
PT1.3 Windows Endpoint Build with Sysmon

4-8 hours · Module 1 · Free
What you already know

You've installed Windows before. You know what Event Viewer is. This sub gets you from a fresh ISO to a Sysmon-instrumented endpoint with Atomic Red Team installed — the primary target for most of the course's technique subs. Every step is shown with the exact commands and expected output. If something goes wrong, the troubleshooting sections cover the most common failures.

Operational Objective
The Windows endpoint is the primary target environment. Most technique subs fire their attack against this VM and check whether Sysmon captures the telemetry. This sub builds the VM, installs Sysmon with a detection-optimized configuration, installs Atomic Red Team for technique execution, and verifies that events are being generated. By the end, you'll fire a test command and confirm Sysmon Event 1 appears in Event Viewer.
Deliverable: A running Windows 10/11 VM with Sysmon producing events and Atomic Red Team installed and ready to execute techniques.
Estimated completion: 45–60 minutes

Step 1: Create the VM

The instructions below cover all three hypervisors. Follow the section for yours and skip the other two.

VirtualBox

Open VirtualBox Manager. Click New (top toolbar). Fill in the wizard:

Name:             PT-WIN-ENDPOINT
Folder:           (leave default or choose a drive with space)
ISO Image:        (browse to your Windows 11 Enterprise Evaluation ISO)
Type:             Microsoft Windows
Version:          Windows 11 (64-bit)
☑ Skip Unattended Installation   ← CHECK THIS (you want to control the install)

Click Next. Hardware settings:

Base Memory:      4096 MB  (2048 minimum — 4096 recommended)
Processors:       2 CPUs

Click Next. Virtual Hard Disk:

☑ Create a Virtual Hard Disk Now
Disk Size:        40 GB
☐ Pre-allocate Full Size:  UNCHECKED (dynamic allocation saves disk space)

Click Finish. The VM appears in the sidebar but don't start it yet.

Add the second network adapter. Select the VM → Settings → Network:

  • Adapter 1 is already set to NAT (internet access) — leave it
  • Click the Adapter 2 tab → check Enable Network Adapter
  • Attached to: Host-only Adapter
  • Name: select the host-only network you created in PT1.2 (e.g. vboxnet0)
  • Click OK

Hyper-V

Open Hyper-V Manager. In the right panel, click New → Virtual Machine. Follow the wizard:

Name:             PT-WIN-ENDPOINT
Location:         (leave default or choose a drive with space)
Generation:       Generation 2  (required for Windows 11 — UEFI boot)
Memory:           4096 MB
                  ☑ Use Dynamic Memory: CHECKED
Network:          Connect to: Default Switch  (provides NAT internet access)
Hard Disk:        Create a virtual hard disk
                  Size: 40 GB
Install Options:  Install an OS from a bootable image file
                  Browse → select your Windows 11 ISO

Click Finish. Before starting the VM, add the second network adapter:

Right-click the VM → Settings → Add Hardware → Network Adapter → Add:

Virtual Switch:   PurpleTeamLab  (the internal switch you created in PT1.2)

Also in Settings, under Security, confirm:

☑ Enable Secure Boot    Template: Microsoft UEFI Certificate Authority
☑ Enable Trusted Platform Module (TPM)

Windows 11 requires Secure Boot and TPM. Hyper-V Gen 2 provides both. If you see a boot error about TPM later, come back here and confirm these are checked.

Click OK.

VMware Workstation Player

Open VMware Workstation Player. Click Create a New Virtual Machine.

Install disc image file (ISO):  Browse → select your Windows 11 ISO
Guest OS:          Microsoft Windows
Version:           Windows 11 x64
VM Name:           PT-WIN-ENDPOINT
Disk:              40 GB
                   ☑ Split virtual disk into multiple files

Click Customize Hardware before finishing:

Memory:            4096 MB
Processors:        2
Network Adapter:   NAT  (already set — this is Adapter 1)

Click Add → Network Adapter → Finish:

Network Adapter 2: Host-only  (uses VMnet1 by default)

Click Close → Finish.

Step 2: Install Windows

Start the VM. It boots from the ISO.

What you'll see and what to select at each screen:

  1. Language, time, keyboard — leave defaults (or set your locale), click Next
  2. Install now — click it
  3. Product key — click "I don't have a product key" (evaluation licence)
  4. Select edition — choose "Windows 11 Enterprise Evaluation" (not Pro, not Education — Enterprise has the richest audit capabilities and Group Policy support)
  5. Licence terms — check the box, click Next
  6. Installation type — choose "Custom: Install Windows only (advanced)"
  7. Disk selection — select Drive 0 Unallocated Space → click Next

Windows installs. The VM reboots. This takes 5–15 minutes depending on your disk speed.

After reboot, the out-of-box experience (OOBE) starts:

  1. Region and keyboard — select yours, click Yes / Skip for second keyboard
  2. Network — if prompted to connect to a network, look for "I don't have internet". If that option isn't offered, press Shift+F10 to open a command prompt and run OOBE\BYPASSNRO; the VM restarts on its own and the option appears on the next pass. This lets you create a local account without a Microsoft account
  3. Name your device — enter PT-WIN-ENDPOINT, click Next
  4. How would you like to set up this device — choose "Set up for work or school" → "Sign-in options" → "Domain join instead" (this creates a local account)
  5. Who's going to use this device — enter labadmin
  6. Password — enter a password you'll remember. You'll type it often. Confirm it.
  7. Security questions — fill in three (anything is fine for a lab)
  8. Privacy settings — turn everything off, click Accept

Windows finishes setup. You land on the desktop logged in as labadmin.

If Windows 11 refuses to install without internet or a Microsoft account: this is common on newer builds. The OOBE\BYPASSNRO command at OOBE step 2 handles it. If that command is missing from your build, at the network screen press Shift+F10 and set the registry value it would have set, then reboot:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f
shutdown /r /t 0

The VM reboots and the OOBE restarts with an "I don't have internet" option.

Step 3: Install guest tools and disable sleep

Guest tools give you clipboard sharing, drag-and-drop, and proper display resolution. Without them the VM runs in a small fixed window.

VirtualBox: in the VM window menu bar → Devices → Insert Guest Additions CD image. Open File Explorer in the VM → open the CD drive → run VBoxWindowsAdditions.exe. Follow the installer, reboot when prompted.

Hyper-V: Guest integration services are built in — no install needed. Clipboard sharing and display resizing come from Enhanced Session Mode, not from the integration services: on the host, Hyper-V Manager → Hyper-V Settings → Enhanced Session Mode Policy → confirm "Allow enhanced session mode" is checked, and connect to the VM with the enhanced session (View → Enhanced Session in the VM window). Also right-click the VM → Settings → Integration Services → confirm Guest services is checked.

VMware: in the VM window menu bar → Player → Manage → Install VMware Tools. Open File Explorer in the VM → open the D: drive → run setup64.exe. Follow the installer, reboot when prompted.

Disable sleep and the display timeout so the VM doesn't go dark or lock while you're working on other VMs. Run these from an elevated prompt (the reg add writes under HKLM):

# Disable sleep and display timeout on AC power (keeps the VM running when you switch to another VM)
powercfg /change standby-timeout-ac 0
powercfg /change monitor-timeout-ac 0

# Skip the lock screen so a locked session goes straight to the sign-in prompt
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v NoLockScreen /t REG_DWORD /d 1 /f

Step 4: Disable Windows Defender real-time protection (temporarily)

Some attack tools and Atomic Red Team test binaries will be flagged by Defender. For the lab, disable real-time protection so the tools can run. You'll re-enable it selectively when testing defense evasion techniques in Module 6.

# Disable real-time protection (requires running as Administrator)
Set-MpPreference -DisableRealtimeMonitoring $true

# Confirm it's disabled
Get-MpPreference | Select-Object DisableRealtimeMonitoring
DisableRealtimeMonitoring
-------------------------
                     True

Note: Defender turns real-time protection back on by itself after a while and after reboots. Also, if Tamper Protection is enabled (the default on current Windows 11 builds), Set-MpPreference -DisableRealtimeMonitoring is silently ignored: the command returns without error but RealTimeProtectionEnabled in Get-MpComputerStatus stays True. Turn Tamper Protection off first in Windows Security → Virus & threat protection → Manage settings, then rerun the command. If you find attack tools being quarantined after a restart, run the command again. Alternatively, add exclusion folders, which survive reboots:

# Exclude the Atomic Red Team directory and a tools directory from scanning
Add-MpPreference -ExclusionPath "C:\AtomicRedTeam"
Add-MpPreference -ExclusionPath "C:\Tools"
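Because Set-MpPreference does not report when Tamper Protection ignored it, read the effective Defender state back rather than trusting the call. The following check is an added example, not part of the course's own steps; it assumes the two exclusion paths used above.

```powershell
# Added check (not from the course): confirm what Defender actually did. With Tamper
# Protection on, Set-MpPreference -DisableRealtimeMonitoring returns without error
# but changes nothing, so compare the requested preference with the live status.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

[pscustomobject]@{
    TamperProtected           = $status.IsTamperProtected
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled   # live state
    DisableRealtimeMonitoring = $prefs.DisableRealtimeMonitoring    # what you asked for
    ExclusionPaths            = ($prefs.ExclusionPath -join '; ')
} | Format-List

if ($status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is on. Turn it off in Windows Security > Virus & threat protection > Manage settings, then rerun Set-MpPreference -DisableRealtimeMonitoring $true.'
}
elseif ($status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is still on (Defender may have re-enabled it). Run Set-MpPreference -DisableRealtimeMonitoring $true again.'
}

# Exclusion paths assumed from Step 4 of this page
foreach ($p in 'C:\AtomicRedTeam', 'C:\Tools') {
    if ($prefs.ExclusionPath -notcontains $p) { Write-Warning "Exclusion missing: $p" }
}
```

Run it after every reboot during the build; a [PASS] on RealTimeProtectionEnabled = False is the only state in which the Atomic Red Team installer in Step 8 is guaranteed not to be quarantined.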

Step 5: Set a static IP on the internal network

The internal adapter needs a static IP so other lab VMs can reach this endpoint reliably. Open PowerShell as administrator.

First, identify which adapter is the internal one:

Get-NetAdapter | Format-Table Name, Status, InterfaceDescription, MacAddress
Name         Status  InterfaceDescription                    MacAddress
----         ------  --------------------                    ----------
Ethernet     Up      Intel(R) PRO/1000 MT Desktop Adapter    08-00-27-A1-B2-C3
Ethernet 2   Up      Intel(R) PRO/1000 MT Desktop Adapter #2 08-00-27-D4-E5-F6

The first adapter (Ethernet) is NAT — it has internet access. The second (Ethernet 2) is the internal/host-only adapter. You can confirm which is which:

# The NAT adapter will have a default gateway; the internal one won't
Get-NetIPConfiguration | Format-Table InterfaceAlias, IPv4Address, IPv4DefaultGateway
InterfaceAlias  IPv4Address        IPv4DefaultGateway
--------------  -----------        ------------------
Ethernet        {10.0.2.15}        {10.0.2.2}
Ethernet 2      {}                 {}

Ethernet 2 has no IP and no gateway — that's the internal adapter. Set the static IP:

# Set a static IP on the internal adapter
# Replace "Ethernet 2" with your actual internal adapter name if different
New-NetIPAddress -InterfaceAlias "Ethernet 2" -IPAddress 10.0.0.10 -PrefixLength 24
IPAddress         : 10.0.0.10
InterfaceIndex    : 7
InterfaceAlias    : Ethernet 2
AddressFamily     : IPv4
PrefixLength      : 24

Verification:

# Confirm the IP is set
ping 10.0.0.10
Reply from 10.0.0.10: bytes=32 time<1ms TTL=128

Troubleshooting: if New-NetIPAddress returns "The object already exists", the adapter already has an IP. Remove it first:

Remove-NetIPAddress -InterfaceAlias "Ethernet 2" -Confirm:$false
New-NetIPAddress -InterfaceAlias "Ethernet 2" -IPAddress 10.0.0.10 -PrefixLength 24
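Adapter names differ between hypervisors ("Ethernet 2" on VirtualBox, something else on Hyper-V or VMware), so the manual steps above are easy to apply to the wrong adapter. The script below is an added example, not from the course, that picks the internal adapter by the property the text relies on (no IPv4 default gateway), turns DHCP off so a 169.254.x.x address can't reappear, and assigns the lab address. It assumes exactly two adapters are up and the 10.0.0.10/24 addressing used on this page.

```powershell
# Added helper (not part of the course page): identify the internal adapter as the
# one with no IPv4 default gateway, then give it the lab's static address.
$LabIp     = '10.0.0.10'
$PrefixLen = 24

$configs  = Get-NetIPConfiguration | Where-Object { $_.NetAdapter.Status -eq 'Up' }
$internal = @($configs | Where-Object { -not $_.IPv4DefaultGateway })
$nat      = @($configs | Where-Object { $_.IPv4DefaultGateway })

if ($internal.Count -ne 1 -or $nat.Count -ne 1) {
    throw "Expected one NAT and one internal adapter, found NAT=$($nat.Count) internal=$($internal.Count). Fix the VM network settings first."
}
$alias = $internal[0].InterfaceAlias
Write-Host "NAT adapter: $($nat[0].InterfaceAlias)   Internal adapter: $alias"

# Stop DHCP on the internal adapter (there is no DHCP server on the host-only network)
# and clear any existing IPv4 address, which is what causes "The object already exists".
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false

New-NetIPAddress -InterfaceAlias $alias -IPAddress $LabIp -PrefixLength $PrefixLen | Out-Null

# Verify: the address landed on the internal adapter and the NAT adapter kept its gateway
$applied = Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4
if ($applied.IPAddress -ne $LabIp) { throw "Address not applied to $alias" }
if (-not (Get-NetIPConfiguration -InterfaceAlias $nat[0].InterfaceAlias).IPv4DefaultGateway) {
    throw 'NAT adapter lost its default gateway; internet access will not work'
}
Get-NetIPConfiguration | Format-Table InterfaceAlias, IPv4Address, IPv4DefaultGateway
```

If the throw about adapter counts fires, the second adapter was not added in Step 1 or is disconnected in the hypervisor; fix that before retrying rather than hard-coding an alias.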

Step 6: Install Sysmon

Sysmon is the telemetry engine. It runs as a system service and produces detailed event logs for process creation (Event 1), network connections (Event 3), image loads (Event 7), process access (Event 10), file creation (Event 11), registry changes (Event 13), and more. These are the events your detection rules will match on throughout the course.

First, relax the execution policy so downloaded PowerShell scripts can run (a fresh Windows install defaults to Restricted and blocks them). Execution policy is a safety rail, not a security boundary, so weakening it for the lab user changes nothing about what an attacker could run:

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser -Force

Download Sysmon and the SwiftOnSecurity configuration:

# Create a tools directory
New-Item -ItemType Directory -Path "C:\Tools" -Force | Out-Null

# Download Sysmon
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" `
    -OutFile "C:\Tools\Sysmon.zip"

# Extract Sysmon
Expand-Archive "C:\Tools\Sysmon.zip" -DestinationPath "C:\Tools\Sysmon" -Force

# Download SwiftOnSecurity Sysmon configuration
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" `
    -OutFile "C:\Tools\sysmonconfig.xml"

# Verify the files exist
Get-ChildItem "C:\Tools\Sysmon\Sysmon64.exe", "C:\Tools\sysmonconfig.xml" |
    Select-Object Name, Length
Name                Length
----                ------
Sysmon64.exe        6543872
sysmonconfig.xml    128456

Troubleshooting: if Invoke-WebRequest fails with "unable to connect" or "certificate" errors, the VM may not have internet access. Check:

# Test internet connectivity
Test-NetConnection -ComputerName "download.sysinternals.com" -Port 443

If this fails, verify the NAT adapter is connected in the VM settings and has a default gateway (Get-NetIPConfiguration).
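Sysmon runs as a kernel driver and a SYSTEM service, so the binary you are about to install is worth checking before you trust it. The following check is an added example, not one of the course's steps: it verifies the Authenticode signature on Sysmon64.exe, records its hash for later comparison, and confirms the downloaded configuration is well-formed XML with a schemaversion (Sysmon rejects a config without one). It assumes the C:\Tools paths used in this step.

```powershell
# Added check (not from the course): refuse to install a Sysmon binary that is not
# signed by Microsoft. This catches a tampered download or a proxy that rewrote the file.
$SysmonExe  = 'C:\Tools\Sysmon\Sysmon64.exe'
$ConfigPath = 'C:\Tools\sysmonconfig.xml'

$sig = Get-AuthenticodeSignature -FilePath $SysmonExe
$signerOk = ($sig.Status -eq 'Valid') -and
            ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
if (-not $signerOk) {
    throw "Signature check failed for $SysmonExe : status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Keep the hash next to the install so you can tell later whether the binary on disk changed
# (file name is an assumption for this example)
$hash = Get-FileHash -Algorithm SHA256 -Path $SysmonExe
"$($hash.Hash)  $SysmonExe  $(Get-Date -Format s)" | Add-Content 'C:\Tools\sysmon-install-hashes.txt'

# Parse the config as XML; a truncated or HTML-error-page download fails here, before Sysmon sees it
try {
    $cfg = [xml](Get-Content -Path $ConfigPath -Raw)
} catch {
    throw "sysmonconfig.xml is not valid XML (truncated download?): $($_.Exception.Message)"
}
if (-not $cfg.Sysmon.schemaversion) { throw 'Config has no <Sysmon schemaversion="..."> root element' }
Write-Host "Config schemaversion: $($cfg.Sysmon.schemaversion)"
```

If the signer check fails, delete the zip and re-download from download.sysinternals.com over a connection you control; do not continue to the install command with an unsigned binary.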

Install Sysmon with the configuration:

# Install Sysmon as a system service with the SwiftOnSecurity config
# The -accepteula flag prevents the EULA popup
& "C:\Tools\Sysmon\Sysmon64.exe" -accepteula -i "C:\Tools\sysmonconfig.xml"
System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using the configuration stored at C:\Tools\sysmonconfig.xml.
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.

Verification — confirm Sysmon is running and producing events:

# Check the Sysmon service is running
Get-Service Sysmon64 | Select-Object Status, Name, DisplayName
Status  Name      DisplayName
------  ----      -----------
Running Sysmon64  Sysmon64
# Check events are being generated — should return recent events
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5 |
    Select-Object TimeCreated, Id,
        @{N='EventType';E={
            switch ($_.Id) {
                1  { 'Process Create' }
                3  { 'Network Connection' }
                7  { 'Image Loaded' }
                10 { 'Process Access' }
                11 { 'File Create' }
                13 { 'Registry Value Set' }
                default { "Event $($_.Id)" }
            }
        }} |
    Format-Table
TimeCreated              Id EventType
-----------              -- ---------
25/04/2026 14:32:01       1 Process Create
25/04/2026 14:31:58      13 Registry Value Set
25/04/2026 14:31:55       7 Image Loaded
25/04/2026 14:31:52       3 Network Connection
25/04/2026 14:31:49       1 Process Create

If the log is empty or the Get-WinEvent command errors, Sysmon isn't capturing. Check:

# Is the service running?
Get-Service Sysmon64

# Was the config applied? Check the current config
& "C:\Tools\Sysmon\Sysmon64.exe" -c

If the service shows "Stopped", start it manually: Start-Service Sysmon64. If it won't start, check whether a Sysmon instance is already installed under a different service name: sc.exe query Sysmon64 and sc.exe query Sysmon. (Use sc.exe explicitly; in PowerShell, sc alone is an alias for Set-Content.)

Step 7: Generate a test event and find it

Run a command that produces a distinctive Sysmon Event 1 (process creation):

# This produces a Sysmon Event 1 with a recognisable command line
whoami /all

Now find that event in the Sysmon log:

# Search for the whoami event in the last 50 events
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 50 |
    Where-Object { $_.Id -eq 1 -and $_.Message -match "whoami" } |
    Select-Object TimeCreated, Id,
        @{N='CommandLine';E={($_.Properties[10]).Value}},
        @{N='User';E={($_.Properties[12]).Value}},
        @{N='ParentImage';E={($_.Properties[20]).Value}} |
    Format-List
TimeCreated  : 25/04/2026 14:35:22
Id           : 1
CommandLine  : whoami  /all
User         : PT-WIN-ENDPOINT\labadmin
ParentImage  : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

That's the event. Key fields:

  • Id: 1 — process creation
  • CommandLine — the exact command you ran
  • User — who ran it (currently the local admin; after domain join, this will show YOURLAB\t.ashworth)
  • ParentImage — what launched the process (PowerShell in this case)

When you fire attack techniques later, this is the exact same event type your detection rules will match on — just with procdump.exe -ma lsass.exe as the CommandLine instead of whoami /all.
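The query above reads fields by their position in Properties[] (10, 12, 20), which is correct for the current Sysmon Event 1 schema but breaks silently if a field is inserted. The function below is an added example, not from the course: it reads each Event 1 by field name from the event XML and then applies the same kind of predicate a detection rule will, here matching discovery tools such as whoami.exe spawned from an interactive shell. It assumes the Microsoft-Windows-Sysmon/Operational log from Step 6.

```powershell
# Added example (not part of the course page): parse Sysmon Event 1 by field NAME from
# the event XML instead of by Properties[] index, then run a detection predicate over it.
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 200)

    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                 -FilterXPath '*[System[EventID=1]]' -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            # Each <Data Name="...">value</Data> becomes a named entry
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                Image             = $d['Image']
                CommandLine       = $d['CommandLine']
                User              = $d['User']
                IntegrityLevel    = $d['IntegrityLevel']
                ParentImage       = $d['ParentImage']
                ParentCommandLine = $d['ParentCommandLine']
                Hashes            = $d['Hashes']
            }
        }
}

# The shape of every detection later in the course: a predicate over these fields.
# Here: host/account discovery binaries launched from an interactive shell.
$DiscoveryImages = 'whoami\.exe$|net\.exe$|systeminfo\.exe$|ipconfig\.exe$|nltest\.exe$'
$ShellParents    = 'powershell\.exe$|pwsh\.exe$|cmd\.exe$'

Get-SysmonProcessCreate |
    Where-Object { $_.Image -match $DiscoveryImages -and $_.ParentImage -match $ShellParents } |
    Format-Table TimeCreated, User, CommandLine, ParentImage -AutoSize
```

The whoami /all you ran in this step should be the first row. Matching on Image rather than CommandLine is deliberate: the command line is attacker-controlled text, while Image is the path Sysmon resolved for the executable.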

Step 8: Install Atomic Red Team

Atomic Red Team is the framework for executing ATT&CK techniques in a standardised way. Each technique has pre-built "atomic tests" — numbered test cases with specific commands, expected outputs, and cleanup procedures.

# Set the execution policy to allow the install script
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Download and run the installer. Note that this IWR-into-IEX one-liner is itself the
# download-cradle pattern (T1059.001) you will be detecting later; Sysmon logs this run too.
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics -Force

This downloads the framework and all atomic test definitions to C:\AtomicRedTeam\. The download is approximately 500 MB — it includes test binaries for many techniques. Wait for it to complete.

Troubleshooting: if the install fails with "Access denied" or antivirus blocks, confirm you disabled Defender real-time protection in Step 4. If it fails with "Cannot find path", run the IEX line again — the first run sometimes creates the directory structure without downloading all content.

Verification — confirm the framework is installed:

# Import the module
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

# List available tests for T1059.001 (PowerShell execution)
Invoke-AtomicTest T1059.001 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
T1059.001-1 Mimikatz
T1059.001-2 Run BloodHound from local disk
T1059.001-3 Run Bloodhound from Memory using Download Cradle
T1059.001-4 ComponentBasedServicing & DISM Log File
T1059.001-5 Obfuscation Tests
T1059.001-6 Mimikatz - Cradled Invoke Expression
T1059.001-7 Mimikatz - Full Command Line Cradle
T1059.001-8 Invoke-Command

To make the module auto-load in every PowerShell session, add it to your profile:

# Create the PowerShell profile if it doesn't exist
if (!(Test-Path $PROFILE)) { New-Item -Path $PROFILE -Force | Out-Null }

# Add the import line
Add-Content $PROFILE 'Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force'

# Verify the profile exists and contains the import
Get-Content $PROFILE
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

Don't run any attack tests yet. The smoke test in PT1.12 is the first real technique execution — by then, all three SIEMs will be connected and you'll verify detection across all of them.

Step 9: Install additional tools

# Install PowerShell 7 (cross-platform, used for some attack scripts)
winget install Microsoft.PowerShell --accept-package-agreements --accept-source-agreements

If winget isn't available (older evaluation ISOs may not include it), download PowerShell 7 manually:

Invoke-WebRequest -Uri "https://github.com/PowerShell/PowerShell/releases/download/v7.4.6/PowerShell-7.4.6-win-x64.msi" `
    -OutFile "C:\Tools\PowerShell7.msi"
Start-Process msiexec.exe -ArgumentList "/i C:\Tools\PowerShell7.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1" -Wait

Verify:

pwsh -v
PowerShell 7.4.6

# Install Git (needed to clone attack tool repos in later modules)
winget install Git.Git --accept-package-agreements --accept-source-agreements

# If winget unavailable, download manually:
# Invoke-WebRequest -Uri "https://github.com/git-for-windows/git/releases/download/v2.47.1.windows.1/Git-2.47.1-64-bit.exe" `
#     -OutFile "C:\Tools\Git-Install.exe"
# Start-Process "C:\Tools\Git-Install.exe" -ArgumentList "/VERYSILENT /NORESTART" -Wait

# Verify (open a NEW PowerShell window after install)
git --version
git version 2.47.1.windows.1

Step 10: Rename the computer

Give the VM a recognisable hostname so it's easy to identify in SIEM queries. If you entered PT-WIN-ENDPOINT at the "Name your device" OOBE screen, the name is already set (run hostname to confirm) and Rename-Computer will warn that the new name matches the current one, so skip this step. Otherwise:

Rename-Computer -NewName "PT-WIN-ENDPOINT" -Force -Restart

The VM reboots. Log back in as labadmin. Confirm:

hostname
PT-WIN-ENDPOINT

Step 11: Snapshot the VM

Before any attacks run against this endpoint, take a snapshot. This is your clean baseline — if a technique breaks something or you want to reset the endpoint to a known state, revert to this snapshot.

VirtualBox: in the VM window menu → Machine → Take Snapshot. Name it Clean-Sysmon-Baseline. Or from the host command line:

VBoxManage snapshot "PT-WIN-ENDPOINT" take "Clean-Sysmon-Baseline"

Hyper-V: right-click the VM in Hyper-V Manager → Checkpoint. Or:

Checkpoint-VM -Name "PT-WIN-ENDPOINT" -SnapshotName "Clean-Sysmon-Baseline"

VMware: right-click the VM in the library → Snapshot → Take Snapshot. Name it Clean-Sysmon-Baseline.

Verification checklist

Before moving to PT1.4, confirm every item:

☐ Windows 10/11 VM running, logged in as labadmin
☐ Hostname is PT-WIN-ENDPOINT
☐ Two network adapters present (NAT + internal)
☐ NAT adapter has internet access (can reach download.sysinternals.com)
☐ Static IP 10.0.0.10 set on internal adapter
☐ Defender real-time protection disabled + exclusion paths set
☐ Sysmon64 service running
☐ Sysmon events visible (Get-WinEvent returns events)
☐ whoami test event found via PowerShell query
☐ Atomic Red Team installed (Invoke-AtomicTest available)
☐ ART module auto-imports in PowerShell profile
☐ PowerShell 7 installed (pwsh -v works)
☐ Git installed (git --version works)
☐ VM snapshot "Clean-Sysmon-Baseline" taken

If all fourteen pass, the endpoint is ready. This VM is the primary target for the majority of the course — credential dumping, process injection, defense evasion, lateral movement all fire against this machine.
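The checklist can be run from inside the guest rather than ticked by hand. The script below is an added example, not part of the course page; it checks everything visible from within the VM and prints one PASS/FAIL line per item. The snapshot is the one item it cannot see and is left to you. It assumes the names and paths used above: PT-WIN-ENDPOINT, labadmin, 10.0.0.10, C:\AtomicRedTeam and C:\Tools.

```powershell
# Added verification script (not from the course): automate the PT1.3 checklist from inside the VM.
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'
$ArtModule = 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'

$results = [ordered]@{}
$results['Hostname is PT-WIN-ENDPOINT']    = $env:COMPUTERNAME -eq 'PT-WIN-ENDPOINT'
$results['Logged in as labadmin']          = $env:USERNAME -eq 'labadmin'

# Networking: two adapters up, exactly one with a gateway (NAT), the lab IP bound somewhere
$cfg = @(Get-NetIPConfiguration | Where-Object { $_.NetAdapter.Status -eq 'Up' })
$results['Two adapters up']                = $cfg.Count -eq 2
$results['NAT adapter has a gateway']      = @($cfg | Where-Object { $_.IPv4DefaultGateway }).Count -eq 1
$results['Internal adapter is 10.0.0.10']  = [bool](Get-NetIPAddress -AddressFamily IPv4 -IPAddress '10.0.0.10' -ErrorAction SilentlyContinue)
$results['Internet reachable (443)']       = (Test-NetConnection download.sysinternals.com -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

# Defender: read the live status, not just the preference (Tamper Protection can ignore the preference)
$mp = Get-MpPreference
$results['Defender RT protection off']     = -not (Get-MpComputerStatus).RealTimeProtectionEnabled
$results['Defender exclusions set']        = ($mp.ExclusionPath -contains 'C:\AtomicRedTeam') -and ($mp.ExclusionPath -contains 'C:\Tools')

# Sysmon: service up, log populated, the Step 7 whoami Event 1 present
$svc = Get-Service Sysmon64 -ErrorAction SilentlyContinue
$results['Sysmon64 service running']       = $svc.Status -eq 'Running'
$results['Sysmon log has events']          = [bool](Get-WinEvent -LogName $SysmonLog -MaxEvents 1 -ErrorAction SilentlyContinue)
$results['whoami Event 1 present']         = [bool](Get-WinEvent -LogName $SysmonLog -FilterXPath '*[System[EventID=1]]' -MaxEvents 500 -ErrorAction SilentlyContinue |
                                                Where-Object { $_.Message -match 'whoami' } | Select-Object -First 1)

# Atomic Red Team and tooling
$results['ART module importable']          = [bool](Import-Module $ArtModule -PassThru -ErrorAction SilentlyContinue)
$results['ART import present in $PROFILE'] = (Test-Path $PROFILE) -and (Select-String -Path $PROFILE -Pattern 'Invoke-AtomicRedTeam.psd1' -Quiet)
$results['pwsh installed']                 = [bool](Get-Command pwsh -ErrorAction SilentlyContinue)
$results['git installed']                  = [bool](Get-Command git -ErrorAction SilentlyContinue)

foreach ($entry in $results.GetEnumerator()) {
    $tag = if ($entry.Value) { '[PASS]' } else { '[FAIL]' }
    '{0} {1}' -f $tag, $entry.Key
}
if ($results.Values -contains $false) {
    Write-Warning 'One or more checks failed. Fix them, then take the Clean-Sysmon-Baseline snapshot.'
} else {
    Write-Host 'All guest-side checks passed. Take the Clean-Sysmon-Baseline snapshot from the hypervisor now.'
}
```

Run it in a fresh elevated PowerShell window so the profile import and the Defender status reflect the state a new session will see.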

Next
PT1.4 — Active Directory Domain Controller Build. Create the Windows Server VM, install AD DS, create the lab domain, and configure the test accounts used throughout the course.

You've built the lab and understand the validation gap.

Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.

  • 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
  • Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
  • Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
  • Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
  • Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course