Deploy Sysmon with GPO

  1. First, we will place the Sysmon64.exe and sysmonconfig-export.xml in our domain Sysmon folder. This will allow us to browse to the following items just by typing in \\<domain>\SYSVOL\<domain>\Sysmon, so you could manually install from each computer. On domain controllers, this location can be created under C:\Windows\SYSVOL\sysvol\<domain>, which will be replicated to all domain controllers.
  2. The following script is just a quick Batch script that I wrote over one afternoon and tested on my test domain. We will place this in the default scripts folder for our group policy but you could also place this in the Sysmon folder that we created in step 1.
    1. Location on Domain Controller: C:\Windows\SYSVOL\sysvol\<Domain>\Policies\<PolicyUID>\MACHINE\Scripts\Startup
    2. Script:
      REM Shared location from step 1; replace <domain> with the domain's DNS name.
      IF NOT EXIST "C:\sysmon" (mkdir "C:\sysmon" & copy /v "\\<domain>\SYSVOL\<domain>\Sysmon\sysmonconfig-export.xml" "C:\sysmon\sysmonconfig-export.xml")
      REM Sysmon names the installed binary and service after the installer file, so Sysmon64.exe yields C:\Windows\Sysmon64.exe and a service called Sysmon64.
      IF NOT EXIST "C:\Windows\Sysmon64.exe" GOTO Install
      IF EXIST "C:\Windows\Sysmon64.exe" GOTO StartService
      :Install
      "\\<domain>\SYSVOL\<domain>\Sysmon\sysmon64.exe" -accepteula -i C:\sysmon\sysmonconfig-export.xml
      GOTO :EOF
      :StartService
      net start Sysmon64
      GOTO :EOF
    3. This script starts by checking for the C:\sysmon folder; if it does not exist, it creates the directory and copies the config file with verification (copy /v) into C:\sysmon.
    4. Then it checks if the software is installed. If it is not installed, it goes to the install script. If it is installed, it tries to start the service before exiting.
    5. The batch script above is customizable so you could modify it to update the .xml file so your deployment is always using the latest version. I will try to update this on a separate blog post when I have some time to test it.
  3. Now we will set up our default domain policy to run this script, but you can create a new policy or apply it to another existing one. My default domain policy applies a lot of security settings used for testing in my lab.
  4. Open Group Policy Management.
  5. Right click the policy and on the new window, expand Computer Configuration > Policies > Windows Settings > Scripts.
  6. Right click Startup and select Properties.
  7. Select Add... and point to the script file.
  8. To verify the script is configured, open Command Prompt and run the following:
    1. gpupdate /force
    2. gpresult /h gpresult.html
    3. This will output an HTML file in the current directory for the computer and user policies. This is very helpful to verify new scripts and fix issues with group policy.
    4. For further verification, you could even reboot the computer to see if it installs Sysmon.
  9. Now that Sysmon is set up in a policy to install on computers, let's configure WinRM to pull the logs from each of these workstations; otherwise, the logs will just be stored on the local computer.
  10. Go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Windows Remote Management.
    1. Enable the server.
    2. Set startup mode to Automatic.
  11. Next go to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding.
    1. Enable Configure target Subscription Manager.
    2. Enter: Server=http://<ServerNameFQDN>:5985/wsman/SubscriptionManager/WEC
  12. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service. This restricts WinRM to just the specified IP.
    1. Enable Allow remote server management.
    2. Enter the IP address of the server.
  13. Wait for group policy to update and you should start to see events show up shortly. Next, I will send this data to Splunk and start indexing it to get a better idea of what is running in my test domain.
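Step 2.5 leaves the config-update case for a later post; as an added example (not the post's batch script and not Sysinternals tooling), the PowerShell startup script below installs Sysmon64 when it is absent, otherwise reloads the configuration only when the SYSVOL copy's SHA-256 differs from the local one, and finishes with a check of the WinRM and Subscription Manager settings from steps 10 and 11. It assumes the share layout from step 1 (replace <domain>), that Sysmon64.exe was the installer used, and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not the post's batch script. Assumes the share from step 1 (replace <domain>)
# and that Sysmon64.exe was used, so the installed binary is C:\Windows\Sysmon64.exe and the
# service is Sysmon64 (Sysmon names both after the installer file). Needs PowerShell 4+.
$Share      = '\\<domain>\SYSVOL\<domain>\Sysmon'
$LocalDir   = 'C:\sysmon'
$ConfigName = 'sysmonconfig-export.xml'
$ShareCfg   = Join-Path $Share $ConfigName
$LocalCfg   = Join-Path $LocalDir $ConfigName
$Installer  = Join-Path $Share 'Sysmon64.exe'
$Installed  = Join-Path $env:SystemRoot 'Sysmon64.exe'
$Service    = 'Sysmon64'

if (-not (Test-Path $LocalDir)) {
    New-Item -ItemType Directory -Path $LocalDir | Out-Null
}

# Decide whether the SYSVOL config differs from the local copy (a missing local copy counts as changed).
$shareHash = (Get-FileHash -Path $ShareCfg -Algorithm SHA256).Hash
$localHash = if (Test-Path $LocalCfg) { (Get-FileHash -Path $LocalCfg -Algorithm SHA256).Hash }
$configChanged = ($shareHash -ne $localHash)

if (-not (Test-Path $Installed)) {
    # Not installed yet: stage the config locally, then install with it.
    Copy-Item -Path $ShareCfg -Destination $LocalCfg -Force
    & $Installer -accepteula -i $LocalCfg
}
elseif ($configChanged) {
    # Already installed: stage the new config and reload it in place with -c (no reinstall).
    Copy-Item -Path $ShareCfg -Destination $LocalCfg -Force
    & $Installed -c $LocalCfg
}

# Make sure the service is running either way.
$svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') {
    Start-Service -Name $Service
}

# Quick check of the forwarding side from steps 10 and 11: WinRM state and the
# Subscription Manager URL the policy wrote (values under this key are named 1, 2, ...).
$subKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$winrm  = (Get-Service -Name WinRM).Status
$subMgr = (Get-ItemProperty -Path $subKey -ErrorAction SilentlyContinue).'1'
$state  = (Get-Service -Name $Service -ErrorAction SilentlyContinue).Status
Write-Output "Sysmon64: $state  WinRM: $winrm  SubscriptionManager: $subMgr"
```

Because the config is only reloaded when its hash changes, editing sysmonconfig-export.xml in SYSVOL is enough to roll a new config out at the next startup without touching the GPO.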