26 Dec 2024 5 min read

Deploying Sysmon via GPO

While I explained in my previous article how to collect Windows Event Logs which already provide some valuable insights, it is fair to say that they often lack the depth needed for effective threat detection and analysis. This is why deploying Sysmon is the next step in advanced threat hunting.

Sysmon Overview

Sysmon is both a Windows system service and a driver from Microsoft SysInternals that monitors and logs detailed system activity, such as process creation, network connections, and file creation time changes, even across reboots. Events are logged in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational which you can view in the EventViewer.

Sysmon uses a configuration file to define how events are analyzed. High-quality configurations, like those from SwiftOnSecurity or the ION-Storm fork, can be readily downloaded and used out of the box. By examining the configuration file, you can see how each event is captured, including the criteria for inclusion or exclusion to minimize noise and prioritize relevant data. Sysmon supports 29 distinct Event IDs, each representing a specific event type, allowing for flexible and customizable monitoring strategies.

Deployment Overview

The deployment consists of the following components:

Network Share - A centralised network folder accessible by all machines that are going to be running Sysmon is needed. The sysvol directory is recommended as it has by default very restricted write permissions. It is extremely important that the folder content cannot be modified by users, hence recommending Sysvol folder.
- Sysmon64.exe - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- sigcheck64.exe - https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
- sysmon.xml - Using the SwiftOnSecurity or ION-Storm XML
- install_sysmon.ps1

$fqdn = (Get-WmiObject Win32_ComputerSystem).Domain

$SYSMONDIR = "C:\windows\sysmon"
$SYSMONBIN = "Sysmon64.exe"
$SYSMONCONF = "sysmon.xml"
$SIGCHECK = "sigcheck64.exe"

$GLBSYSMONBIN = "\\$fqdn\sysvol\$fqdn\Sysmon\$SYSMONBIN"
$GLBSYSMONCONFIG = "\\$fqdn\sysvol\$fqdn\Sysmon\$SYSMONCONF"
$GLBSIGCHECK = "\\$fqdn\sysvol\$fqdn\Sysmon\$SIGCHECK"

$continue = $true

while ($continue) {
    $sysmonStatus = Get-Service -Name "Sysmon64" -ErrorAction SilentlyContinue
    if ($sysmonStatus.Status -ne 'Running') {
        if ($sysmonStatus -eq $null) {
            if (!(Test-Path -Path $SYSMONDIR)) {
                New-Item -ItemType Directory -Path $SYSMONDIR
            }
            Copy-Item -Path $GLBSYSMONBIN -Destination $SYSMONDIR -Force
            Copy-Item -Path $GLBSYSMONCONFIG -Destination $SYSMONDIR -Force
            Copy-Item -Path $GLBSIGCHECK -Destination $SYSMONDIR -Force
            Set-Location -Path $SYSMONDIR
            & .\$SYSMONBIN -i $SYSMONCONF -accepteula
            Set-Service -Name "Sysmon64" -StartupType Automatic
        } else {
            Start-Service -Name "Sysmon64"
        }
    } 
    
    Set-Location -Path $SYSMONDIR
    Remove-Item -Path "$SYSMONDIR\*.txt" -Force -ErrorAction SilentlyContinue
    if (!(Test-Path -Path $SIGCHECK)) {
        Copy-Item -Path $GLBSIGCHECK -Destination $SYSMONDIR -Force
    }
    & .\$SIGCHECK -n -nobanner /accepteula $SYSMONBIN > "$SYSMONDIR\runningver.txt"
    & .\$SIGCHECK -n -nobanner /accepteula $GLBSYSMONBIN > "$SYSMONDIR\latestver.txt"
    $runningver = Get-Content "$SYSMONDIR\runningver.txt"
    $latestver = Get-Content "$SYSMONDIR\latestver.txt"
    Write-Host "Currently running sysmon: $runningver"
    Write-Host "Latest sysmon is: $latestver at $GLBSYSMONBIN"
    
    if ($runningver -ne $latestver) {
        Set-Location -Path $SYSMONDIR
        & .\$SYSMONBIN -u
        if (!(Test-Path -Path $SYSMONDIR)) {
            New-Item -ItemType Directory -Path $SYSMONDIR
        }
        Copy-Item -Path $GLBSYSMONBIN -Destination $SYSMONDIR -Force
        Copy-Item -Path $GLBSYSMONCONFIG -Destination $SYSMONDIR -Force
        Copy-Item -Path $GLBSIGCHECK -Destination $SYSMONDIR -Force
        Set-Location -Path $SYSMONDIR
        & .\$SYSMONBIN -i $SYSMONCONF -accepteula
        Set-Service -Name "Sysmon64" -StartupType Automatic
    } else {
        Remove-Item -Path "runningconfver.txt", "latestconfver.txt" -Force -ErrorAction SilentlyContinue
        if (!(Test-Path -Path $SIGCHECK)) {
            Copy-Item -Path $GLBSIGCHECK -Destination $SYSMONDIR -Force
        }
        & .\$SIGCHECK -h -c -nobanner /accepteula $SYSMONCONF > "$SYSMONDIR\runningconfver.txt"
        & .\$SIGCHECK -h -c -nobanner /accepteula $GLBSYSMONCONFIG > "$SYSMONDIR\latestconfver.txt"
        $runningconfver = (Get-Content "$SYSMONDIR\runningconfver.txt" | Select-Object -Skip 1 | Select-Object -First 1).Split(",")[10]
        $latestconfver = (Get-Content "$SYSMONDIR\latestconfver.txt" | Select-Object -Skip 1 | Select-Object -First 1).Split(",")[10]
        
