atomic Red Team to simulate the creation of a Scheduled Task for persistence, a technique commonly seen in real-world compromises.\n- Review Sysmon logs to identify evidence of the simulated attack, verifying detection.\n\n### Steps\n1. Open a PowerShell session with Administrative privileges and navigate to the following directory: `C:\\AtomicRedTeam`\n\nAs shown in the following screenshot, inside this folder you will find another folder called `invoke-atomicredteam`. This folder contains the **Atomic Red Team** PowerShell module.\n\n![image14](https://assets.ine.com/lab/learningpath/0b457ec4f7e72fb09c0b5a2fcd02057252ff9d8cdc0ae0ed9d9f3ce5529bbb79.png)\n\n2. Navigate into the `invoke-atomicredteam` folder and import the module manifest `Invoke-AtomicRedTeam.psd1`:\n\n```\nImport-Module Invoke-AtomicRedTeam.psd1\n```\n\n![image11](https://assets.ine.com/lab/learningpath/b155f2c5af8994cc05ab7beb716c03b77a8020feab565a65727433eaa133b19b.png)\n\nOnce the module is imported and its commands are visible, you are ready to execute an Atomic test to emulate adversarial activity.\n\n3. Simulate Scheduled Task creation (T1053.005)\n\nIn the same PowerShell session, run the following command:\n\n```\nInvoke-AtomicTest T1053.005 -TestNumbers 1\n```\n\n![image13](https://assets.ine.com/lab/learningpath/884783006b200c3ef2decd939e5e93ab1e3ac5485536666eb25904341de20774.png)\n\nThis Atomic test creates a non-malicious Windows Scheduled Task. Its cleanup step deletes the task again; run it by repeating the same command with the `-Cleanup` switch once you have finished reviewing the logs.\n\n4. Review the Sysmon logs to identify evidence of the simulated scheduled-task creation, verifying detection.\n\nOpen **Event Viewer** again if it is not already open and navigate to:\n\n```\nApplications and Services Logs > Microsoft > Windows > Sysmon > Operational\n```\n\nLook for:\n\n- **Event ID 1**: process creation entries whose command line matches the Atomic test, with `powershell.exe` (the session running `Invoke-AtomicTest`) in the parent chain.\n- Parent process details and user context.\n\nAs shown in the following screenshot, Atomic test T1053.005 triggers Sysmon Event ID 1. Windows may additionally log Security Event ID 4698 (\"A scheduled task was created\") in the Security channel, but only when the \"Audit Other Object Access Events\" subcategory is enabled; that event comes from native Windows auditing, not from Sysmon.\n\n![image12](https://assets.ine.com/lab/learningpath/42b071fe038a9a26be963ff4a646e8d94a2086ee6ad9fe59dc98570dedbda114.png)\n\n---\n\n## Reflection Point \nEvaluate what Sysmon captured and consider how this information supports incident response and threat detection.\n\n### Discussion Points\n\n- What specific details did Sysmon capture about the Atomic test's execution?\n  - Executable name, command line, hashes, user context, parent process, etc.\n- How might this event help an incident responder?\n- Would this activity be flagged by an EDR or SIEM?\n- What additional events could help confirm or dismiss malicious intent?\n\n\n## Conclusion\nUnderstanding what Sysmon logs and how it relates to simulated adversary behavior is key to building an effective detection strategy. This reflection helps bridge tool output with real-world security use cases.",
    "solutions_html": "<h2>Task 1: Locate the Tools</h2>\n<h3>Objective</h3>\n<p>Access the lab tools required to install and test Sysmon from the designated folder on the desktop.</p>\n<h3>Steps</h3>\n<ol>\n<li>\n<p>Navigate to the <strong>Desktop</strong> on the Windows system.</p>\n</li>\n<li>\n<p>Open the folder named: <code>Deploying Sysmon</code></p>\n</li>\n</ol>\n<p><img alt=\"image0\" src=\"https://assets.ine.com/lab/learningpath/8bd5b7f1461d3176163b3b1fd18037c4d4bd0478c5434155759b309ed221f9ef.png\" /></p>\n<ol start=\"3\">\n<li>\n<p>Inside this folder, you will find multiple ZIP archives. To begin with, verify the presence of the following key items:</p>\n<ul>\n<li><code>Sysmon.zip</code></li>\n<li><code>sysmon-config-master.zip</code></li>\n</ul>\n</li>\n</ol>\n<p><img alt=\"image2\" src=\"https://assets.ine.com/lab/learningpath/a7ebf03eb4eff55f4c2ffcf6534698562d90dbbad037610bc78ba9b57a697d99.png\" /></p>\n<p>Once you've located and confirmed all required files are present, you are ready to proceed to the next task: <strong>installing Sysmon</strong>.</p>\n<h2>Task 2: Install Sysmon with Configuration</h2>\n<h3>Objective</h3>\n<p>Install <code>Sysmon</code> as a <strong>Windows service</strong> using the provided configuration file to enable enhanced system activity logging.</p>\n<h3>Steps</h3>\n<ol>\n<li>Extract the <code>Sysmon.zip</code> archive. The extracted folder contains three Sysmon executables, one per processor architecture; on this 64-bit lab system the appropriate installer is <code>Sysmon64.exe</code>.</li>\n</ol>\n<p><img alt=\"image1\" src=\"https://assets.ine.com/lab/learningpath/f776edfc6701cb901ac3d8169147d8b45d1351353a1ad93055fcfdcf93f05549.png\" /></p>\n<p>Before installing Sysmon, extract the ZIP archive containing the custom Sysmon configuration file.</p>\n<ol start=\"2\">\n<li>Navigate back to the <code>Deploying Sysmon</code> folder and extract the <code>sysmon-config-master.zip</code> archive.</li>\n</ol>\n<p><img alt=\"image3\" src=\"https://assets.ine.com/lab/learningpath/77302d5cbdfe660a685a29fe2c64d8a67aa4839be13b2d0dd6455a1699ffb788.png\" /></p>\n<p>Inside the extracted folder you will find the custom Sysmon config file: <code>sysmonconfig-export.xml</code></p>\n<p><img alt=\"image4\" src=\"https://assets.ine.com/lab/learningpath/f1f8a0743e94abb585ae3bcde2e53390029faf32656c318597ea1cb2bb378243.png\" /></p>\n<p>Copy this file into the Sysmon folder you extracted earlier, alongside the Sysmon installer.</p>\n<ol start=\"3\">\n<li>Once the configuration file sits next to <code>Sysmon64.exe</code>, open a PowerShell window in that folder.</li>\n</ol>\n<p>This can be done by holding the <strong>SHIFT key and right-clicking</strong> inside the folder and clicking the <code>Open PowerShell window here</code> option, as shown in the following screenshot.</p>\n<p><img alt=\"image6\" src=\"https://assets.ine.com/lab/learningpath/1b6f023bd649c1663cca75ccb0c863fbf7eff8b7c6a2dbf5dcead6b12da0ad2c.png\" /></p>\n<ol start=\"4\">\n<li>Run the Sysmon installation command with the configuration file:</li>\n</ol>\n<pre class=\"codehilite\"><code>Sysmon64.exe -accepteula -i sysmonconfig-export.xml</code></pre>\n\n<p><img alt=\"image7\" src=\"https://assets.ine.com/lab/learningpath/969fc95aa0a151a702ce7d6ae70dfda7de89eb955d9ff9bef97becebe9529df8.png\" /></p>\n<p>As shown in the preceding screenshot, you should see a confirmation message indicating that Sysmon has been installed as a system service. The installation must run with administrative privileges, since Sysmon registers both a Windows service and a kernel driver.</p>\n<ol start=\"5\">\n<li>To verify that the <code>Sysmon64</code> service is running, open the Windows Services utility and check its status.</li>\n</ol>\n<p>As shown in the following screenshot, the Sysmon64 service should be in a \"Running\" state.</p>\n<p><img alt=\"image5\" src=\"https://assets.ine.com/lab/learningpath/feb71707211f7c32fb12f30103bc8368b34d3ade8ef87f05024650968f6e94ce.png\" /></p>\n<p>Once confirmed, proceed to Task 3 to verify logging.</p>\n<h2>Task 3: Verify Sysmon is Logging</h2>\n<h3>Objective</h3>\n<p>Ensure that Sysmon is actively logging system events and writing them to the Windows Event Log.</p>\n<h3>Steps</h3>\n<ol>\n<li>\n<p>Open <strong>Event Viewer</strong>: press <code>Windows + R</code>, type <code>eventvwr</code>, and press <strong>Enter</strong>.</p>\n</li>\n<li>\n<p>In the left-hand panel, navigate to</p>\n</li>\n</ol>\n<pre class=\"codehilite\"><code>Applications and Services Logs &gt; Microsoft &gt; Windows &gt; Sysmon &gt; Operational</code></pre>\n\n<p><img alt=\"image8\" src=\"https://assets.ine.com/lab/learningpath/22a7b0fe3c19961506caf8d3f21596a82ab3a876f212bdad5906405f110469d9.png\" /></p>\n<ol start=\"3\">\n<li>\n<p>Wait a few seconds for events to populate. You should start seeing entries with IDs such as:</p>\n<ul>\n<li><strong>Event ID 1</strong> \u2013 Process creation</li>\n<li><strong>Event ID 3</strong> \u2013 Network connection</li>\n<li><strong>Event ID 11</strong> \u2013 File creation</li>\n</ul>\n</li>\n</ol>\n<p>Which events appear depends on the loaded configuration: <code>sysmonconfig-export.xml</code> decides which activity is included or excluded, so a quiet log does not by itself mean the install is broken.</p>\n<p><img alt=\"image9\" src=\"https://assets.ine.com/lab/learningpath/145a47186f3af9791d4cf85c3411818323dd3beb01de601d84bafdf9c06beaaa.png\" /></p>\n<ol start=\"4\">\n<li>A good way to verify Sysmon logging is to execute a PowerShell command frequently used by attackers for Discovery:</li>\n</ol>\n<pre class=\"codehilite\"><code>whoami /priv</code></pre>\n\n<p>This command enumerates the privileges held by the current user's access token; in this lab that is the \"Administrator\" account.</p>\n<p>As shown in the following screenshot, Sysmon records the resulting process creation (Event ID 1) with the full command line, parent process, user context and file hashes, which contextualizes the event far better than a bare process name would.</p>\n<p><img alt=\"image10\" src=\"https://assets.ine.com/lab/learningpath/ec4dfb4e3ef9b4a061c5283a0023fbb5d9082779632e72af7477dc98ac38197f.png\" /></p>\n<h3>Confirmation</h3>\n<p>If you see these events, Sysmon is working correctly and capturing system activity. You are now ready to simulate malicious activity in Task 4 using Atomic Red Team.</p>\n<h2>Task 4: Setup Atomic Red Team &amp; Run a Simulated Attack</h2>\n<h3>Objectives</h3>\n<ul>\n<li>Prepare the Atomic Red Team testing environment to simulate adversary techniques on the Windows system.</li>\n<li>Use Atomic Red Team to simulate the creation of a Scheduled Task for persistence, a technique commonly seen in real-world compromises.</li>\n<li>Review Sysmon logs to identify evidence of the simulated attack, verifying detection.</li>\n</ul>\n<h3>Steps</h3>\n<ol>\n<li>Open a PowerShell session with Administrative privileges and navigate to the following directory: <code>C:\\AtomicRedTeam</code></li>\n</ol>\n<p>As shown in the following screenshot, inside this folder you will find another folder called <code>invoke-atomicredteam</code>. This folder contains the <strong>Atomic Red Team</strong> PowerShell module.</p>\n<p><img alt=\"image14\" src=\"https://assets.ine.com/lab/learningpath/0b457ec4f7e72fb09c0b5a2fcd02057252ff9d8cdc0ae0ed9d9f3ce5529bbb79.png\" /></p>\n<ol start=\"2\">\n<li>Navigate into the <code>invoke-atomicredteam</code> folder and import the module manifest <code>Invoke-AtomicRedTeam.psd1</code>:</li>\n</ol>\n<pre class=\"codehilite\"><code>Import-Module Invoke-AtomicRedTeam.psd1</code></pre>\n\n<p><img alt=\"image11\" src=\"https://assets.ine.com/lab/learningpath/b155f2c5af8994cc05ab7beb716c03b77a8020feab565a65727433eaa133b19b.png\" /></p>\n<p>Once the module is imported and its commands are visible, you are ready to execute an Atomic test to emulate adversarial activity.</p>\n<ol start=\"3\">\n<li>Simulate Scheduled Task creation (T1053.005)</li>\n</ol>\n<p>In the same PowerShell session, run the following command:</p>\n<pre class=\"codehilite\"><code>Invoke-AtomicTest T1053.005 -TestNumbers 1</code></pre>\n\n<p><img alt=\"image13\" src=\"https://assets.ine.com/lab/learningpath/884783006b200c3ef2decd939e5e93ab1e3ac5485536666eb25904341de20774.png\" /></p>\n<p>This Atomic test creates a non-malicious Windows Scheduled Task. Its cleanup step deletes the task again; run it by repeating the same command with the <code>-Cleanup</code> switch once you have finished reviewing the logs.</p>\n<ol start=\"4\">\n<li>Review the Sysmon logs to identify evidence of the simulated scheduled-task creation, verifying detection.</li>\n</ol>\n<p>Open <strong>Event Viewer</strong> again if it is not already open and navigate to:</p>\n<pre class=\"codehilite\"><code>Applications and Services Logs &gt; Microsoft &gt; Windows &gt; Sysmon &gt; Operational</code></pre>\n\n<p>Look for:</p>\n<ul>\n<li><strong>Event ID 1</strong>: process creation entries whose command line matches the Atomic test, with <code>powershell.exe</code> (the session running <code>Invoke-AtomicTest</code>) in the parent chain.</li>\n<li>Parent process details and user context.</li>\n</ul>\n<p>As shown in the following screenshot, Atomic test T1053.005 triggers Sysmon Event ID 1. Windows may additionally log Security Event ID 4698 (\"A scheduled task was created\") in the Security channel, but only when the \"Audit Other Object Access Events\" subcategory is enabled; that event comes from native Windows auditing, not from Sysmon.</p>\n<p><img alt=\"image12\" src=\"https://assets.ine.com/lab/learningpath/42b071fe038a9a26be963ff4a646e8d94a2086ee6ad9fe59dc98570dedbda114.png\" /></p>\n<hr />\n<h2>Reflection Point</h2>\n<p>Evaluate what Sysmon captured and consider how this information supports incident response and threat detection.</p>\n<h3>Discussion Points</h3>\n<ul>\n<li>What specific details did Sysmon capture about the Atomic test's execution?\n<ul>\n<li>Executable name, command line, hashes, user context, parent process, etc.</li>\n</ul>\n</li>\n<li>How might this event help an incident responder?</li>\n<li>Would this activity be flagged by an EDR or SIEM?</li>\n<li>What additional events could help confirm or dismiss malicious intent?</li>\n</ul>\n<h2>Conclusion</h2>\n<p>Understanding what Sysmon logs and how it relates to simulated adversary behavior is key to building an effective detection strategy. This reflection helps bridge tool output with real-world security use cases.</p>",
    "flags": [],
    "min_points_to_pass": null,
    "access_type": "default",
    "user_status": "unstarted",
    "user_lab_status": null,
    "user_status_modified": null,
    "user_flags": [],
    "global_running_session": null
}
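The Task 2 to Task 4 procedure from the `solutions` field of this lab record, scripted end to end as an added example. This is not code from the lab, from Sysmon or from Atomic Red Team. It assumes an elevated PowerShell session on the lab VM; that `$SysmonDir` (a hypothetical path) is the extracted Sysmon folder with `sysmonconfig-export.xml` copied into it; that the module manifest lives at the `C:\AtomicRedTeam\invoke-atomicredteam` path named in Task 4; and that the atomic's command lines contain the technique ID (the `*T1053*` filter), which you can widen if your copy of the test differs. The Security 4698 lookup only returns rows when that audit subcategory is enabled.

```powershell
# Added example (not from the lab, Sysmon or Atomic Red Team): Tasks 2-4 scripted end to end.
# Run in an elevated PowerShell session. $SysmonDir is a hypothetical path to the extracted Sysmon
# folder (with sysmonconfig-export.xml copied in); $AtomicPsd1 is the manifest path from Task 4.
$SysmonDir  = 'C:\Users\Administrator\Desktop\Deploying Sysmon\Sysmon'
$AtomicPsd1 = 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'
$SysmonLog  = 'Microsoft-Windows-Sysmon/Operational'

function Install-SysmonWithConfig {
    # Task 2. An existing install gets the configuration swapped with -c instead of a reinstall.
    $exe = Join-Path $SysmonDir 'Sysmon64.exe'
    $cfg = Join-Path $SysmonDir 'sysmonconfig-export.xml'
    if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
        & $exe -c $cfg | Out-Null
    } else {
        & $exe -accepteula -i $cfg | Out-Null
    }
}

function Test-SysmonHealthy {
    # Tasks 2/3: service running, kernel driver running, event channel enabled. Get-Service does
    # not list kernel drivers, so the driver state is read from Win32_SystemDriver.
    $svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
    $log = Get-WinEvent -ListLog $SysmonLog -ErrorAction SilentlyContinue
    return [bool]($svc -and $svc.Status -eq 'Running' -and $drv -and $drv.State -eq 'Running' -and $log -and $log.IsEnabled)
}

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> pairs of one event record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{ TimeCreated = $Record.TimeCreated }
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Get-SysmonProcessCreate {
    # Sysmon Event ID 1 since $Since, reduced to the fields an analyst pivots on (Tasks 3 and 4).
    param([datetime]$Since, [string]$CommandLineLike = '*')
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time = $d.TimeCreated; Image = $d.Image; CommandLine = $d.CommandLine; User = $d.User
                IntegrityLevel = $d.IntegrityLevel; Hashes = $d.Hashes; ParentImage = $d.ParentImage
                ProcessGuid = $d.ProcessGuid; ParentProcessGuid = $d.ParentProcessGuid
            }
        } | Where-Object { $_.CommandLine -like $CommandLineLike }
}

function Get-ProcessChain {
    # Follow ParentProcessGuid links within $All and render "child <- parent <- ...". The final
    # ParentImage is appended by name because that process (e.g. the powershell.exe session
    # running Invoke-AtomicTest) started before $Since and so has no Event ID 1 in $All.
    param($Proc, $All)
    $chain = @($Proc); $cur = $Proc
    while ($true) {
        $parentGuid = $cur.ParentProcessGuid
        $next = $All | Where-Object { $_.ProcessGuid -eq $parentGuid } | Select-Object -First 1
        if (-not $next) { break }
        $chain += $next; $cur = $next
    }
    $names = @($chain | ForEach-Object { Split-Path $_.Image -Leaf }) + (Split-Path $cur.ParentImage -Leaf)
    return ($names -join ' <- ')
}

function Get-ScheduledTaskCreated {
    # Security 4698 "A scheduled task was created": native Windows auditing, not Sysmon, and only
    # written when the "Audit Other Object Access Events" subcategory is enabled.
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $d.TimeCreated; TaskName = $d.TaskName; CreatedBy = $d.SubjectUserName } }
}

# ---- Usage: Tasks 2-4 in order ----
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { throw 'Run this elevated.' }
Install-SysmonWithConfig
if (-not (Test-SysmonHealthy)) { throw 'Sysmon service/driver not running or channel disabled.' }

$marker = Get-Date
whoami /priv | Out-Null                         # Task 3 probe
Import-Module $AtomicPsd1
Invoke-AtomicTest T1053.005 -TestNumbers 1      # Task 4 test; rerun with -Cleanup afterwards to delete the task
Start-Sleep -Seconds 5                          # give Sysmon time to write the events

$events = Get-SysmonProcessCreate -Since $marker
$events | Where-Object { $_.Image -like '*\whoami.exe' } | Format-Table Time, CommandLine, ParentImage, User, IntegrityLevel -AutoSize
# Assumption: the atomic's command lines contain the technique ID (task names like T1053_005_*); widen the filter if not.
foreach ($e in ($events | Where-Object { $_.CommandLine -like '*T1053*' })) {
    '{0}  |  {1}' -f (Get-ProcessChain $e $events), $e.CommandLine
}
Get-ScheduledTaskCreated -Since $marker | Format-Table -AutoSize
```

The parent-chain output is the same pivot Task 4 asks you to make by eye in Event Viewer: each line reads newest process first, ending in the `powershell.exe` session that ran `Invoke-AtomicTest`, so a `schtasks`-style command appearing under an interactive PowerShell parent is immediately visible. The Sysmon filter (`StartTime`) is taken from the clock just before the probe commands run, which keeps pre-existing noise out of the result. Invoking the test does not remove the task it creates; run `Invoke-AtomicTest T1053.005 -TestNumbers 1 -Cleanup` once the events have been reviewed.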