How to install, auto-update and deploy Sysmon automatically using EventSentry's Application Scheduler

Article ID: 437
Category: Application Scheduler
Applies to: 4.1 and later
Updated: 2021-04-23

The System Monitor service & driver ("Sysmon" for short) logs various events - mostly in response to process activity that occurs on a system - to the Microsoft-Windows-Sysmon/Operational event log. Sysmon events are similar to the 4688 and 4689 events logged by Windows to the security event log when a process starts and exits. The events generated by Sysmon are significantly more detailed however, and cover other areas such as network activity, file write activity, and more.

With Sysmon enabled, users can create sophisticated event log filter rules to nefarious activity on their network. Additionally, when enabled in the Processes compliance feature, EventSentry can intercept Sysmon event id 3 which is logged when a process performs an outgoing network connection. This data is correlated with process tracking data collected from the Windows security event log and is available in the web reports. If Sysmon data is available for a process tracking entry, then a black plus icon will be shown next to the PID in the web reports. Network data detected by Sysmon can also be correlated with NetFlow data (if available). More information on EventSentry Sysmon integration can be found here).

This How-To Guide will cover setting up the Application Scheduler, which will run a script at boot time installing Sysmon if it is not already installed. Updating if there is a new version, or pushing new configuration.

Index

  1. Adding the embedded script to use with the Application Scheduler
  2. Creating, configuring & assigning the Application Scheduler package
  3. Saving the configuration

Prerequisites

  • Download Sysmon
  • Extract the files to a shared folder which is accessible on the network (Example: \\192.168.1.10\shared)
  • Ensure that all users have access to that network path (Alternatively, you can specify a user inside the script)
  • [Optional] Add a custom configuration file to the network accessible folder (We provided an example configuration file at the end of this article)
  • [Optional] Add es_sysmon_version.txt file to the network accessible folder for auto-update function

 

1. Adding Embedded script to use with the Application Scheduler

From the EventSentry Management Console, under the "Scripts" Tree menu, click on User (Embedded) (1) and then from the ribbon on top, click ADD (2). From Script Editor Windows, enter Script name (sysmon_chk.cmd in this case) (3) in content, copy-paste the script code attached here (4).

@ECHO off
:: Script to install or update sysmon. Inside the network source installation folder should be a es_sysmon_version.txt
:: Version number format: XX.XX.XXX Example: 13.00.000. First 4 digits are Sysmon version, the last 3 digits is your internal configuration
:: versioning. Increment this number for force new configuration apply to sysmon installations.

:: If files does not exist, script wont update Sysmon
setlocal enableextensions enabledelayedexpansion

:: Uncomment next line and specify IP, Share, Username and Password if you want to specify user access
:: net use \\[IP]\[Shared] /user:SomeDomain\TheUser "Password"

:: Set file server IP
set _server=192.168.1.10
:: Set folder location [Remember to add "\" at the end]
set _shared=\Shared\
:: Set custom configuration file, leave it blank for no custom config. This script will grab the config from the same shared folder of the Sysmon installer
set _customcfg=sysmon.conf
:: Set Temp folder to use
set _tempy=%systemroot%\system32\eventsentry\temp
:: Check if Sysmon service is installed
sc.exe qc Sysmon 2> nul >nul

IF %ERRORLEVEL% == 0 (
    ECHO 32bit Service Installed
    set _os_bitness=32
    GOTO update
) ELSE (
    GOTO Next64
)

:Next64
sc.exe qc Sysmon64 2> nul >nul

IF %ERRORLEVEL% == 0 (
    ECHO 64bit Service Installed
    set _os_bitness=64
    GOTO update
) ELSE (
    GOTO Install
)

:: INSTALLATION
:Install
ECHO No version detected, so installing a fresh one

:: Check OS Architecture for install
Set _os_bitness=64
IF %PROCESSOR_ARCHITECTURE% == x86 (
  ECHO 32 bit platform detected, sysmon not installed, aborting...
  EXIT /b 1
  )

:: Check Install file exist
IF EXIST \\%_server%%_shared%sysmon64.exe GOTO Install2
ECHO Sysmon64.exe [at \\%_server%%_shared%] not found in shared folder or can't access (user/credentials not valid)
EXIT /b 1

