Are you running sysmon? Do you know what it is? Do you know how much it costs? Most of us don’t know the answers to these questions unless we’ve really dived deeply into the logging capabilities of Windows and realized it was lacking something.
What is sysmon?
Sysmon gives us the ability to see everything that’s going on with a Windows desktop or server without purchasing additional tools. If you ask Microsoft what sysmon does, they will tell you…
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Essentially sysmon is Windows logging on steroids. There is a catch though. No, it’s not the price; the price is zero. It’s the configuration of sysmon. Out of the box, it can be loud, and parsing through the data might be difficult for the average IT company.
SwiftOnSecurity to the Rescue!
A few years ago, some very kind souls wanted to help the rest of us out with a configuration file that could be used with sysmon to identify the bad guys and the things they might be doing on your computer. Thank you SwiftOnSecurity!
Sysmon configuration file template with default high-quality event tracing.
If you’re looking at deploying sysmon, I highly suggest using their config or one of the many forks of this project.
How can we deploy this quickly??
If you’d like to quickly get this on your or your client’s environment, I have some good news for you! I’ve worked on a PowerShell script that can help you accomplish this task.
<#
.SYNOPSIS
Install-Sysmon downloads the Sysmon executables archive and installs Sysmon64.exe
with a configuration file. If the Sysmon64 service is already running, only the
configuration file is refreshed.
#>
# A few variables
$ServiceName = 'Sysmon64'
# Get-Service throws if the service does not exist yet, so suppress that error.
$sysmon64installed = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$path = $env:TEMP # This will use the temporary folder for the user running it.
# You may modify this URL to point to where you have your XML config.
$sysmonconfigurl = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'

# Test path and create it if required
if (!(Test-Path $path)) {
    Write-Information -MessageData "Path does not exist. Creating Path..." -InformationAction Continue
    New-Item -ItemType Directory -Force -Path $path | Out-Null
    Write-Information -MessageData "...Complete" -InformationAction Continue
}

# Checking to see if the sysmon64 service is running. If it is, only update the configuration.
if ($sysmon64installed -and $sysmon64installed.Status -eq 'Running') {
    Set-Location $path
    Write-Host "Retrieving and Updating Configuration File..."
    Invoke-WebRequest -Uri $sysmonconfigurl -OutFile sysmonconfig-export.xml
    # Pass the full config path and -Wait so the success message only prints after Sysmon has applied it.
    Start-Process -NoNewWindow -Wait -FilePath "$env:SystemRoot\sysmon64.exe" -ArgumentList "-c `"$path\sysmonconfig-export.xml`""
    Write-Host "Configuration updated!"
    Exit 0
}

Set-Location $path
Write-Host "Location set $path"
Write-Host "Retrieving Sysmon..."
# Clean up leftovers from a previous run so Expand-Archive does not fail.
if (Test-Path $path\Sysmon.zip) {
    Write-Host "Cleaning up old files"
    Remove-Item $path\Sysmon.zip -Force
    Remove-Item $path\Sysmon -Force -Recurse -ErrorAction SilentlyContinue
}
# Force TLS 1.2; Windows PowerShell 5.1 may otherwise negotiate an older protocol and the download fails.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile Sysmon.zip
Write-Host "Sysmon Retrieved"
Write-Host "Unzip Sysmon..."
Expand-Archive Sysmon.zip
Set-Location $path\Sysmon
Write-Host "Unzip Complete."
Write-Host "Retrieving Configuration File..."
Invoke-WebRequest -Uri $sysmonconfigurl -OutFile sysmonconfig-export.xml
Write-Host "Configuration File Retrieved."
Write-Host "Installing Sysmon..."
.\sysmon64.exe -accepteula -i sysmonconfig-export.xml
Write-Host "Sysmon Installed!"
This script can also be found on my github repo.
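The script above fetches a binary and a rule set from the internet and installs them with administrative rights, so it is worth checking what actually arrived and whether Sysmon is logging afterwards. The following is an added example, not part of the original post or of the SwiftOnSecurity project; it assumes the script's `$env:TEMP\Sysmon` layout, and `$ExpectedConfigHash` is a placeholder you replace with the SHA256 of the config revision you reviewed.

```powershell
<#
Added example (not from the original post): verify the files Install-Sysmon
downloaded and confirm Sysmon is running and producing events.
#>
param(
    [string]$Path = $env:TEMP,
    # Placeholder: replace with the SHA256 of the config revision you reviewed.
    [string]$ExpectedConfigHash = '<SHA256-OF-REVIEWED-CONFIG>'
)

# 1. Sysmon64.exe must carry a valid Authenticode signature from Microsoft.
$exe = Join-Path $Path 'Sysmon\Sysmon64.exe'
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Sysmon64.exe signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}
Write-Host "Sysmon64.exe signature OK: $($sig.SignerCertificate.Subject)"

# 2. The downloaded config must match the revision you reviewed, not whatever
#    the URL happens to serve today.
$cfg = Join-Path $Path 'Sysmon\sysmonconfig-export.xml'
$actual = (Get-FileHash -Path $cfg -Algorithm SHA256).Hash
if ($actual -ne $ExpectedConfigHash) {
    throw "Config hash mismatch: expected $ExpectedConfigHash, got $actual"
}
Write-Host "Config hash OK: $actual"

# 3. After install, the service must be running and the Sysmon channel populated.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw 'Sysmon64 service is not running'
}

# Running sysmon64.exe -c with no file prints the configuration currently loaded.
& "$env:SystemRoot\Sysmon64.exe" -c

# Event ID 16 = configuration changed, 1 = process create, 3 = network connect.
$events = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 10 -ErrorAction Stop
$events |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session after Install-Sysmon; an Event ID 16 entry with a recent timestamp confirms the config you hashed is the one Sysmon applied.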