Sysmon Install and Config
Document created by Zac Bergart (zacbergart@gmail.com); last updated April 7, 2018.
Overview
According to Microsoft, Sysmon stands for “System Monitor” and is a Windows system service and device driver that,
once installed on a system, remains resident across system reboots to monitor
and log system activity to the Windows event log. It provides detailed
information about process creations, network connections, and changes to file
creation time.
This document will cover the following:
- Requirements – what the necessary components are for a managed network deployment of Microsoft’s Sysmon product
- GPO Deployment method – a minimal method of how to set up and deploy Sysmon through Active Directory GPOs and have the client computer configured for remote event collection; note: there are other ways that do “more” but here the main goal is to successfully deploy Sysmon with minimal effort and still have it a managed solution
- Sysmon configuration – a review of things to keep in mind when creating the Sysmon configuration file
Requirements
This document is primarily focused on an environment that
contains an Active Directory (AD) domain using Windows Server 2012 or later and
the ability to use Group Policy Objects (GPOs). If your environment differs you
will need to adjust things; for example, there are slight differences in GPO creation
between Windows Server 2012 AD domains and earlier versions of Windows AD
domains, requiring slightly different steps to be followed. Additionally, this
document does not require a service account; if you choose to use one, you will
need to adjust the instructions accordingly.
Lastly, the appendix of this document includes a CMD file that can be used for
manual configurations, where Sysmon is deployed and updated under the currently
logged-on user, to demonstrate a method for such circumstances.
Therefore, to list the requirements for the primary method
of deploying and updating Sysmon as described in this document:
- An account with administrative privileges in the domain
- Must be able to create/deploy GPOs
- Must be able to create/deploy files in the “NETLOGON” share
- Must be able to assign processes to use the NT AUTHORITY\SYSTEM account
- At least one Domain Controller (DC)
- The “NETLOGON” share requires at least default permissions applied
- At least one client computer
- This can be either a Windows workstation or a server
- Add this client computer to the appropriate group cited in step #4
- At least one group for all computers that will use the GPO for Sysmon deployment
- The group name should be specific to the type of GPO deployment configuration so that if there are multiple GPO configurations it is easy to manage
- [Optional] An event collector such as a SIEM or Windows Event Forwarding (WEF) server
Sysmon Files
Create a folder in the DC’s “NETLOGON” share for the Sysmon
files; ex: \\DC\NETLOGON\Sysmon7.x for containing all Sysmon version 7 files.
Note: the default drive path for the NETLOGON share for Windows Server 2012 R2
is “C:\Windows\SYSVOL\sysvol\[your-domain]\scripts”.
Download the Sysmon files (https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon)
and place them in the above folder; note: if you downloaded the compressed (zip) archive,
as is most likely, extract the files from the zip into the above folder.
GPO Configuration
Note/Reminder: This document focuses on Windows Server 2012
and later environments; the images are specifically from a Windows Server 2012
R2 environment; if your environment is an earlier version of Windows Server
you will need to perform the equivalent actions for that version.
Note/Reminder: Always follow your company’s established
Change Management process for creating, testing, and deploying
- Launch the “Group Policy Management” console and browse to Group Policy Management > Forest > Domains > Your-Domain > Group Policy Objects. Right-click either on the “Group Policy Objects” folder or the content pane and select “New”
- Provide a meaningful name
- If you are going to have multiple GPOs for
different configurations then include a configuration name to distinguish the
different versions
- Right-click on the GPO and select “Edit”
- Browse to: Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks
- Right-mouse-button click on “Scheduled Tasks” and select: New > Scheduled Task (At least Windows 7)
- Update the ‘General’ tab with the following
- Action: Update
- Name: something meaningful, recommendation is the GPO’s name
- Description: describe what the task will do and frequency it will follow
- Click the “Change User or Group…” button
- Type “System” in the text box and click on the “Check Names” button
- Note: if the account you are using does not have the permissions to use the NT AUTHORITY\SYSTEM you will be prompted to provide credentials that do
- Click the “OK” button
- Select the radio button for “Run whether user is logged on or not”
- Use the “Configure for:” drop-down-list to select “Windows 7, Windows Server 2008R2”
- The ‘General’ tab should look something like this:
- Update the ‘Triggers’ tab, click the “New…” button
- Begin the task: On a schedule
- Settings:
- Daily
- Start:
- Recur every: 1 days
- Advance Settings:
- Repeat task every 1 hour for a duration of 1 day
- Stop all running tasks at end of repetition duration
- Enabled:
- The “New Trigger” dialog should look something like this:
- Note: adjust to meet your company’s specific requirements
- Click the “OK” button
- Update the ‘Actions’ tab, create the following two (2) actions in this order:
- Click the “New…” button
- Action: Start a Program
- Program/script: \\[your-DC]\NETLOGON\Sysmon7.x\Sysmon.exe
- Note: use the 64-bit version if appropriate
- Add arguments: -accepteula -i \\[your-DC]\NETLOGON\Sysmon7.x\config_sysmon.xml
- This should look something like this:
- Click the “OK” button
- Click the “New…” button
- Action: Start a Program
- Program/script: \\[your-DC]\NETLOGON\Sysmon7.x\Sysmon.exe
- Note: use the 64-bit version if appropriate
- Add arguments: -c \\[your-DC]\NETLOGON\Sysmon7.x\config_sysmon.xml
- This should look something like this:
- Click the “OK” button
- The ‘Action’ tab should look like this:
- If the top action is not the install action (the one with the “-accepteula -i” argument) use the up/down arrows to place it at the top
- Update the ‘Conditions’ tab
- Wake the computer to run this task:
- [Optional] Start only if the following network connection is available: and select an appropriate network connection
- Note: adjust settings to meet your company’s specific requirements
- The ‘Conditions’ tab should look something like this:
- Update the ‘Settings’ tab:
- Allow task to be run on demand:
- Run task as soon as possible after a scheduled
start is missed:
- If the running task does not end when requested,
force it to stop:
- If the task is already running, then the following rule applies: Stop the existing instance
- The ‘Settings’ tab should look something like this:
- Note: adjust settings to meet your company’s specific requirements
- Leave the ‘Common’ tab settings at their defaults; note: adjust settings to meet your company’s specific requirements
- Click the “OK” button
- [Recommended/Optional] Make the Sysmon events accessible to remote event collectors
- Browse to: Computer Configuration > Preferences > Windows Settings > Registry
- Right-mouse-button click on “Registry” and select: New > Registry Item
- Action: Update
- Hive: HKEY_LOCAL_MACHINE
- Key Path: SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Sysmon/Operational
- Value name: tick the 'Default' and leave the value empty
- The ‘New Registry Properties’ dialog box should look like this:
- Close the ‘Group Policy Management Editor’
- In the ‘Group Policy Management’ console browse to Group Policy Management > Forest > Domains > Your-Domain > Group Policy Objects > [Name-of-your-GPO]
- Select the ‘Scope’ tab
- In the “Security Filtering” section click the “Add…” button and add the group(s) you want to have this GPO applied to
- Select the ‘Settings’ tab and verify the settings
- [Optional] Right-click in the content of the ‘Settings’ tab and select “Save Report…” to save a copy of the settings used for documentation purposes
- Right-click on your-domain and select “Link an Existing GPO…”
- Select the Sysmon GPO you have completed and verified
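Once the GPO has applied, it is worth confirming on a client that every piece of the deployment above actually landed: the service and driver, the SYSTEM scheduled task, the Sysmon event log channel, and the eventlog registry key from the registry item. The following PowerShell check is an added example and is not part of the original post; it assumes the scheduled task name you gave in the GPO (the default below is a placeholder) and that the install used either Sysmon.exe (service name "Sysmon") or Sysmon64.exe (service name "Sysmon64"). Run it in an elevated session on a client computer.

```powershell
# Added example (not from the original post): verify a GPO-deployed Sysmon install on a client.
# Assumptions: $TaskName matches the task name used in the GPO; service is "Sysmon" or "Sysmon64".
#Requires -RunAsAdministrator

function Test-SysmonDeployment {
    param(
        # Name of the scheduled task created by the GPO preference item (assumed placeholder)
        [string]$TaskName = 'Sysmon Deployment',
        # How far back to look for Sysmon events as a liveness check
        [int]$LookbackHours = 1
    )

    $result = [ordered]@{}

    # 1. Sysmon installs a user-mode service plus the SysmonDrv kernel driver.
    $svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $result.ServiceName    = if ($svc) { $svc.Name } else { '<not installed>' }
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    $drv = Get-Service -Name 'SysmonDrv' -ErrorAction SilentlyContinue
    $result.DriverRunning  = [bool]($drv -and $drv.Status -eq 'Running')

    # 2. The scheduled task pushed by the GPO, which should run as NT AUTHORITY\SYSTEM.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $result.TaskPresent      = [bool]$task
    $result.TaskRunsAsSystem = [bool]($task -and $task.Principal.UserId -match 'SYSTEM|S-1-5-18')
    $result.TaskActions      = if ($task) {
        ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
    } else { '' }

    # 3. The Sysmon operational channel must exist and be enabled for events to land.
    $logName = 'Microsoft-Windows-Sysmon/Operational'
    $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
    $result.ChannelEnabled = [bool]($log -and $log.IsEnabled)
    $result.RecordCount    = if ($log) { $log.RecordCount } else { 0 }

    # 4. Liveness: at least one Sysmon event inside the lookback window.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $recent = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.EventsInLookback = [bool]$recent

    # 5. The eventlog registry key that the GPO registry item creates. The key name
    #    contains a forward slash, which the PowerShell registry provider treats as a
    #    path separator, so query it through the .NET registry API instead.
    $keyPath = 'SYSTEM\CurrentControlSet\Services\EventLog\' + $logName
    $regKey  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath)
    $result.EventLogRegKeyPresent = ($null -ne $regKey)
    if ($regKey) { $regKey.Close() }

    $result.AllChecksPassed = $result.ServiceRunning -and $result.DriverRunning -and
        $result.TaskPresent -and $result.TaskRunsAsSystem -and
        $result.ChannelEnabled -and $result.EventLogRegKeyPresent

    [pscustomobject]$result
}

# Usage (substitute the task name you used in the GPO):
Test-SysmonDeployment -TaskName 'Sysmon Deployment' | Format-List
```

The TaskActions field echoes the two Start a Program actions so you can confirm the install action (with -accepteula -i) is listed first and both point at the NETLOGON path; EventsInLookback being false on an otherwise healthy client usually means the configuration file filters out more than intended rather than a failed install.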
Sysmon Configuration Caveat
Sysmon has a quirk with excludes:
- If a section of the configuration includes an exclude statement it will by default monitor and trigger on everything else in that section; it is effectively an “include everything but what is specifically excluded” configuration regardless of what the include statement says
- Therefore, if you want to have Sysmon work with only specific events/actions it is better to do so with include statements
A sample Sysmon configuration XML is included in the
appendix of this document.
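Because the exclude behaviour above is easy to miss when a configuration file grows, it helps to lint the file before deploying it. The following PowerShell function is an added example, not part of the original post or of the SwiftOnSecurity configuration: it reads a Sysmon configuration, and for each event type reports whether the rules put it in “log everything except the excludes” mode or in “log only what is included” mode, flagging an exclude filter that sits next to include rules and an empty exclude filter. The sample configuration at the bottom is constructed for the demonstration; the function also accepts the schema 4.x RuleGroup layout, which the text does not cover.

```powershell
# Added example (not from the original post): lint a Sysmon config for the exclude caveat.
function Get-SysmonFilterMode {
    param(
        # Parsed Sysmon configuration document
        [Parameter(Mandatory)][xml]$Config
    )

    $eventFiltering = $Config.Sysmon.EventFiltering
    if (-not $eventFiltering) { throw 'No <EventFiltering> element found in the configuration' }

    # Schema 4.x wraps filters in <RuleGroup>; schema 3.x places them directly under
    # <EventFiltering>. Collect the per-event-type filter elements from both layouts.
    $filters = @()
    foreach ($node in $eventFiltering.ChildNodes) {
        if ($node.NodeType -ne 'Element') { continue }   # skip comments and whitespace
        if ($node.LocalName -eq 'RuleGroup') {
            $filters += @($node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        } else {
            $filters += $node
        }
    }

    $filters | Group-Object -Property LocalName | ForEach-Object {
        $group      = @($_.Group)
        $modes      = @($group | ForEach-Object { $_.GetAttribute('onmatch').ToLowerInvariant() })
        $hasExclude = $modes -contains 'exclude'
        $hasInclude = $modes -contains 'include'
        $ruleCount  = @($group | ForEach-Object { $_.ChildNodes } |
            Where-Object { $_.NodeType -eq 'Element' }).Count

        # Apply the caveat: any exclude filter means "log everything except the excludes".
        $mode = 'NoOnmatch'
        if ($hasExclude)     { $mode = 'LogAllExcept' }
        elseif ($hasInclude) { $mode = 'LogOnlyIncluded' }

        $note = ''
        if ($hasExclude -and $hasInclude) {
            $note = 'exclude filter present: include rules do not narrow what is logged'
        } elseif ($hasExclude -and $ruleCount -eq 0) {
            $note = 'empty exclude filter: every event of this type is logged'
        } elseif ($hasInclude -and $ruleCount -eq 0) {
            $note = 'empty include filter: no event of this type is logged'
        }

        [pscustomobject]@{
            EventType = $_.Name
            Filters   = $group.Count
            Rules     = $ruleCount
            Mode      = $mode
            Note      = $note
        }
    }
}

# Constructed sample configuration (schema 3.x layout as used by Sysmon 7.x); not a real deployment file.
$sampleConfig = [xml]@'
<Sysmon schemaversion="3.40">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Windows\System32\conhost.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <Image condition="image">powershell.exe</Image>
      <Image condition="image">cmd.exe</Image>
    </NetworkConnect>
    <DriverLoad onmatch="exclude"/>
    <FileCreateTime onmatch="include">
      <Image condition="image">winword.exe</Image>
    </FileCreateTime>
    <FileCreateTime onmatch="exclude">
      <Image condition="image">OneDrive.exe</Image>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>
'@

Get-SysmonFilterMode -Config $sampleConfig | Format-Table -AutoSize
# To lint a real file instead:
# Get-SysmonFilterMode -Config ([xml](Get-Content -Raw .\config_sysmon.xml))
```

In the sample, NetworkConnect is the only type that ends up in LogOnlyIncluded mode; ProcessCreate, DriverLoad and FileCreateTime all report LogAllExcept, with DriverLoad flagged for its empty exclude and FileCreateTime flagged because its include rules sit beside an exclude filter.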
Appendix
Appendix 1: Sysmon Configuration
For the sake of brevity, the sample Sysmon configuration is provided as an
embedded XML object; the same configuration can also be found here: https://github.com/SwiftOnSecurity/sysmon-config
Appendix 2: CMD batch file for manual install of Sysmon
The following batch file can be used either through manual
execution or a scheduled task to install and update the Sysmon service. It has
some unnecessary flourishes and requires the executing account to have
elevated privileges, but it works. Modify it as required for your environment.
REM Sysmon can be downloaded here:
REM https://docs.microsoft.com/en-gb/sysinternals/downloads/sysmon
REM
REM A generic config can be downloaded here:
REM https://github.com/SwiftOnSecurity/sysmon-config
cls
REM UNC path of the share holding Sysmon.exe and config_sysmon.xml; adjust for your environment
Set SysmonSourceFiles=\\Server\Shared Folder\FolderPath\Sysmon
Echo Copying network Sysmon config file
REM /z = restartable mode, /y = overwrite without prompting
copy /z /y "%SysmonSourceFiles%\config_sysmon.xml" %SystemRoot%
If Not Exist %SystemRoot%\config_sysmon.xml (
    Echo Error in copying the Sysmon config to: %SystemRoot%\config_sysmon.xml
    goto exitscript
)
REM un-remark the following command if you wish to have the script install a
REM new Sysmon.exe executable as the Sysmon service; this will force this script
REM to use the network source Sysmon.exe and thereby use the new executable
REM (this line is reached only after the config copy succeeded)
REM
REM Sysmon -u
:chkprocess
Echo Checking Sysmon process
REM sc query returns a non-zero ERRORLEVEL when the service is not installed
sc query "Sysmon" >nul
If %ERRORLEVEL% EQU 0 (goto isitrunning)
:installsysmon
Echo Trying to install Sysmon
"%SysmonSourceFiles%\Sysmon.exe" /accepteula -i %SystemRoot%\config_sysmon.xml
:isitrunning
Echo Checking Sysmon process run state
sc query "Sysmon" | Find /i "Running" >nul
If %ERRORLEVEL% EQU 0 (goto updateconfig)
:startsysmon
net start Sysmon
:updateconfig
Echo.
Echo Trying to update Sysmon config
REM the installed copy of sysmon.exe lives in %SystemRoot%, which is on the PATH
sysmon -c %SystemRoot%\config_sysmon.xml
:exitscript