How to install & deploy Sysmon automatically using EventSentry's Application Scheduler

Article ID: 437
Category: Application Scheduler
Applies to: 4.1 and later
Updated: 2020-10-07

The System Monitor service & driver ("Sysmon" for short) logs various events - mostly in response to process activity that occurs on a system - to the Microsoft-Windows-Sysmon/Operational event log. Sysmon events are similar to the 4688 and 4689 events logged by Windows to the security event log when a process starts and exits. The events generated by Sysmon are significantly more detailed however, and cover other areas such as network activity, file write activity, and more.

With Sysmon enabled, users can create sophisticated event log filter rules to detect nefarious activity on their network. Additionally, when enabled in the Processes compliance feature, EventSentry can intercept Sysmon event ID 3, which is logged when a process makes an outgoing network connection. This data is correlated with the process tracking data collected from the Windows security event log and is available in the web reports. If Sysmon data is available for a process tracking entry, a black plus icon is shown next to the PID in the web reports. Network data detected by Sysmon can also be correlated with NetFlow data (if available). More information on the EventSentry Sysmon integration can be found here.

This How-To Guide covers setting up the Application Scheduler so that it runs a script at boot time which installs Sysmon if it is not already installed.

Index

  1. Adding the embedded script to use with the Application Scheduler
  2. Creating, configuring & assigning the Application Scheduler package
  3. Saving the configuration

Prerequisites

  • Download Sysmon
  • Extract the files to a shared folder which is accessible on the network (Example: \\192.168.1.10\shared)
  • Ensure that all users have access to that network path (Alternatively, you can specify a user inside the script)


1. Adding the embedded script to use with the Application Scheduler

From the EventSentry Management Console, under the "Scripts" tree menu, click on User (Embedded) (1) and then, from the ribbon on top, click ADD (2). In the Script Editor window, enter the script name (sysmon_chk.cmd in this case) (3) and, in the content area, copy-paste the script code below (4).

@ECHO off
setlocal enableextensions enabledelayedexpansion

:: Uncomment the next line and specify IP, share, username and password if the share requires explicit credentials
:: net use \\[IP]\[Shared] /user:SomeDomain\TheUser "Password"

:: Set file server IP
set _server=192.168.1.10
:: Set folder location (must end with a backslash: the executable name is appended directly to it)
set _shared=\Software\Sysmon\

:: Check if the 32-bit Sysmon service is installed
sc.exe qc Sysmon >nul 2>&1
IF %ERRORLEVEL% == 0 (
    ECHO 32bit Service Installed
    EXIT /b 0
)

:: Check if the 64-bit Sysmon service is installed
sc.exe qc Sysmon64 >nul 2>&1
IF %ERRORLEVEL% == 0 (
    ECHO 64bit Service Installed
    EXIT /b 0
)

:Install
:: Check that the file server answers a ping (parses the English-language ping output)
for /f "tokens=5,6,7" %%a in ('ping -n 1 %_server%') do (
    if "x%%b"=="xunreachable." goto DOWN
    if "x%%a"=="xReceived" if "x%%c"=="x1," goto UP
)

:DOWN
ECHO Server Down.
EXIT /b 1

:UP
:: Check OS architecture for install (32-bit cmd.exe on a 64-bit OS sets PROCESSOR_ARCHITEW6432)
Set _os_bitness=64
IF %PROCESSOR_ARCHITECTURE% == x86 (
    IF NOT DEFINED PROCESSOR_ARCHITEW6432 Set _os_bitness=32
)

:: Check that the installer exists on the share
:: Note: closing parentheses inside a parenthesized block must be escaped with ^ or they end the block
IF %_os_bitness% == 64 (
    IF EXIST \\%_server%%_shared%Sysmon64.exe GOTO Install2
    ECHO Sysmon64.exe [at \\%_server%%_shared%] not found in shared folder or can't access ^(user/credentials not valid^)
    EXIT /b 1
) ELSE (
    IF EXIST \\%_server%%_shared%Sysmon.exe GOTO Install2
    ECHO Sysmon.exe [at \\%_server%%_shared%] not found in shared folder or can't access ^(user/credentials not valid^)
    EXIT /b 1
)

:Install2
:: Copy the installer locally and run it. !errorlevel! (delayed expansion) is required here:
:: %errorlevel% inside a parenthesized block would be expanded before the installer runs
IF %_os_bitness% == 64 (
    copy /Y \\%_server%%_shared%Sysmon64.exe %temp%
    %temp%\Sysmon64.exe -i -accepteula
    EXIT /b !errorlevel!
) ELSE (
    copy /Y \\%_server%%_shared%Sysmon.exe %temp%
    %temp%\Sysmon.exe -i -accepteula
    EXIT /b !errorlevel!
)

Note: This script checks whether Sysmon is already an installed service on the host. If it is not, it checks that the file server is reachable, determines the OS architecture, verifies that the matching installer is accessible on the share, and then runs the respective installer (Sysmon or Sysmon64) to install Sysmon.

Remember to replace the values on these two lines with the correct information for your network: (5)

set _server=192.168.1.10
set _shared=\Software\Sysmon\

Sysmon.exe and Sysmon64.exe should be available in the provided network path. The share path must end with a backslash, since the script appends the executable name directly to it.

Click OK (6)

Adding Embedded Script

2. Creating, configuring and assigning the Application Scheduler Package

Now that the Embedded script is created, a "System Health > Application Schedule" Package must be created and assigned to all hosts that need to have Sysmon installed.

Under "Packages," right-click "System Health" (1) and click "Add Package" (2); "Sysmon Check" is used as the package name in this guide. Right-click on the newly created package (3), click "Add" (4), then Application Scheduler (5).

Creating Application Scheduler Package

In the "Application Schedule" window, click on "+" (1). In the "Add Application Schedule" window, select "At Boot" (2), or you can schedule a specific time. In the "Process" section, select "sysmon_chk.cmd" from the filename dropdown (the newly created embedded script) (3). Click on OK to finish configuring the new Application Scheduler (4).

Configuring Application Scheduler Package

Assign the newly created package to any computers/servers you want EventSentry to install Sysmon on. To do so, right-click the new package ("Sysmon Check" in this guide) (1) and then click on "Assign" (2). From the "Apply Package To..." window, select the computers/groups that you want to assign this package to (3), then click OK (4).

Assigning Application Scheduler Package

3. Saving the configuration

From the top menu, click Home (1) and either click the "Save" or "Save & Deploy" icon (2). It may be necessary to manually push the configuration if the collector is not in use. The remote agents usually get the new configuration in a couple of minutes. Once Sysmon is installed on the remote host(s), you'll find the data collected in the web reports under "Network > Processes > Sysmon."

Save Configuration.
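Before relying on the web reports, it is worth confirming on a target host that the scheduled script actually produced a working Sysmon deployment, and that the event ID 3 data described in the introduction is really being written. The following PowerShell check is an added example for this guide, not EventSentry's or Sysinternals' code. It assumes the default Sysmon service names (Sysmon / Sysmon64), the default driver service name (SysmonDrv) and the default log name, and is meant to be run from an elevated PowerShell prompt on the host. One caveat it is designed to surface: the bare "-i -accepteula" install used by sysmon_chk.cmd applies Sysmon's default rule set, which does not log network connections (event ID 3); that requires Sysmon's -n option or a configuration file, so a host can be correctly installed and still show no ID 3 events.

```powershell
# Post-deployment check for a host that received the "Sysmon Check" package.
# Added example, not EventSentry's or Sysinternals' code. Assumes the default
# Sysmon service names (Sysmon / Sysmon64), the default driver service name
# (SysmonDrv) and the default log name; run from an elevated PowerShell on the host.

$logName = 'Microsoft-Windows-Sysmon/Operational'
$result  = [ordered]@{}

# 1. User-mode service: sysmon_chk.cmd only checks that it is registered (sc qc);
#    here we also require that it is running.
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1
$result.ServiceName  = if ($svc) { $svc.Name } else { '(not installed)' }
$result.ServiceState = if ($svc) { $svc.Status.ToString() } else { 'n/a' }

# 2. Kernel driver: Get-Service does not list drivers, so query Win32_SystemDriver.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'" -ErrorAction SilentlyContinue
$result.DriverState = if ($drv) { $drv.State } else { '(not installed)' }

# 3. Event log: must exist and be enabled, otherwise the agent has nothing to forward.
$log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
$result.LogEnabled = [bool]($log -and $log.IsEnabled)
$result.LogRecords = if ($log) { $log.RecordCount } else { 0 }

# 4. Events written in the last 24 hours, grouped by ID. IDs 1/5 (process create/
#    terminate) are the counterparts of Windows 4688/4689; ID 3 is the
#    network-connection event EventSentry correlates with process tracking data.
$since  = (Get-Date).AddHours(-24)
$recent = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue
$result.EventsByIdLast24h = ($recent | Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ', '

# 5. Show the fields of the most recent ID 3 events, read by name from the event XML
#    rather than by positional index, which is fragile across Sysmon versions.
$netEvents = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 3 } -MaxEvents 5 -ErrorAction SilentlyContinue
$result.NetworkSamples = foreach ($e in $netEvents) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ProcessId   = $data['ProcessId']
        Image       = $data['Image']
        Destination = '{0}:{1}' -f $data['DestinationIp'], $data['DestinationPort']
        Protocol    = $data['Protocol']
    }
}

[pscustomobject]$result | Format-List
```

If ServiceState and DriverState both read Running and LogEnabled is True but EventsByIdLast24h contains no "3=" entry, the install succeeded and the missing piece is the Sysmon configuration, not the Application Scheduler package.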