Deploying Sysmon through Group Policy (GPO) *Updated scroll down*

Here’s a way to deploy Sysmon to all of your domain endpoints using Group Policy.

Step 1: Create the Sysmon install batch file

First, create a batch file and place it in a domain share that is accessible to every domain client.

Here’s the batch file:

Save it as Sysmon_install.bat

What does it do?

The script copies the Sysmon configuration file (config.xml) to C:\Windows\ and then, if Sysmon isn't running, installs it using the configuration we just copied.
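As an added example (not the post's original Sysmon_install.bat, which is not reproduced above), here is a batch file that does exactly what the description says. It assumes the share \\domain.com\apps named in the post holds Sysmon64.exe and config.xml, and that the 64-bit binary registers the service as Sysmon64 (the 32-bit Sysmon.exe registers it as Sysmon):

```batch
@echo off
REM Added example startup script, not the post's original file.
REM Assumptions: share \\domain.com\apps (named in the post) holds
REM Sysmon64.exe and config.xml; the 64-bit binary registers the
REM service "Sysmon64" (32-bit Sysmon.exe registers "Sysmon").
setlocal
set "SHARE=\\domain.com\apps"
set "DEST=C:\Windows"

REM Copy the configuration file to C:\Windows, overwriting any older copy.
copy /Y "%SHARE%\config.xml" "%DEST%\config.xml" >nul

REM Install only when the Sysmon service is not running yet.
REM "sc query" prints a STATE line; "find" sets errorlevel 1 if RUNNING is absent.
sc query Sysmon64 2>nul | find /I "RUNNING" >nul
if errorlevel 1 (
    REM -accepteula suppresses the licence prompt under the non-interactive SYSTEM account.
    "%SHARE%\Sysmon64.exe" -accepteula -i "%DEST%\config.xml"
)
endlocal
```

Note that `-i` only installs; if the service exists but is stopped, Sysmon reports that it is already installed and the script does nothing further, and a config change copied by this script is not picked up until the next reboot.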

Step 2: Create a folder on your domain that is replicated to the other domain controllers (in my example: apps), and copy the following into it:

Now that you have the prerequisites, let’s move on.

Step 3: Creating a Start-up script

Launch your group policy utility and perform the following:

Right-click your domain OU and:

  1. Create a GPO in this domain, and link it here
  2. Provide a name (Sysmon Deployment) and hit OK
  3. Right-click your newly created GPO Sysmon Deployment and select Edit
  4. Navigate to Computer Configuration > Policies > Windows Settings > Scripts > Startup
  5. Click Startup, then Add, and browse to your script location \\domain.com\apps\Sysmon_Install.bat; finalize with OK
  6. Right-click your newly created GPO and ensure that it is enabled and enforced (if necessary)

This is it!

The startup script runs as SYSTEM, which takes care of the administrative rights Sysmon needs to install.

Suggestions:
Create a test OU and move a limited number of endpoints there to get started. Assuming you already have a log collector, review the types of logs you are receiving and modify your configuration file to include/exclude certain events so the volume doesn't become overwhelming.

A challenge I came across was updating the configuration file across endpoints. If you update your configuration file, the change will only happen once the endpoint refreshes its group policy (default is 90 min), or longer at times.

Update September 2017: Preferred method

The previous method only applies this GPO when the client machine is rebooted, not merely logged off and on (hence the term "Startup script"). However, you will soon realize that NOT all of your workstations and servers get rebooted (especially those production servers in your environment that are never touched). To ensure 100% compliance with the Sysmon deployment, and to get a way to automatically update the Sysmon configuration file, here's an alternative solution that leverages Windows scheduled tasks.

What will this accomplish?

  1. Deploy Sysmon along with an initial configuration
  2. Check for configuration updates every hour (during business hours)

Step 1: Create the Sysmon install batch file

First, create a batch file and place it in a domain share that is accessible to every domain client.

Here's the batch file. (This file always writes to C:\Windows and replaces whatever configuration file is already there.)
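As an added example (not the post's own sysmon.bat), here is a batch file for the scheduled-task method. It installs Sysmon when the service is absent, otherwise reloads the configuration with `-c`, and it also implements the check the final notes suggest: the configuration is only re-applied when the copy on the share differs from the local copy. It assumes the share \\domain.com\apps from the post holds Sysmon64.exe and config.xml, that the service is registered as Sysmon64, and it writes a small log file (an assumed path) so you can verify what each run did:

```batch
@echo off
REM Added example for the scheduled-task method, not the post's own sysmon.bat.
REM Assumptions: share \\domain.com\apps (from the post) holds Sysmon64.exe and
REM config.xml; the service name "Sysmon64" is what Sysmon64.exe registers;
REM the log file path is an assumption.
setlocal enabledelayedexpansion
set "SHARE=\\domain.com\apps"
set "DEST=C:\Windows"
set "LOG=%DEST%\sysmon_deploy.log"

REM Bail out quietly if the share is unreachable (e.g. a laptop off the network).
if not exist "%SHARE%\config.xml" (
    echo !date! !time! share unreachable, skipping >>"%LOG%"
    goto :eof
)

REM Case 1: Sysmon service absent -> install with the current config.
REM "sc query" returns errorlevel 1060 when the service does not exist.
sc query Sysmon64 >nul 2>&1
if !errorlevel! neq 0 (
    copy /Y "%SHARE%\config.xml" "%DEST%\config.xml" >nul
    "%SHARE%\Sysmon64.exe" -accepteula -i "%DEST%\config.xml"
    echo !date! !time! installed Sysmon, exit code !errorlevel! >>"%LOG%"
    goto :eof
)

REM Case 2: already installed -> reload the config only when the copy on the
REM share differs from the local copy. "fc /B" compares bytes and returns 0
REM when the files are identical, 1 when they differ, 2 when one cannot be opened.
fc /B "%SHARE%\config.xml" "%DEST%\config.xml" >nul 2>&1
if !errorlevel! equ 0 (
    echo !date! !time! config unchanged, nothing to do >>"%LOG%"
    goto :eof
)
copy /Y "%SHARE%\config.xml" "%DEST%\config.xml" >nul
REM "-c <file>" applies a new configuration to the running service without reinstalling.
"%SHARE%\Sysmon64.exe" -accepteula -c "%DEST%\config.xml"
echo !date! !time! config updated, exit code !errorlevel! >>"%LOG%"
endlocal
```

Delayed expansion (`!errorlevel!`) is used because `%errorlevel%` inside a parenthesised block is expanded when the block is parsed, so it would report the result of the `sc query` rather than of the Sysmon command that follows it. Byte comparison rather than a size check catches edits that keep the file the same length.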

Step 2: Create a folder on your domain that is replicated to the other domain controllers (in my example: apps), and copy the following into it:

Now that you have the prerequisites, let’s move on.

Step 3: Creating a Scheduled Task

Launch your group policy utility and perform the following:

Right-click your domain OU and:

  1. Create a GPO in this domain, and link it here
  2. Provide a name (Sysmon Deployment) and hit OK
  3. Right-click your newly created GPO Sysmon Deployment and select Edit
  4. Navigate to Computer Configuration > Preferences > Scheduled Tasks
  5. Right-click Scheduled Tasks and click Scheduled Task (At least Windows 7) (this should work for Windows 7, Windows 10, and Server 2008/2012)

6. Under the General tab, set the following:

7. Under the Trigger tab, click New

Hit OK when done.

(This checks your Sysmon configuration every hour from 7:30 a.m. until 7:30 p.m.; set it to your own production hours, when you expect to make changes to your Sysmon config.) This lets all of your clients constantly check for an updated version of the Sysmon config, which is helpful when you have hundreds or thousands of systems and need a way to deploy the same configuration file to all of them.

8. Under the Actions tab, click New

Browse to your sysmon.bat file and hit OK when done.

9. Optional step: Under the Settings tab, you can check "Allow task to be run on demand" (this lets you manually trigger the scheduled task on an endpoint when you log in, which helps with initial testing).

10. Once done, click OK.

You should now see your task created.

Exit out of Group Policy.
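As an added example, not part of the post, here is the same task expressed with schtasks.exe so it can be created and exercised on a single endpoint before the GPO is linked to a wider OU. The task name and the script path \\domain.com\apps\sysmon.bat are assumptions (the share name comes from the post); the trigger mirrors step 7 (hourly, 07:30 to 19:30) and the task runs as SYSTEM:

```batch
@echo off
REM Added example: the task the GPO Preference item creates, built locally with
REM schtasks.exe for testing on one endpoint. Not from the post. Assumed: task
REM name "Sysmon Config Check" and script \\domain.com\apps\sysmon.bat (the
REM share name is from the post). Run from an elevated prompt.

REM Hourly between 07:30 and 19:30, as SYSTEM; /F replaces a task of the same name.
schtasks /Create /F ^
    /TN "Sysmon Config Check" ^
    /TR "cmd.exe /c \\domain.com\apps\sysmon.bat" ^
    /SC HOURLY /MO 1 /ST 07:30 /ET 19:30 ^
    /RU "SYSTEM" /RL HIGHEST

REM Trigger it on demand (the behaviour step 9 enables) instead of waiting for 07:30.
schtasks /Run /TN "Sysmon Config Check"

REM Show the trigger, last run time and last result (0 = success) for verification.
schtasks /Query /TN "Sysmon Config Check" /V /FO LIST
```

After the on-demand run, check the Sysmon service state with `sc query Sysmon64` and the log the batch file writes, and compare against what the GPO-created task produces on the test OU once Group Policy has refreshed.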

Now you can be sure that all of your endpoints are installing Sysmon and checking for configuration updates.

Final Notes:

  • You can probably add a condition that checks for file size differences (or similar) so your endpoints don't keep grabbing the same configuration file when it hasn't changed.

If you have any questions, feel free to send me a message on Twitter, where I'll answer more quickly.
