<p>Sysmon doing lines, part 2</p>
<p>hexacorn.com blog post, published 2017-12-11, last modified 2018-06-29. Permalink: <a href="https://www.hexacorn.com/blog/2017/12/11/sysmon-doing-lines-part-2/">https://www.hexacorn.com/blog/2017/12/11/sysmon-doing-lines-part-2/</a></p>
<p>Sysmon is a cool tool and we love it. Sometimes it does not work as expected <a href="https://www.hexacorn.com/blog/2017/10/02/sysmon-doing-lines/">though</a>.</p>
<p>It’s late so just dropping another recipe here:</p>
<ul>
<li>Name your DLL wevtapi.dll</li>
<li>Run sysmon.exe -u to … ‘uninstall’ it</li>
<li>Your DLL will be loaded</li>
</ul>
<p><a href="https://www.hexacorn.com/blog/wp-content/uploads/2017/12/sysmon_winevt_dll-1.png">Screenshot: sysmon_winevt_dll-1.png (sysmon.exe loading the wevtapi.dll placed next to it)</a></p>
<p>You can also drop Riched32.dll in the same directory and try to ‘install’ sysmon – you will notice the EULA box is loaded incorrectly, because the side-loaded Riched32.dll will take over and execute your code.</p>
<p><a href="https://www.hexacorn.com/blog/wp-content/uploads/2017/12/sysmon_Riched32.png">Screenshot: sysmon_Riched32.png (the broken EULA box after Riched32.dll is side-loaded)</a></p>