:Install2
:: Check if config file is provided
IF "%_customcfg%" == "" GOTO NoConfig
:: Check if config file exist
IF EXIST \\%_server%%_shared%%_customcfg% GOTO WithConfig
ECHO Custom Config File %_customcfg% [at \\%_server%%_shared%] not found in shared folder or can't access [user/credentials not valid]
EXIT /b 1

:NoConfig
copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
%_tempy%\Sysmon64.exe -i -accepteula
DEL %_tempy%\Sysmon64.exe 2>NUL
EXIT /b %errorlevel%

:WithConfig
copy \\%_server%%_shared%%_customcfg% %_tempy% 2>nul >nul
copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
%_tempy%\Sysmon64.exe -i %_tempy%\%_customcfg% -accepteula
DEL %_tempy%\Sysmon64.exe 2>NUL
DEL %_tempy%\%_customcfg% 2>NUL        
EXIT /b %errorlevel%

::UPDATE
:update
IF EXIST \\%_server%%_shared%es_sysmon_version.txt GOTO UPDCont
Echo No es_sysmon_version.txt found at \\%_server%%_shared%. Not Updating. Exiting
EXIT /B 0
:UPDCont
copy \\%_server%%_shared%es_sysmon_version.txt %_tempy% 2>nul >nul
for /f "tokens=1" %%a in ('type %_tempy%\es_sysmon_version.txt') do set _SysVerInsTMP=%%a
set _SysVerIns=%_SysVerInsTMP:~0,5%
set _CFGVer=%_SysVerInsTMP:~6,9%
IF %_os_bitness% == 64 GOTO 64VersionCheck
IF NOT EXIST %SystemRoot%\Sysmon.exe (
             ECHO Sysmon service not installed on standard folder [%SystemRoot%\Sysmon.exe]. Update Cancelled
             EXIT /B 1
)
for /f "tokens=3" %%a in ('%SystemRoot%\Sysmon.exe ^|findstr "System Monitor"') do set _SysVerTMP=%%a
set _SysVerLocal=%_SysVerTMP:~1,5%
GOTO UPDCont1

:64VersionCheck
IF NOT EXIST %SystemRoot%\Sysmon64.exe (
             ECHO Sysmon64 service not installed on standard folder [%SystemRoot%\Sysmon64.exe]. Update Cancelled
             EXIT /B 1
)
for /f "tokens=3" %%a in ('%SystemRoot%\Sysmon64.exe ^|findstr "System Monitor"') do set _SysVerTMP=%%a
set _SysVerLocal=%_SysVerTMP:~1,5%

GOTO UPDCont1

:UPDCont1
:: Query Version
if %_SysVerIns% gtr %_SysVerLocal% (
    echo Sysmon Local version outdated. Updating...
    GOTO UPDCont2
) else (
    echo Sysmon Local version already at latest build [V%_SysVerIns%]
    goto CFGVer
)
:UPDCont2
IF "%_customcfg%" == "" GOTO UPDNoConfig
:: Check if config file exist
IF EXIST \\%_server%%_shared%%_customcfg% GOTO UPDWithConfig
ECHO ERR Updating: Custom Config File %_customcfg% [at \\%_server%%_shared%] not found in shared folder or can't access [user/credentials not valid]
EXIT /b 1

