In this chapter we will:
- Set up a GPO or SCCM job to deploy Sysmon across your clients.
Sysmon is a Windows service from Microsoft which logs Windows activity to event logs, based on settings defined in an XML configuration file.
By following this guide and using Sysmon, you are agreeing to the following EULA. Please read this before continuing. https://docs.microsoft.com/en-us/sysinternals/license-terms
LME supports either GPO or SCCM Deployment. It is your choice which of these you use, but you should not use both.
Group Policy Object (GPO) deployment involves creating a 'scheduled task' that will periodically connect to a network folder location and run update.bat to install Sysmon or modify an existing installation.
Using Microsoft Group Policy to deploy LME requires two main things:
- A location to host the configuration and executables.
- A Group Policy Object (GPO) to create a scheduled task.
A centralised network folder accessible by all machines that are going to run Sysmon is needed. We suggest a folder inside the SYSVOL directory, since by default it is configured with very restricted write permissions. It is extremely important that the folder contents cannot be modified by ordinary users, because every client will execute update.bat from this location; this is why the SYSVOL folder is recommended.
You will need to download the files below and copy them to an appropriate location, such as a SYSVOL folder at \\%YourDomainName%\sysvol\%YourDomainName%\Sysmon
- Sysmon64.exe - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- sigcheck64.exe - https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
- sysmon.xml -
  - Either Olaf Hartong's Modular Sysmon or SwiftOnSecurity's Sysmon config is the recommended Sysmon configuration (pick one).
  - Using the SwiftOnSecurity XML will ensure the best compatibility with the pre-made dashboards, while Olaf Hartong's modular XML will collect additional data and may be suitable when more robust monitoring is required.
  - These configuration options are a good starting point, but more advanced users will benefit from customisation to include/exclude events.
  - You will need to rename the downloaded file to sysmon.xml.
- update.bat - From our Git repository (based on work by Ryan Watson & Syspanda.com)
Looking in the SYSVOL folder, you should now see a layout similar to the one below.
Figure 5: Sysvol File Layout
This section sets up a scheduled task to run update.bat (stored on a network folder), distributed through Group Policy.
Import the LME-Sysmon-Task GPO into group policy management and link the object to a test Organisational Unit (OU). Once the GPO is confirmed as working in your environment then you can link the GPO to a larger OU to deploy LME further.
- Open up group policy management editor
- Edit the Lme-Sysmon-Task GPO
- Change the setting for the batch file network location by navigating to:
  Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks\lme-sysmon-deploy\Actions
  and then select "Start a program" > Edit > Change the Location.
  For example: \\testme.local\SYSVOL\testme.local\Sysmon\update.bat
Whilst SCCM deployment is not usually the first choice for deploying Sysmon, we have included an example install and uninstall PowerShell script along with detection criteria that work with SCCM. Files for this portion of the tutorial can be found here
Install Program:
powershell.exe -Executionpolicy unrestricted -file Install_Sysmon64.ps1
Uninstall program:
powershell.exe -Executionpolicy unrestricted -file Uninstall_Sysmon64.ps1
Detection method: File exists - C:\Windows\sysmon64.exe
- Do you have the Sysmon service running on a sample of the clients?
- Is the Sysmon Eventlog showing data? (It’s located in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational)
- Are you seeing Sysmon logs in the Forwarded Events folder on the Windows Event Collector box?
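The checks above, together with the earlier requirement that the SYSVOL deployment folder must not be writable by ordinary users, can be scripted. The following PowerShell is an added example, not part of LME or its Git repository; it assumes the 64-bit install (service name Sysmon64, binary in the Windows directory as used by the SCCM detection method) and takes the share path as a parameter (the testme.local value is a placeholder). Run it in an elevated prompt on a test client.

```powershell
# Added verification script (not LME's own code). $SharePath is an assumed example
# value; replace it with the folder your GPO points update.bat at.
param(
    [string]$SharePath = '\\testme.local\SYSVOL\testme.local\Sysmon',
    [int]$MaxAgeMinutes = 60
)

$results = [ordered]@{}

# 1. Is the Sysmon service installed and running? Sysmon64.exe registers the
#    service as 'Sysmon64'; a 32-bit install would use 'Sysmon'.
$svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue |
       Select-Object -First 1
$results['ServiceRunning'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# 2. Is the Sysmon Operational log receiving recent events?
$since  = (Get-Date).AddMinutes(-$MaxAgeMinutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $since
} -MaxEvents 50 -ErrorAction SilentlyContinue
$results['RecentEventCount'] = @($events).Count

# 3. Is the installed binary validly signed, and is it the same file as the share copy?
$local = Join-Path $env:SystemRoot 'Sysmon64.exe'
$sig   = Get-AuthenticodeSignature -FilePath $local -ErrorAction SilentlyContinue
$results['BinarySignatureValid'] = ($null -ne $sig -and $sig.Status -eq 'Valid')
$localHash = (Get-FileHash -Path $local -ErrorAction SilentlyContinue).Hash
$shareHash = (Get-FileHash -Path (Join-Path $SharePath 'Sysmon64.exe') -ErrorAction SilentlyContinue).Hash
$results['BinaryMatchesShare'] = ($null -ne $localHash -and $localHash -eq $shareHash)

# 4. Can broad groups write to the deployment folder? They must not be able to,
#    because every client runs update.bat from it with administrative rights.
$broad       = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeRights = 'Write|Modify|FullControl|CreateFiles|AppendData'
$acl  = Get-Acl -Path $SharePath -ErrorAction SilentlyContinue
$weak = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($broad -contains $_.IdentityReference.Value -or
     $_.IdentityReference.Value -like '*\Domain Users') -and
    $_.FileSystemRights.ToString() -match $writeRights
})
$results['ShareWritableByBroadGroups'] = ($weak.Count -gt 0)

# One object per client; ServiceRunning, BinarySignatureValid and BinaryMatchesShare
# should be True, RecentEventCount above 0, ShareWritableByBroadGroups False.
[pscustomobject]$results
```

The forwarded-events check still has to be done on the Windows Event Collector itself, since this script only sees the local client's logs.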