A PowerShell script which helps you in Sysmon Management!
Automate management and maintenance of the Sysmon tool on your Windows systems with PowerShell.
This script helps sysadmins and cyber secuirty analysts deploy and maintain the Sysmon monitoring tool from Sysinternals.
Script distribution must be done via group policy, The script automatically download the Sysmon binaries directly from the official Sysinternals web site and the configuration file from the SwiftOnSecurity template.
- Automatic download of Sysmon executables and configuration file.
- Install Sysmon if it is not installed.
- Upgrade Sysmon if the installed version does not match the latest version.
- Updates Sysmon configuration.
- Automatic control of system architecture (32/64 bit).
- Script activity logging.
It is possible to monitor the script's activities centrally through monitoring systems such as SIEM.
The script automatically creates a registry called "Sysmon Automation", the logs will be recorded within the Application section of the Event Viewer.
Tested on Windows 10 and Windows Server 2016 and later.
Problems may occur in the following cases:
- Outdated versions such as Windows Server 2012/2012 R2 (installation fail).
- Outdated versions such as Windows Server 2008/2008 R2 and earlier (system crash).
- If the OS architecture is 64-bit and the 32-bit version (Sysmon.exe) is already installed.
Modify sysmon-automation.ps1 so that $SysmonConfigURL points to a URL or path reachable by all hosts (e.g. Sysvol/Netlogon folder) containing the configuration file. By default, the script downloads the SwiftOnSecurity template.
# Change the configuration file source as needed
$SysmonConfigURL = "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml"- Open the Group Policy Management Console (
gpmc.msc), create a new GPO, and link it to an Organizational Unit with computers you want to assign the task to; - Go to User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks;
- Create a new scheduled task: New -> Scheduled task (At least Windows 7);
- You will see a form similar to the standard Windows Scheduler task configuration window. Configure the settings of your task;
- On the General tab, set Action =
Create, enter the task name. Change the user to NT AUTHORITY\System. Set it to Run whether user is logged on or not, then set Run with highest privileges. - Navigate to the Triggers tab. Specify the date and time when you want to run the task. Select New -> Begin the task On a schedule -> Daily, and specify the time to start the task;
- On the Actions tab, specify a command or a script you want to run using the Task Scheduler. Configure the following task options:
Action: Start a program
Program/Script:powershell.exe
Add Arguments:-ExecutionPolicy Bypass -File \\yourdomain.internal\Netlogon\Sysmon\sysmon-automation.ps1(change the path according to your infrastructure) - Navigate to the Settings tab. Check Run task as soon as possible after a scheduled start is missed. Then click OK to save the scheduled task.
- Open the Task Scheduler (
taskschd.msc) and make sure that a new task has appeared in the Task Scheduler Library. Make sure that it is run according to the schedule.
-
Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
-
Sysmon Configuration: https://github.com/SwiftOnSecurity/sysmon-config
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Distributed under the MIT License. See LICENSE.txt for more information.