Sysmon TryHackMe Walkthrough

8 min read · Sep 7, 2023

TL;DR Walkthrough of the TryHackMe Sysmon room, part of the Cyber Defense pathway.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.


There are other good walkthroughs of the Sysmon room out there, this was a good one for example.

However, they used Event Viewer instead of PowerShell. With a small evtx file such as the one TryHackMe provided for this room, one can get away with that approach. Given live logs in even a small home lab environment, however, that tactic quickly becomes unworkable. That is why, here, we used PowerShell to set the SACLs that define what gets logged, trigger the event, and then query the logs to pull out meaningful data.

We will start by running through the questions, our query to find the relevant data, and the answers.

It is quite helpful to keep a quick & dirty cheatsheet of Sysmon Event Ids handy while creating these queries. TryHackMe didn’t include one in the room and didn’t list all Event Ids, so I’ll put ours here.

Sysmon Event Id cheatsheet

| # | Sysmon Event |
|---|--------------|
| 1 | Process creation |
| 3 | Network connection |
| 5 | Process terminated |
| 7 | Image loaded |
| 8 | CreateRemoteThread |
| 9 | RawAccessRead |
| 10 | ProcessAccess |
| 11 | FileCreate |
| 12 | RegistryEvent (Object create & delete) |
| 13 | RegistryEvent (Value Set) |
| 14 | RegistryEvent (Key & Value Rename) |
| 15 | FileCreateStreamHash |
| 22 | DNSEvent (DNS query) |

Important Admin Note

I downloaded the task files from TryHackMe and found the answers using them. The Message property of the events in the task files was blank for every event.

If you query the evtx files on THM's VM in the C:\Users\THM-Analyst\Desktop\Scenarios\Investigations folder, then the events do have data in their Message property.

Hence I used the Properties array in the queries below. I spot-checked a couple of these and they work fine on THM's VM's files as well; you might just prefer to use the Message property if you complete this room on THM's VM.
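The Properties[] indices used in the queries below are positional, and the position of a given field shifts between Sysmon versions (the investigation files below use different indices for the same field). As an added helper, not part of the original walkthrough, this reads each event's XML and exposes the EventData fields by their Sysmon names, so a query can ask for DestinationIp or CommandLine directly. The evtx path and the field list in the usage line are assumptions for illustration; the field names are the ones Sysmon writes.

```powershell
# Added example (not from the original walkthrough): read Sysmon events from an
# evtx file and expose the EventData fields by name instead of by Properties[] index.
# The path passed in the usage line is an assumption.
function Get-SysmonEvent {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int[]] $Id
    )
    $filter = @{ Path = $Path }
    if ($Id) { $filter['Id'] = $Id }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $xml  = [xml] $_.ToXml()
        $data = [ordered] @{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
        }
        # Each <Data Name="..."> child becomes a property, so Image, CommandLine,
        # DestinationIp etc. can be addressed by name regardless of Sysmon version.
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject] $data
    }
}

# Usage: Event ID 3 connections, oldest first, with the fields the room asks for.
Get-SysmonEvent -Path '.\Investigation-2.evtx' -Id 3 |
    Sort-Object UtcTime |
    Select-Object UtcTime, Image, SourceIp, DestinationIp, DestinationPort, DestinationHostname |
    Format-Table -AutoSize
```

Get-WinEvent returns newest events first, which is why the queries further down use Select-Object -Last 1 to get the earliest event; sorting on UtcTime makes that explicit. Because the fields are looked up by name, the same query works on files written by different Sysmon versions.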

Task 4 Cutting out the Noise

How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

$Network_Events = Get-WinEvent -Path "C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx" | Where-Object {$_.Id -eq "3"}

# Count the matching events to answer the question
$Network_Events.Count



What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

$LastOne = $Network_Events | Select-Object -Last 1


2021-01-06 01:35:50.464

THM wants the UtcTime, not the TimeCreated.

Task 10 Practical Investigations

-- Investigation 1 --

What is the full registry key of the USB device calling svchost.exe in Investigation 1?

We are looking for an Event Id 12, 13, or 14 that references svchost.exe.

$Registry_Event = Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {(($_.Id -eq "12") -or ($_.Id -eq "13") -or ($_.Id -eq "14")) -and ($_.Properties[4].Value -like "*svchost.exe*")} | Select-Object *



What is the device name when being called by RawAccessRead in Investigation 1?

We are looking for an Event Id 9 that references svchost.exe.

$Read_Event = Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {($_.Id -eq "9") -and ($_.Properties.Value -like "*svchost.exe*")} | Select-Object *

($Read_Event | Select-Object -First 1).Properties[4].Value


What is the first exe the process executes in Investigation 1?

We are looking for the first Event Id 1 that happened after the Event Id 9 from the last question.

$Time = ($Read_Event | Select-Object -First 1).TimeCreated

(Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {($_.Id -eq "1") -and ($_.TimeCreated -ge $Time)} | Select-Object -Last 1).Properties[8].Value


-- Investigation 2 --

What is the full path of the payload in Investigation 2?

We took an educated guess that the payload was an hta file as THM used them for reverse shells previously.

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties.Value
(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties.Value[9]

C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta

What is the full path of the file the payload masked itself as in Investigation 2?

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties[20].Value


What signed binary executed the payload in Investigation 2?

We already found this in the first question's query; it's the legitimate executable that opened the *.hta file.

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties[4].Value


What is the IP of the adversary in Investigation 2?

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {$_.Id -eq "3"}).Properties[14].Value

What back connect port is used in Investigation 2?

To pull just the port, use index [16]:

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {$_.Id -eq "3"}).Properties.Value[16]


-- Investigation 3.1 --

What is the IP of the suspected adversary in Investigation 3.1?

There are only three Event Id 3 instances in this evtx file, and one can tell at a glance that it's the attacker and the compromised system talking back and forth. We can pull the specific data point of the attacker's IP via:

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[13]

What is the hostname of the affected endpoint in Investigation 3.1?

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[9]


What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[14]


Where in the registry was the payload stored in Investigation 3.1?

There are only two Event Id 13 entries in the evtx, and one will notice at a glance that the first one runs the second one.

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"} | Select-Object -Last 1).Properties.Value[5]


What PowerShell launch code was used to launch the payload in Investigation 3.1?

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"} | Select-Object -First 1).Properties.Value[6]

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \"-enc $x\" powershell";exit;

Notice that 'gp' is an alias for 'Get-ItemProperty'; in other words, the command is pulling a value from HKLM:Software\Microsoft\Network\debug and executing it as an encoded command in a hidden PowerShell window. This is obviously suspicious. We will return to this after the questions are all answered.

-- Investigation 3.2 --

What is the IP of the adversary in Investigation 3.2?

$Events = Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {$_.Id -eq "3"}



What is the full path of the payload location in Investigation 3.2?

(Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*schtasks.exe*")}).Properties.Value[8]

"C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""

We're looking for just the path to the payload itself, so copy/paste the text file path that cmd.exe is reading and whose contents it then passes to PowerShell to execute. On a side note, it's a nifty obfuscation technique.


What was the full command used to create the scheduled task in Investigation 3.2?

We just copy/pasted the path from it above, so the answer to this one is simply the full scheduled task.

"C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""

What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?

We are looking for an Event Id 10 (ProcessAccess) that references schtasks.exe.

(Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {($_.Id -eq "10") -and ($_.Properties.Value -like "*schtasks.exe*")}).Properties.Value[4]


TryHackMe only wants the process, not the full path so:


-- Investigation 4 --

What is the IP of the adversary in Investigation 4?

$Network_Events = Get-WinEvent -Path .\Investigation-4.evtx | Where-Object {$_.Id -eq "3"}



What port is the adversary operating on in Investigation 4?



What C2 is the adversary utilizing in Investigation 4?



Base64 PowerShell commands

Remember the last question in Investigation 3.1, where the command pulls a value from the registry and executes it in PowerShell?

TryHackMe didn’t ask about the command itself but I was curious.

$Registry_Events = Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"}

$Base64 = $Registry_Events[1].Properties.Value[6]

$DecodedCommand = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("$Base64"))


IEX is an alias for Invoke-Expression, which runs a string as a command. If you Google “Invoke-Expression” the first thing that comes up is about using it to obfuscate PowerShell execution flow.

I broke the one-liner up into its if/else statements and individual commands and made some sense of it. It appears to create a connection to http://empire2:80/admin/get.php using a hard-coded cookie value, download something, and then pass it to Invoke-Expression.

Microsoft Defender wasn’t fooled by the way.


Together with the Windows Event Logs room this was really good practice at analyzing logs and parsing data in general.

If this walkthrough helps anyone else then that’s a bonus, but I mostly took these notes so I could refer back to them rather than memorizing how to query Sysmon logs.

We covered the attacker TTP of using Base64 encoded commands briefly before here. I'm not sure why running Base64 commands is even a feature in Windows, but then I don't know why automatically downloading Office templates from the Internet was either. Needless to say, your SIEM should be screening for Base64 and obfuscated commands in general.
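As an added example of that screening, not part of the original post: a PowerShell function that walks the Event ID 1 records in an evtx file, decodes any -enc/-EncodedCommand argument the same way the decode snippet above does, and flags the download-and-execute strings seen in Investigations 3.1 and 3.2 (IEX, FromBase64String, hidden windows). The evtx path and the indicator list are assumptions; the field names are Sysmon's own.

```powershell
# Added example, not from the original walkthrough: flag PowerShell process
# creations (Sysmon Event ID 1) that carry an encoded command or known
# download-and-execute strings. The path and indicator list are assumptions.
function Find-SuspiciousPowerShell {
    param([Parameter(Mandatory)] [string] $Path)

    # Regex indicators; -match is case-insensitive by default.
    $indicators = 'Invoke-Expression', '\bIEX\b', 'DownloadString',
                  'FromBase64String', 'Net\.WebClient', '-W(in(dowStyle)?)?\s+hidden'

    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 1 } | ForEach-Object {
        $xml    = [xml] $_.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $cmd = [string] $fields['CommandLine']

        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc ...),
        # so match the switch loosely and take the Base64 blob that follows it.
        $decoded = $null
        if ($cmd -match '(?i)\s-e(c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString(
                               [Convert]::FromBase64String($Matches[2]))
            } catch {
                $decoded = "<not valid Base64: $($_.Exception.Message)>"
            }
        }

        # Look for indicators in the raw command line and in the decoded payload.
        $text = if ($decoded) { "$cmd`n$decoded" } else { $cmd }
        $hits = $indicators | Where-Object { $text -match $_ }

        if ($decoded -or $hits) {
            [pscustomobject] @{
                UtcTime     = $fields['UtcTime']
                Image       = $fields['Image']
                ParentImage = $fields['ParentImage']
                Indicators  = ($hits -join ', ')
                CommandLine = $cmd
                Decoded     = $decoded
            }
        }
    }
}

# Usage: list every hit in one of the room's files, most recent first.
Find-SuspiciousPowerShell -Path '.\Investigation-3.1.evtx' | Format-List
```

The parent image is included because a hidden, encoded PowerShell spawned by schtasks.exe, mshta.exe or an Office binary is a stronger signal than the encoded command on its own; the 3.2 scheduled task would surface here through the IEX and FromBase64String strings in its plain command line even though its Base64 is read from a file rather than passed on the command line.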


Good Sysmon writeup, uses Event Viewer instead of PowerShell:

CredentialCache.DefaultNetworkCredentials Property:

Sysmon Event Id list:


Attacker TTPs RE obfuscating Invoke-Expression:


Macro injection from a remote template:

ASCII Table Creator:




I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.