Introduction
The attacker was already inside. A reverse shell was open, a flag file had been stolen, and Windows Defender was quietly switched off. But none of that happened in silence — Sysmon was watching the entire time.
In this post I'm breaking down exactly how I detected a live Meterpreter C2 session using only Sysmon telemetry during a Red vs Blue simulation I ran in my home lab. No fancy EDR. No threat intel feed. Just Sysmon event logs and knowing what to look for.
The Setup
Two VMs. One goal. Break in and steal the flag — then switch sides and figure out what the logs recorded.