:UPDNoConfig
IF %_os_bitness% == 64 (
    ECHO No config file provided. Updating without config file...
    copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon64.exe -u force 2>nul >nul
    %_tempy%\Sysmon64.exe -i -accepteula
    DEL %_tempy%\Sysmon64.exe 2>NUL
    EXIT /b %errorlevel%
) ELSE (
    ECHO No config file provided. Updating without config file...
    copy \\%_server%%_shared%Sysmon.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon.exe -u force 2>nul >nul
    %_tempy%\Sysmon.exe -i -accepteula
    DEL %_tempy%\Sysmon.exe 2>NUL
    EXIT /b %errorlevel%
)
GOTO EOF
:UPDWithConfig
copy \\%_server%%_shared%%_customcfg% %_tempy% 2>nul >nul
IF %_os_bitness% == 64 (
    ECHO Config file found. Updating with config file...
    copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon64.exe -u force 2>nul >nul
    %_tempy%\Sysmon64.exe -i %_tempy%\%_customcfg% -accepteula
    DEL %_tempy%\Sysmon64.exe 2>NUL
    DEL %_tempy%\%_customcfg% 2>NUL        
    EXIT /b %errorlevel%
) ELSE (
    ECHO Config file found. Updating with config file...
    copy \\%_server%%_shared%Sysmon.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon.exe -u force 2>nul >nul
    %_tempy%\Sysmon.exe -i %_tempy%\%_customcfg% -accepteula
    DEL %_tempy%\Sysmon.exe 2>NUL
    DEL %_tempy%\%_customcfg% 2>NUL            
    EXIT /b %errorlevel%
)
:CFGVer
IF EXIST %_tempy%\es_sysmon_cfg_ver.txt GOTO CFGVerCHK
:: No previous config version tracking found, creating one
ECHO %_CFGVer% >%_tempy%\es_sysmon_cfg_ver.txt
GOTO CFGUpd
:CFGVerCHK
for /f "tokens=1" %%a in ('type %_tempy%\es_sysmon_cfg_ver.txt') do set _SysCFGVer=%%a
if %_CFGVer% GTR %_SysCFGVer% GOTO CFGUpd
ECHO Local Config version Up-To-Date [V%_SysCFGVer%]
EXIT /B 0
:CFGUpd
ECHO Updating SySMon Configuration...
IF EXIST \\%_server%%_shared%%_customcfg% GOTO CFGUpdCont1
ECHO ERR - Config file not found or cant access [\\%_server%%_shared%%_customcfg%]
EXIT /b 1
:CFGUpdCont1
COPY \\%_server%%_shared%%_customcfg% %_tempy% 2>nul >nul
ECHO %_CFGVer% >%_tempy%\es_sysmon_cfg_ver.txt
IF %_os_bitness% == 64 (
     "%SystemRoot%\Sysmon64.exe" -c "%_tempy%\%_customcfg%"
     EXIT /b %errorlevel% 
) ELSE (
     "%SystemRoot%\Sysmon.exe" -c "%_tempy%\%_customcfg%"
     EXIT /b %errorlevel%
)
:EOF

Note: This script will check for access to the shared path and check to see if Sysmon is already an installed service on the host. If not, it will install it. You can specify a custom configuration file to be deployed during the install or update process.

Updating the Sysmon configuration The script will look for the es_sysmon_version.txt file in the shared folder to check the version number. That file must be created and contain the version number in a 9 digit plain version number, for example 13.00.000. The first 4 digits (13.00) are used for the Sysmon version. The last 3 digits (000) will be used for configuration versioning. For example if you want to push a new configuration to all computers, just increment this last number from 000 to 001 and so on. During new installations or the update process the configuration (if it is specified) will be always updated.

Remember to replace the correct information for your network in these two lines: (5)

set _server=192.168.1.10
set _shared=\Software\Sysmon\
set _customcfg=sysmon.conf

Sysmon.exe and Sysmon64.exe should be available in the provided network path.

Click OK (6)

Adding Embedded Script

2. Creating, configuring and assigning the Application Scheduler Package

Now that the Embedded script is created, a "System Health > Application Schedule" Package must be created and assigned to all hosts that need to have Sysmon installed.

Under "Packages," right-click "System Health" (1), and click "Add Package" (2), "Sysmon Check" is used for the package name in this guide. Right-click on the newly created package (3) and then click "Add" (4), then Application Scheduler (5).

Creating Application Scheduler Package

In the "Application Schedule" window, click on "+" (1). In the "Add Application Schedule" window, select "At Boot" (2), or you can schedule a specific time. In the "Process" section, select "sysmon_chk.cmd" from the filename dropdown (the newly created embedded script) (3). Click on OK to finish configuring the new Application Scheduler (4).

Configuring Application Scheduler Package

Assign the newly created package to any computers/servers you want EventSentry to install Sysmon on. To do so, right-click the new package ("Sysmon Check" in this guide) (1) and then click on "Assign" (2). From the "Apply Package To..." window, select the computers/groups that you want to assign this package to., (3) then click OK (4).

Assigning Application Scheduler Package

3. Saving the configuration

From the top menu, click Home (1) and either click the "Save" or "Save & Deploy" icon (2). It may be necessary to manually push the configuration if the collector is not in use. The remote agents usually get the new configuration in a couple of minutes. Once Sysmon is installed on the remote host(s), you'll find the data collected in the web reports under "Network > Processes > Sysmon."

Save Configuration.

Example configuration file

Attached here is a security focused Sysmon configuration file that can be downloaded and used with this script: