Setting Up the Victim Machine

Justin Mangaoang
May 2, 2024


Sysmon was initially designed to aid in troubleshooting, analyzing and monitoring Windows systems. Sysmon offers enhanced system event monitoring due to the amount of data it generates.

Once you have your Windows 11 machine booted up, download sysmon from the official website: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon.

After downloading the zipped file, unzip it to your desired location.

Get the configuration file by going to https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml.

While on the page, click Raw in the upper right.

Right click on the webpage > save as > save it in the same directory as the extracted Sysmon files.

Open an admin PowerShell and navigate to the location of the extracted Sysmon executables.

Afterwards, type sysmon64.exe -i <configfile>, where <configfile> is the configuration file saved in the previous step (here, sysmonconfig.xml).

To verify if Sysmon was installed, access the Services menu and search for it there.

You can also find it by going to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon.

We will now download Atomic Red Team. Before we do so, it is necessary to disable Windows Security as it may immediately block Atomic Red Team.

Search for Windows Security, then navigate to Virus & Threat Protection. Under Virus & threat protection settings, select Manage settings.

Disable everything: Real-time Protection, Dev Drive Protection, Cloud-delivered Protection, Automatic Sample Submission and Tamper Protection.

We will be using Atomic Red Team to emulate threat actor behaviors, techniques, and tactics. For more information about ART, please visit their github page (https://github.com/redcanaryco/atomic-red-team/wiki/).

Open an admin PowerShell. Type in the command Set-ExecutionPolicy RemoteSigned. This will allow us to execute scripts downloaded from the internet.

Download ART by typing the following commands:

IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1 -UseBasicParsing);

Install-AtomicRedTeam -getAtomics

Enter Y for yes when prompted to install NuGet.

Navigate to the C Drive and verify if everything was downloaded correctly.

Now that we have both Sysmon and ART installed, we only need to forward the logs to our SIEM.

Login to the Splunk website and download the Splunk Universal Forwarder for Windows 11.

Go to the Downloads folder and run the universal forwarder executable.

Accept the license agreement and make sure On-premise Splunk Enterprise instance is selected. Click next.

Create your credentials for the admin account.

For the deployment server, type in the IP address of our Splunk machine and use the default port 8089.

For the receiving indexer, enter the IP address of our Splunk machine and use the default port 9997.

Click install and select Yes on the UAC pop-up screen.

Click finish.

This will forward our Windows Event logs. However, we need to make some changes to forward the Sysmon logs to our Splunk machine.

Open up Notepad and run it as administrator. Afterwards, enter the details as shown below:

Save the file as inputs.conf and make sure to save it in the following location: C:\Program Files\SplunkUniversalForwarder\etc\system\local.
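As an added example (not the author's own inputs.conf), the following elevated PowerShell script writes a Sysmon input stanza into the forwarder's inputs.conf at the path above, restarts the SplunkForwarder service, and checks that the Sysmon channel actually holds events to forward. The index name "endpoint" is an assumption; use whatever index you create on the Splunk side.

```powershell
# Added example, not the post's own file. Run from an elevated PowerShell prompt.
# Assumptions: default Universal Forwarder install path (as named in the post),
# and an index called "endpoint" (placeholder; match it to your Splunk instance).

$inputsPath = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'

# Stanza that tells the Universal Forwarder to read the Sysmon event channel.
# renderXml keeps the full XML event so no Sysmon fields are lost at the source.
$stanza = @"
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = endpoint
disabled = false
renderXml = true
"@

# 1. Confirm Sysmon is actually installed before trying to forward its channel.
$sysmon = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $sysmon) {
    throw 'Sysmon64 service not found; install it with sysmon64.exe -i <configfile> first.'
}

# 2. Write (or append to) inputs.conf without duplicating an existing stanza.
$existing = if (Test-Path $inputsPath) { Get-Content -Path $inputsPath -Raw } else { '' }
if ($existing -notmatch '\[WinEventLog://Microsoft-Windows-Sysmon/Operational\]') {
    Add-Content -Path $inputsPath -Value $stanza
}

# 3. Restart the forwarder so the new input is picked up.
Restart-Service -Name 'SplunkForwarder'

# 4. Show the most recent Sysmon events; if this is empty, nothing will reach Splunk.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

If step 4 returns events but nothing appears in Splunk, check the receiving port (9997) and the index name on the Splunk side rather than the forwarder.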

Next, we need to restart the Splunk forwarder service. On Windows, do a search and open the Services application. Look for the SplunkForwarder service.

Double click on the SplunkForwarder service and click on the Log On tab. Select Local System account.

Click Apply. You will get a notification informing you that the service must be restarted.

Click ok on the pop up and ok again to close the SplunkForwarder service window. Right click on the aforementioned service and select restart.

We are almost done setting up the machine. Power down the machine and change the network adapter to the one we created earlier.

Power up the machine. We will now set a static IP address on this VM. Go to Run > type in ncpa.cpl. This will open the Network Connections window. Right click on the adapter > Properties > Internet Protocol version 4 (TCP/IPv4) > select properties.

Select Use the following IP address > type in 10.10.10.10 > click ok.

Open command prompt and type in ipconfig to verify if the changes were successful.

We will now go back to our Splunk dashboard to verify if the logs are being forwarded correctly.

Intro: Building a Threat Hunting/Malware Home Lab

Previous: Installing Splunk on Ubuntu 24.04

Next: Configuring Splunk and Generating Telemetry using Atomic Red Team