        if ($runningconfver -ne $latestconfver) {
            Copy-Item -Path $GLBSYSMONCONFIG -Destination $SYSMONCONF -Force
            & .\$SYSMONBIN -c $SYSMONCONF
        }
        Restart-Service -Name "Sysmon64"
    }
    
    $continue = $false
}

Credits to Ryan Watson, Syspanda.com, and the NCSC UK from which this script was adapted from.

Group Policy Object - A GPO deployment involves creating a 'Scheduled Task' that will periodically connect to the Sysvol network folder location and run install_sysmon.ps1 to install Sysmon or modify an existing installation.

Download the latest Sysmon (Sysmon64.exe) and SigCheck binaries from the Sysinternals suite.
Place the files (Sysmon64.exe, sigcheck64.exe, sysmon.xml, install_sysmon.ps1) to a subdirectory named Sysmon within the Sysvol directory on a domain controller.
By default, this is located at:
C:\Windows\SYSVOL\sysvol\DOMAIN.TLD
Ensure the final directory structure looks as follows:

C:\Windows\SYSVOL\sysvol\DOMAIN.TLD\Sysmon\
│
├── Sysmon64.exe
├── sigcheck64.exe
├── sysmon.xml
└── install_sysmon.ps1

Step 2: Creating the Sysmon Deployment Task via GPO

Open the Group Policy Management Console (gpmc.msc) on a Domain Controller.
Create a new Group Policy Object (GPO):
- Navigate to Domains > DOMAIN.TLD > Group Policy Objects.
- Right-click and select New. Name the GPO, e.g., "Deploy_Sysmon."
Edit the GPO: - Right-click the GPO and select Edit.
- Browse to Computer Configuration > Preferences > Control Panel Settings.
- Right-click Scheduled Tasks and select New > Scheduled Task (At least Windows 7).

Configure the Scheduled Task

General Tab

Enter a name, e.g., Install Sysmon.
Click Change User or Group, type SYSTEM, and press OK.
Check the box for Run with highest privileges.

Triggers Tab

Click New to create a trigger.
Select Daily and set a time of your choice.
(Optional) Check Delay task for up to (random delay) to stagger the task over a time window.

Actions Tab

Click New to create an action.
Select Start a Program as the action.
Set the Program/script to: \\DOMAIN.TLD\SYSVOL\DOMAIN.TLD\Sysmon\install_sysmon.ps1

Settings Tab

Ensure Allow task to be run on demand is checked.

Add Restricted Group Policy

In the GPO editor, browse to: Computer Configuration > Policies > Windows Settings > Security Settings.
Right-click Restricted Groups and select Add a group.
Enter Event Log Readers as the group name and press OK.
Under Members of this group, click Add and enter NETWORK SERVICE.

Step 3: Linking the GPO to an OU

Choose the Organizational Unit (OU) for Sysmon deployment, ideally testing on a pilot group (e.g., test-machines or a beta-testers OU) before full deployment.
Right-click on the target OU (or the domain itself, DOMAIN.TLD) and select Link an Existing GPO.
Select the newly created GPO.

Step 4: Testing and Verifying Deployment

To verify the GPO application:

In a Powershell run as administrator on a client machine, run: gpupdate /force
If needed, manually trigger the task for testing: Start-ScheduledTask -TaskName "Install Sysmon"

Confirm Sysmon is running with the following command: sc query sysmon
Example output:

Status Name DisplayName
------ ---- -----------
Running Sysmon64 Sysmon64

Verify the scheduled task exists with the following command: Get-ScheduledTask -TaskName "Install Sysmon"
Example output:

TaskPath TaskName State
-------- -------- -----
\ Install Sysmon Ready

Step 5: Activating Sysmon Log Forwarding with WEF

On the WEF server, open Event Viewer and click on Subscriptions in the left pane.
Right-click the subscription and select Properties, then Select Events.

In the XML tab, ensure one of the <Query> elements under <QueryList> contains the following:

<Select Path="Microsoft-Windows-Sysmon/Operational">
   *
</Select>

Once configured, Sysmon logs will start appearing on the WEF server under Windows Logs > Forwarded Events.