The System Monitor service and driver ("Sysmon" for short) logs various events, mostly in response to process activity on a system, to the Microsoft-Windows-Sysmon/Operational event log. Sysmon events are similar to the 4688 and 4689 events that Windows logs to the Security event log when a process starts and exits. However, the events generated by Sysmon are significantly more detailed and cover other areas such as network activity, file write activity, and more.
With Sysmon enabled, users can create sophisticated event log filter rules to detect nefarious activity on their network. Additionally, when enabled in the Processes compliance feature, EventSentry can intercept Sysmon event ID 3, which is logged when a process makes an outgoing network connection. This data is correlated with process tracking data collected from the Windows Security event log and is available in the web reports. If Sysmon data is available for a process tracking entry, a black plus icon is shown next to the PID in the web reports. Network data detected by Sysmon can also be correlated with NetFlow data (if available). More information on the EventSentry Sysmon integration can be found here.
This How-To Guide covers setting up the Application Scheduler to run a script at boot time that installs Sysmon if it is not already installed, updates it if a new version is available, and pushes a new configuration when one is published.
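The Sysmon event ID 3 records mentioned above can be inspected directly on a host before (or independently of) EventSentry's correlation. The following PowerShell is an added example written for this guide, not EventSentry or Sysinternals code: it pulls recent event ID 3 entries from the Microsoft-Windows-Sysmon/Operational log, extracts the EventData fields Sysmon writes (Image, ProcessId, DestinationIp, DestinationPort, Initiated), and summarises outbound connections per process image. The $ThresholdPerImage value is an assumed review threshold, not a Sysmon or EventSentry setting.

```powershell
# Added example: summarise Sysmon event ID 3 (network connection) records per process image.
# Requires Sysmon to be installed and a shell with rights to read the Sysmon operational log.
param(
    [int]$MaxEvents = 500,          # how many recent event ID 3 records to pull
    [int]$ThresholdPerImage = 20    # assumption: flag an image once it has this many distinct destinations
)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 3
} -MaxEvents $MaxEvents -ErrorAction Stop

# Sysmon stores each field as a <Data Name="..."> element under EventData.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time            = $e.TimeCreated
        ProcessId       = [int]$data['ProcessId']      # the PID the web reports correlate on
        Image           = $data['Image']
        User            = $data['User']
        Protocol        = $data['Protocol']
        SourceIp        = $data['SourceIp']
        DestinationIp   = $data['DestinationIp']
        DestinationPort = [int]$data['DestinationPort']
        Initiated       = $data['Initiated']           # 'true' for outbound, 'false' for inbound
    }
}

# Keep outbound connections only, then count connections and distinct destinations per image.
$summary = $rows |
    Where-Object { $_.Initiated -eq 'true' } |
    Group-Object Image |
    ForEach-Object {
        $dests = @($_.Group | Select-Object -ExpandProperty DestinationIp -Unique)
        [pscustomobject]@{
            Image        = $_.Name
            Connections  = $_.Count
            Destinations = $dests.Count
            Ports        = ($_.Group.DestinationPort | Sort-Object -Unique) -join ','
            Flag         = if ($dests.Count -ge $ThresholdPerImage) { 'REVIEW' } else { '' }
        }
    } |
    Sort-Object Destinations -Descending

$summary | Format-Table -AutoSize
```

Run it elevated on a host that already has Sysmon; the Image/ProcessId pairs in the output are the same values EventSentry attaches to process tracking entries, so a flagged row is a natural starting point for the "Network > Processes > Sysmon" report.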
From the EventSentry Management Console, under the "Scripts" tree menu, click on User (Embedded) (1) and then, from the ribbon on top, click ADD (2). In the Script Editor window, enter the script name (sysmon_chk.cmd in this guide) (3) and, in the content area, paste the script code attached here (4).
Note: You can also grab the script from our GitHub repository here.
```batch
@ECHO off
:: Script to install or update Sysmon. The network source installation folder should contain an es_sysmon_version.txt
:: Version number format: XX.XX.XXX Example: 13.00.000. The first 4 digits are the Sysmon version, the last 3 digits are your internal
:: configuration version. Increment this number to force a new configuration to be applied to existing Sysmon installations.
:: If the file does not exist, the script won't update Sysmon.
setlocal enableextensions enabledelayedexpansion

:: Uncomment the next two lines and specify IP, share, username and password if you want to connect with specific credentials
:: net use \\192.168.1.20\tools\sysmon /d
:: net use \\192.168.1.20\tools\sysmon "1Xp5zx45fZ214BxAjeZFdWIV" /user:yourdomain\eventsentry_sysmon

:: Set file server IP
set _server=192.168.1.20
:: Set folder location [Remember to add "\" at the end]
set _shared=\tools\sysmon\
:: Set custom configuration file, leave it blank for no custom config. This script grabs the config from the same shared folder as the Sysmon installer
set _customcfg=sysmon.conf
:: Set temp folder to use
set _tempy=%systemroot%\system32\eventsentry\temp

:: Check if the Sysmon service is installed
sc.exe qc Sysmon 2>nul >nul
IF %ERRORLEVEL% == 0 (
    ECHO 32bit Service Installed
    set _os_bitness=32
    GOTO update
) ELSE (
    GOTO Next64
)

:Next64
sc.exe qc Sysmon64 2>nul >nul
IF %ERRORLEVEL% == 0 (
    ECHO 64bit Service Installed
    set _os_bitness=64
    GOTO update
) ELSE (
    GOTO Install
)

:: INSTALLATION
:Install
ECHO No version detected, so installing a fresh one
:: Check OS architecture for install
Set _os_bitness=64
IF %PROCESSOR_ARCHITECTURE% == x86 (
    ECHO 32 bit platform detected, sysmon not installed, aborting...
    EXIT /b 1
)
:: Check that the install file exists
IF EXIST \\%_server%%_shared%sysmon64.exe GOTO Install2
ECHO Sysmon64.exe [at \\%_server%%_shared%] not found in shared folder or can't access (user/credentials not valid)
EXIT /b 1

:Install2
:: Check if a config file is provided
IF "%_customcfg%" == "" GOTO NoConfig
:: Check if the config file exists
IF EXIST \\%_server%%_shared%%_customcfg% GOTO WithConfig
ECHO Custom Config File %_customcfg% [at \\%_server%%_shared%] not found in shared folder or can't access [user/credentials not valid]
EXIT /b 1

:NoConfig
copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
%_tempy%\Sysmon64.exe -i -accepteula
DEL %_tempy%\Sysmon64.exe 2>NUL
EXIT /b %errorlevel%

:WithConfig
copy \\%_server%%_shared%%_customcfg% %_tempy% 2>nul >nul
copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
%_tempy%\Sysmon64.exe -i %_tempy%\%_customcfg% -accepteula
DEL %_tempy%\Sysmon64.exe 2>NUL
DEL %_tempy%\%_customcfg% 2>NUL
EXIT /b %errorlevel%

:: UPDATE
:update
IF EXIST \\%_server%%_shared%es_sysmon_version.txt GOTO UPDCont
Echo No es_sysmon_version.txt found at \\%_server%%_shared%. Not Updating. Exiting
EXIT /B 0

:UPDCont
copy \\%_server%%_shared%es_sysmon_version.txt %_tempy% 2>nul >nul
for /f "tokens=1" %%a in ('type %_tempy%\es_sysmon_version.txt') do set _SysVerInsTMP=%%a
:: "13.00.000" -> Sysmon version "13.00" and config version "000"
set _SysVerIns=%_SysVerInsTMP:~0,5%
set _CFGVer=%_SysVerInsTMP:~6,9%
IF %_os_bitness% == 64 GOTO 64VersionCheck
IF NOT EXIST %SystemRoot%\Sysmon.exe (
    ECHO Sysmon service not installed on standard folder [%SystemRoot%\Sysmon.exe]. Update Cancelled
    EXIT /B 1
)
:: The installed binary prints "System Monitor vXX.XX - ..." in its banner; token 3 is "vXX.XX"
for /f "tokens=3" %%a in ('%SystemRoot%\Sysmon.exe ^|findstr "System Monitor"') do set _SysVerTMP=%%a
set _SysVerLocal=%_SysVerTMP:~1,5%
GOTO UPDCont1

:64VersionCheck
IF NOT EXIST %SystemRoot%\Sysmon64.exe (
    ECHO Sysmon64 service not installed on standard folder [%SystemRoot%\Sysmon64.exe]. Update Cancelled
    EXIT /B 1
)
for /f "tokens=3" %%a in ('%SystemRoot%\Sysmon64.exe ^|findstr "System Monitor"') do set _SysVerTMP=%%a
set _SysVerLocal=%_SysVerTMP:~1,5%
GOTO UPDCont1

:UPDCont1
:: Compare the version on the share with the installed one
if %_SysVerIns% gtr %_SysVerLocal% (
    echo Sysmon local version outdated. Updating...
    GOTO UPDCont2
) else (
    echo Sysmon local version already at latest build [V%_SysVerIns%]
    goto CFGVer
)

:UPDCont2
IF "%_customcfg%" == "" GOTO UPDNoConfig
:: Check if the config file exists
IF EXIST \\%_server%%_shared%%_customcfg% GOTO UPDWithConfig
ECHO ERR Updating: Custom Config File %_customcfg% [at \\%_server%%_shared%] not found in shared folder or can't access [user/credentials not valid]
EXIT /b 1

:: Inside parenthesised blocks, %errorlevel% would be expanded when the block is parsed,
:: so the delayed-expansion form !errorlevel! is used to return Sysmon's real exit code.
:UPDNoConfig
IF %_os_bitness% == 64 (
    ECHO No config file provided. Updating without config file...
    copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon64.exe -u force 2>nul >nul
    %_tempy%\Sysmon64.exe -i -accepteula
    DEL %_tempy%\Sysmon64.exe 2>NUL
    EXIT /b !errorlevel!
) ELSE (
    ECHO No config file provided. Updating without config file...
    copy \\%_server%%_shared%Sysmon.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon.exe -u force 2>nul >nul
    %_tempy%\Sysmon.exe -i -accepteula
    DEL %_tempy%\Sysmon.exe 2>NUL
    EXIT /b !errorlevel!
)
GOTO EOF

:UPDWithConfig
copy \\%_server%%_shared%%_customcfg% %_tempy% 2>nul >nul
IF %_os_bitness% == 64 (
    ECHO Config file found. Updating with config file...
    copy \\%_server%%_shared%Sysmon64.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon64.exe -u force 2>nul >nul
    %_tempy%\Sysmon64.exe -i %_tempy%\%_customcfg% -accepteula
    DEL %_tempy%\Sysmon64.exe 2>NUL
    DEL %_tempy%\%_customcfg% 2>NUL
    EXIT /b !errorlevel!
) ELSE (
    ECHO Config file found. Updating with config file...
    copy \\%_server%%_shared%Sysmon.exe %_tempy% 2>nul >nul
    %_tempy%\Sysmon.exe -u force 2>nul >nul
    %_tempy%\Sysmon.exe -i %_tempy%\%_customcfg% -accepteula
    DEL %_tempy%\Sysmon.exe 2>NUL
    DEL %_tempy%\%_customcfg% 2>NUL
    EXIT /b !errorlevel!
)

:CFGVer
:: Nothing to push when no custom config is configured
IF "%_customcfg%" == "" EXIT /B 0
IF EXIST %_tempy%\es_sysmon_cfg_ver.txt GOTO CFGVerCHK
:: No previous config version tracking found, creating one
ECHO %_CFGVer% >%_tempy%\es_sysmon_cfg_ver.txt
GOTO CFGUpd

:CFGVerCHK
for /f "tokens=1" %%a in ('type %_tempy%\es_sysmon_cfg_ver.txt') do set _SysCFGVer=%%a
if %_CFGVer% GTR %_SysCFGVer% GOTO CFGUpd
ECHO Local Config version Up-To-Date [V%_SysCFGVer%]
EXIT /B 0

:CFGUpd
ECHO Updating Sysmon Configuration...
IF EXIST \\%_server%%_shared%%_customcfg% GOTO CFGUpdCont1
ECHO ERR - Config file not found or can't access [\\%_server%%_shared%%_customcfg%]
EXIT /b 1

:CFGUpdCont1
COPY \\%_server%%_shared%%_customcfg% %_tempy% 2>nul >nul
ECHO %_CFGVer% >%_tempy%\es_sysmon_cfg_ver.txt
IF %_os_bitness% == 64 (
    "%SystemRoot%\Sysmon64.exe" -c "%_tempy%\%_customcfg%"
    EXIT /b !errorlevel!
) ELSE (
    "%SystemRoot%\Sysmon.exe" -c "%_tempy%\%_customcfg%"
    EXIT /b !errorlevel!
)

:EOF
:: Dismounting (only needed if the net use lines at the top were uncommented)
:: net use \\192.168.1.20\tools\sysmon /d
```
Note: This script will check for access to the shared path and check to see if Sysmon is already an installed service on the host. If not, it will install it. You can specify a custom configuration file to be deployed during the install or update process.
Updating the Sysmon configuration
The script looks for the es_sysmon_version.txt file in the shared folder to check the version number. That file must be created and contain the version as a plain 9 digit version number, for example 13.00.000. The first 4 digits (13.00) are used for the Sysmon version. The last 3 digits (000) are used for configuration versioning: to push a new configuration to all computers, increment this last number from 000 to 001 and so on. During new installations and during the update process, the configuration (if one is specified) is always applied.
Remember to replace the correct information for your network in these two lines: (5)
set _server=192.168.1.10
set _shared=\Software\Sysmon\
set _customcfg=sysmon.conf
Sysmon.exe and Sysmon64.exe should be available in the provided network path.
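Because sysmon_chk.cmd runs at boot as the EventSentry agent and executes whatever Sysmon64.exe it finds on the share, it is worth validating the share contents before the first deployment. The PowerShell below is an added example for this guide, not EventSentry code: it parses es_sysmon_version.txt with the same XX.XX / XXX split the script uses, reads the locally installed Sysmon version from the same "System Monitor vXX.XX" banner the script greps, and checks that the installer on the share carries a valid Authenticode signature from Microsoft. The share path reuses the guide's example values and the pinned SHA-256 is an optional placeholder you fill in when staging the binary; both are assumptions.

```powershell
# Added example: pre-flight check of the share used by sysmon_chk.cmd.
# Assumptions: $Share matches your "set _server" / "set _shared" values; $PinnedSha256 is optional.
param(
    [string]$Share        = '\\192.168.1.10\Software\Sysmon\',   # placeholder: the guide's example server and folder
    [string]$Installer    = 'Sysmon64.exe',
    [string]$PinnedSha256 = ''                                   # optional: SHA-256 recorded when the binary was staged
)

function Parse-EsSysmonVersion {
    # "13.00.000" -> Sysmon version 13.00 and config revision 000, the split the batch script relies on.
    param([string]$Text)
    if ($Text.Trim() -notmatch '^(\d{2}\.\d{2})\.(\d{3})$') {
        throw "es_sysmon_version.txt must contain XX.XX.XXX (got '$($Text.Trim())')"
    }
    return @{ Sysmon = [version]$Matches[1]; Config = [int]$Matches[2] }
}

function Get-LocalSysmonVersion {
    # Same source as the script: the "System Monitor vXX.XX" banner of the installed binary.
    $exe = Join-Path $env:SystemRoot 'Sysmon64.exe'
    if (-not (Test-Path $exe)) { $exe = Join-Path $env:SystemRoot 'Sysmon.exe' }
    if (-not (Test-Path $exe)) { return $null }
    $m = (& $exe 2>&1 | Out-String) | Select-String 'System Monitor v(\d+\.\d+)'
    if (-not $m) { return $null }
    return [version]$m.Matches[0].Groups[1].Value
}

$wanted = Parse-EsSysmonVersion (Get-Content (Join-Path $Share 'es_sysmon_version.txt') -Raw)
$local  = Get-LocalSysmonVersion
$localText = if ($local) { "$local" } else { 'not installed' }
"Share publishes Sysmon $($wanted.Sysmon), config revision $($wanted.Config); local Sysmon: $localText"
if ($local -and $wanted.Sysmon -gt $local) { "sysmon_chk.cmd would upgrade the Sysmon binary on next run" }

# Verify the installer the script will copy and execute as SYSTEM.
$path = Join-Path $Share $Installer
$sig  = Get-AuthenticodeSignature -FilePath $path
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
$ok   = $true

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature on $path is '$($sig.Status)'"; $ok = $false
} elseif ($sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
    Write-Warning "Unexpected signer on $path : $($sig.SignerCertificate.Subject)"; $ok = $false
}
if ($PinnedSha256 -and $hash -ne $PinnedSha256.ToUpper()) {
    Write-Warning "SHA-256 $hash does not match the pinned value"; $ok = $false
}

"Installer SHA-256: $hash"
if ($ok) { "Share contents look consistent; safe to assign the Sysmon Check package." }
else     { Write-Error "Fix the share contents before deploying sysmon_chk.cmd."; exit 1 }
```

Run it once from an administrative PowerShell on a host that can reach the share; it exits non-zero when the version file is malformed or the installer is unsigned, altered, or signed by someone other than Microsoft, which are exactly the cases the batch script itself does not check for.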
Click OK (6)
Adding Embedded Script
Now that the Embedded script is created, a "System Health > Application Schedule" Package must be created and assigned to all hosts that need to have Sysmon installed.
Under "Packages," right-click "System Health" (1), and click "Add Package" (2), "Sysmon Check" is used for the package name in this guide. Right-click on the newly created package (3) and then click "Add" (4), then Application Scheduler (5).
Creating Application Scheduler Package
In the "Application Schedule" window, click on "+" (1). In the "Add Application Schedule" window, select "At Boot" (2), or you can schedule a specific time. In the "Process" section, select "sysmon_chk.cmd" from the filename dropdown (the newly created embedded script) (3). Click on OK to finish configuring the new Application Scheduler (4).
Configuring Application Scheduler Package
Assign the newly created package to any computers/servers you want EventSentry to install Sysmon on. To do so, right-click the new package ("Sysmon Check" in this guide) (1) and then click on "Assign" (2). From the "Apply Package To..." window, select the computers/groups that you want to assign this package to (3), then click OK (4).
Assigning Application Scheduler Package
From the top menu, click Home (1) and either click the "Save" or "Save & Deploy" icon (2). It may be necessary to manually push the configuration if the collector is not in use. The remote agents usually get the new configuration in a couple of minutes. Once Sysmon is installed on the remote host(s), you'll find the data collected in the web reports under "Network > Processes > Sysmon."
Save Configuration.
Attached here is a security focused Sysmon configuration file that can be downloaded and used with this script: