Below is the script that I have been working on to install Sysmon through group policy so you do not have to install it on each workstation/server. I hope to make a few more modifications around updating the .xml file or creating a separate script. The guide for this should be coming over the next week or two and will tie into our WEF deployment guide. From there we will export the logs from our WEF server to Splunk for easier manipulation of the data. To use the script, just replace the <<DOMAIN>> with your domain/file location.
```batch
@echo off
REM Sysmon install via a Group Policy startup script. Replace <<DOMAIN>> with your domain.

REM First run on a host: create the local folder and pull the config from SYSVOL.
IF NOT EXIST "C:\sysmon" (
    mkdir "C:\sysmon"
    copy /v "\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmonconfig-export.xml" "C:\sysmon\sysmonconfig-export.xml"
)

REM sysmon64.exe installs itself as C:\Windows\Sysmon64.exe and registers the service
REM as Sysmon64, so that path is the marker for "already installed".
IF NOT EXIST "C:\Windows\Sysmon64.exe" GOTO Install
GOTO StartService

:Install
"\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmon64.exe" -accepteula -i "C:\sysmon\sysmonconfig-export.xml"
GOTO :EOF

:StartService
net start Sysmon64
GOTO :EOF
```
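The config-update step mentioned above, written as a separate startup script. This is an added example, not part of the original post; it assumes the same SYSVOL layout and that Sysmon was installed from sysmon64.exe, so the installed binary is C:\Windows\Sysmon64.exe.

```batch
@echo off
REM Added example: refresh the Sysmon rules when the SYSVOL copy of the config
REM differs from the copy on this host. Replace <<DOMAIN>> with your domain.
SET "SRC=\\<<DOMAIN>>\SYSVOL\<<DOMAIN>>\Sysmon\sysmonconfig-export.xml"
SET "DST=C:\sysmon\sysmonconfig-export.xml"

REM Nothing to update if Sysmon is not installed yet; the install script handles that.
IF NOT EXIST "C:\Windows\Sysmon64.exe" (
    ECHO Sysmon64 is not installed on this host; run the install script first.
    EXIT /B 1
)

REM If SYSVOL is unreachable, keep whatever rules are already loaded.
IF NOT EXIST "%SRC%" (
    ECHO Cannot read %SRC%; leaving the current configuration in place.
    EXIT /B 1
)

REM fc /b sets ERRORLEVEL 0 only when the two files are byte-identical
REM (1 = different, 2 = a file is missing), so anything non-zero means "update".
fc /b "%SRC%" "%DST%" >nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO Sysmon configuration is already current.
    EXIT /B 0
)

REM Copy with verification first, then load the new rules into the running service.
copy /v /y "%SRC%" "%DST%" >nul
IF ERRORLEVEL 1 (
    ECHO Copy failed; not touching the running configuration.
    EXIT /B 1
)
"C:\Windows\Sysmon64.exe" -c "%DST%"
EXIT /B %ERRORLEVEL%
```

Running it alongside the install script lets a rule change in SYSVOL reach every host at the next boot without reinstalling the service.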