
Deploying Sysmon through GPO


Files needed:

Sysmon

You can download sysmon using this link: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon Config

You can find the sysmon config here: https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml

Deploy_sysmon bat file

We will be using a bat file that installs Sysmon on the workstation. Below is the script; later we will edit it to point at our own share.

copy /z /y "\\domain.com\apps\config.xml" "C:\"
copy /z /y "\\domain.com\apps\config.xml" "C:\"
REM Push the config to an existing install. On a machine without Sysmon this
REM fails harmlessly and the install step below takes care of it.
sysmon -c c:\windows\config.xml

REM Is the service already running? find sets ERRORLEVEL 1 when "RUNNING" is absent.
sc query "Sysmon" | find "RUNNING"
if %ERRORLEVEL% NEQ 0 (
    goto startsysmon
)
REM Already running: nothing more to do.
goto end

:startsysmon
REM Service exists but is stopped: start it. If it does not exist, sc returns a
REM non-zero Win32 error code (1060 for a missing service), so compare against 0.
sc start Sysmon
if %ERRORLEVEL% NEQ 0 (
    goto installsysmon
)
REM Started fine: no install needed.
goto end

:installsysmon
"c:\sysmon.exe" /accepteula -i c:\sysmonconfig.xml

:end

or you can check the following link: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/

This is what you should have:

Create a User Group

Open Server Manager -> Active Directory Users and Computers. Right click on Users -> New -> Group and name it anything you want. I will name mine auto-tool. After the group is created, right click it and go to Properties.

Once you're in the Properties panel, click on Members and click Add. What we are trying to do is add our workstation to the group, so click on Object Types and select only "Computers". Now enter the computer name and click Apply.


Side note: You can find the name of your computer by opening the command line and typing hostname.

Share the folder

Right click on the Sysmon folder (the one holding sysmon.exe and sysmonconfig.xml) and click on Properties. Click on Sharing and click Share… Then click on "Find People" and type the name of the group we just created.


Now the group should appear in the list below Administrator; click Share.

Next we will click on "Advanced Sharing" -> Share this folder -> Permissions -> Add -> add the group we just created -> Remove Everyone -> Apply -> OK
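To confirm the share ended up the way this section intends (only the computer group, read access only, Everyone removed), here is an added PowerShell check. It is not part of the original post; it assumes the share is named Sysmon and the group is MONOCHIP\auto-tool, as in this walkthrough, and is run on the server that hosts the share.

```powershell
# Added example, not from the original post. Assumed names: share "Sysmon",
# computer group "MONOCHIP\auto-tool" (the walkthrough's names; adjust to yours).
$ShareName = 'Sysmon'
$Group     = 'MONOCHIP\auto-tool'

$acl = Get-SmbShareAccess -Name $ShareName

# Everyone should no longer appear on the share ACL at all.
$everyone = $acl | Where-Object { $_.AccountName -eq 'Everyone' }
if ($everyone) {
    Write-Warning "Share '$ShareName' still grants $($everyone.AccessRight) to Everyone; remove it."
}

# The workstations only need to copy two files, so the group gets Read and
# nothing more: every machine later runs sysmon.exe from this share as SYSTEM,
# so write access on the share is a supply-chain risk for the whole fleet.
$entry = $acl | Where-Object { $_.AccountName -eq $Group }
if (-not $entry) {
    Write-Warning "Group '$Group' has no entry on share '$ShareName'."
} elseif ($entry.AccessControlType -ne 'Allow' -or $entry.AccessRight -ne 'Read') {
    Write-Warning "Group '$Group' has $($entry.AccessRight) on '$ShareName'; expected Read."
} else {
    Write-Output "Share '$ShareName': '$Group' has Read only and Everyone is gone. OK."
}

# Share permissions and NTFS permissions are evaluated together, so also list
# what the NTFS ACL on the shared folder grants to the group.
$folder = (Get-SmbShare -Name $ShareName).Path
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it after the "Advanced Sharing" step; a clean result is the single OK line plus an NTFS entry for the group that contains no write rights.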

Edit our Script

This is our original script:

copy /z /y "\\domain.com\apps\config.xml" "C:\"
copy /z /y "\\domain.com\apps\config.xml" "C:\"
REM Push the config to an existing install. On a machine without Sysmon this
REM fails harmlessly and the install step below takes care of it.
sysmon -c c:\windows\config.xml

REM Is the service already running? find sets ERRORLEVEL 1 when "RUNNING" is absent.
sc query "Sysmon" | find "RUNNING"
if %ERRORLEVEL% NEQ 0 (
    goto startsysmon
)
REM Already running: nothing more to do.
goto end

:startsysmon
REM Service exists but is stopped: start it. If it does not exist, sc returns a
REM non-zero Win32 error code (1060 for a missing service), so compare against 0.
sc start Sysmon
if %ERRORLEVEL% NEQ 0 (
    goto installsysmon
)
REM Started fine: no install needed.
goto end

:installsysmon
"c:\sysmon.exe" /accepteula -i c:\sysmonconfig.xml

:end

Here are the changes (DOMAIN-NAME is the server hosting the share; mine is MONOCHIP-DC1):

On the first copy line, replace "\\domain.com\apps\config.xml" with "\\DOMAIN-NAME\Sysmon\sysmonconfig.xml".
On the second copy line, replace "\\domain.com\apps\config.xml" with "\\DOMAIN-NAME\Sysmon\sysmon.exe"; the destination "C:\" stays.
On the sysmon -c line, replace c:\windows\config.xml with c:\sysmonconfig.xml.

This is what you should have:

copy /z /y "\\MONOCHIP-DC1\Sysmon\sysmonconfig.xml" "C:\"
copy /z /y "\\MONOCHIP-DC1\Sysmon\sysmon.exe" "C:\"
REM Push the (possibly updated) config to an existing install. On a machine
REM without Sysmon this fails harmlessly and the install step below runs.
sysmon -c c:\sysmonconfig.xml

REM Is the service already running? find sets ERRORLEVEL 1 when "RUNNING" is absent.
sc query "Sysmon" | find "RUNNING"
if %ERRORLEVEL% NEQ 0 (
    goto startsysmon
)
REM Already running: nothing more to do.
goto end

:startsysmon
REM Service exists but is stopped: start it. If it does not exist, sc returns a
REM non-zero Win32 error code (1060 for a missing service), so compare against 0.
sc start Sysmon
if %ERRORLEVEL% NEQ 0 (
    goto installsysmon
)
REM Started fine: no install needed.
goto end

:installsysmon
"c:\sysmon.exe" /accepteula -i c:\sysmonconfig.xml

:end

Create a GPO

In Server Manager -> Tools -> Group Policy Management. Right click on our domain and click on "Create a GPO in this domain, and Link it here…". It will ask you for a name for the GPO. I will name mine "DeploySysmon".

Once we have created the GPO, we turn our attention to "Security Filtering": click "Add" and put in the group we just created, so the policy applies only to the workstations in that group.


Edit the GPO

Now, let's right click on the GPO and click Edit. Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7). Now copy your task just like what I have.


Now, let's go to the "Triggers" section -> New. Copy the settings that I have.


Now, let's move to Actions. Click New. Under Program/script, copy this path but change the server name to your own: \\MONOCHIP-DC1\Sysmon\sysmon.exe

You should have something like this:

Let’s move on to Settings. Copy the settings below.

Now click Apply -> Ok. You should see a task created.

Moving to Client-Side

On the workstation, I’m going to login as the Domain Admin.

In the command line, let's type gpupdate /force. Then restart the workstation.

After the workstation has restarted, I will log in as the Domain Admin again.

Once we log in, we will use the search tab and search for Task Scheduler. You should see the task that we created.

On the bottom right, you should see a Run button. Click the Run button and it will start the task.
After you run the task, Sysmon should be installed on the device. To make sure Sysmon is installed, you can execute the following command: `sc query sysmon`.

Expected result:
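Beyond `sc query sysmon`, a practitioner usually wants to confirm that the GPO task arrived, that both the service and the kernel driver are up, that events are actually being written, and that the running config is the one that was copied. The following PowerShell check is an added example and not part of the original post; the task name DeploySysmon is a placeholder (the post does not state the task's name), and it assumes the config sits at C:\sysmonconfig.xml as the script leaves it. Run it on the workstation.

```powershell
# Added example, not from the original post. Assumptions: "DeploySysmon" is a
# placeholder task name, and the config was copied to C:\sysmonconfig.xml.
$TaskName   = 'DeploySysmon'
$ConfigPath = 'C:\sysmonconfig.xml'

# 1. The scheduled task pushed by the GPO preference exists on this machine.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    Write-Output ("Task '{0}': state={1}, last run={2}, last result=0x{3:X}" -f $TaskName, $task.State, $info.LastRunTime, $info.LastTaskResult)
} else {
    Write-Warning "Task '$TaskName' not found; check gpresult /r to see whether the GPO applied."
}

# 2. The user-mode service and the kernel driver are both running. Get-Service
#    does not list drivers, so the driver is read through Win32_SystemDriver.
$svc = Get-Service -Name Sysmon -ErrorAction SilentlyContinue
if ($svc) { Write-Output "Sysmon service: $($svc.Status)" } else { Write-Warning 'Sysmon service not installed' }
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
if ($drv) { Write-Output "SysmonDrv driver: $($drv.State)" } else { Write-Warning 'SysmonDrv driver not installed' }

# 3. Events are actually being written: Event ID 1 is process creation, so a
#    healthy install shows recent entries in the operational channel.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, ProviderName
} else {
    Write-Warning 'No Sysmon process-creation events found yet.'
}

# 4. The loaded configuration should be the file we copied: 'sysmon -c' with no
#    file argument prints the running config, including the config file path
#    and its hash, which can be compared with the hash of the file on disk.
$diskHash = (Get-FileHash -Path $ConfigPath -Algorithm SHA256).Hash
Write-Output "SHA256 of $ConfigPath : $diskHash"
sysmon -c | Select-String -Pattern 'Config'
```

If step 1 fails while steps 2 to 4 pass, Sysmon was installed some other way and the GPO itself is not applying; if step 3 shows nothing after a few minutes of normal use, the config's filters are likely dropping everything and the XML deserves a look.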