How to deploy Sysmon via GPO
In this blog post, we are going to look at how to deploy Sysmon to all endpoints via GPO. In my case, I push all logs to my Windows Event Collector (WEC). My WEC has Winlogbeat installed, so I can centrally access all logs in SecurityOnion.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
First, download Sysmon and a configuration file.
- Download Sysmon
- Download the Configuration File
- Extract all files
- Create a folder on a server that is accessible for all endpoints
- Right click the newly created folder and select Properties - Sharing - Share
- Give 'Domain Computers' Permission Level: Read
- Move all earlier extracted files into the shared folder
This shared folder should now contain the following files:
Now, configure the GPO to deploy Sysmon to all machines in the corresponding OUs that - in my case - contain the Server and Clients
- Create a Group Policy Object. I called mine 'Sysmon'
- In the Group Policy Management Editor, go to Computer Configuration - Preferences - Control Panel Settings
- Right-click on Scheduled Tasks - New - Immediate Task (At least Windows 7)
- A new Task window will open up
- Under the General Tab, give it a Name, e.g. Sysmon
- In the General tab under Security options click Change User or Group and type SYSTEM, then click on Check Names and hit OK. NT AUTHORITY\System shows as the user account the task is run as
- Select Run whether user is logged on or not
- Under the Actions tab, click New..., under Action select Start a program and enter the path where Sysmon.exe is located
It should look similar to this:
Program/script: \\dc01\SYSVOL\neutronsec.com\scripts\Sysmon\Sysmon.exe
Add arguments (optional): -accepteula -i \\dc01\SYSVOL\neutronsec.com\scripts\Sysmon\config.xml
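The task action above is not idempotent: every time it fires it attempts a fresh `-i` install and offers no path for pushing an updated config.xml. As an added example (not from the original post), the Immediate Task could instead start `powershell.exe -ExecutionPolicy Bypass -File \\dc01\SYSVOL\neutronsec.com\scripts\Sysmon\Deploy-Sysmon.ps1` with the following wrapper; it assumes the share path used above, and the script name and log file location are my own choices.

```powershell
# Added example: idempotent Sysmon install/update wrapper for the GPO Immediate Task.
# Assumes the share path from the post; adjust to your environment.
$Share     = '\\dc01\SYSVOL\neutronsec.com\scripts\Sysmon'
$SysmonExe = Join-Path $Share 'Sysmon.exe'
$Config    = Join-Path $Share 'config.xml'
$LogFile   = "$env:ProgramData\SysmonDeploy.log"   # assumed location for a local deployment log

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Both files must be reachable from the endpoint (the task runs as SYSTEM, i.e. the computer account).
foreach ($path in @($SysmonExe, $Config)) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Log "Missing $path; aborting"
        exit 1
    }
}

# Sysmon.exe registers a service named Sysmon on 32-bit hosts and Sysmon64 on 64-bit hosts.
$service = Get-Service -Name 'Sysmon','Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1

if ($null -eq $service) {
    # Fresh install: -i installs the service and driver with the given configuration
    Write-Log 'Sysmon not present, installing'
    $proc = Start-Process -FilePath $SysmonExe -ArgumentList '-accepteula','-i',"`"$Config`"" -Wait -PassThru -NoNewWindow
} else {
    # Already installed: -c loads the (possibly updated) configuration without reinstalling
    Write-Log "Sysmon present as service '$($service.Name)', updating configuration"
    $proc = Start-Process -FilePath $SysmonExe -ArgumentList '-c',"`"$Config`"" -Wait -PassThru -NoNewWindow
}
Write-Log "Sysmon exited with code $($proc.ExitCode)"

# Post-check: the service must be running and the Operational log must contain at least one event
$running = Get-Service -Name 'Sysmon','Sysmon64' -ErrorAction SilentlyContinue |
           Where-Object Status -eq 'Running'
$recent  = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
if ($running -and $recent) {
    Write-Log "OK: $($running.Name) running, last event $($recent.TimeCreated)"
    exit 0
}
Write-Log "WARN: service running=$([bool]$running), events present=$([bool]$recent)"
exit 2
```

Because the script decides between `-i` and `-c` at run time, the same GPO can be re-triggered after editing config.xml on the share, and the log file shows per-host which branch ran and whether events are flowing.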
Now, link this GPO to the OUs containing the Clients and Servers (or whatever machines you want to install Sysmon on)
It will take around 90 to 120 minutes before the GPO has been processed and we can verify that Sysmon has been installed. Because we don't want to wait, we can force this with gpupdate /force to make sure the GPO has been applied and is working as intended.
Once this is done, open an elevated PowerShell prompt and check if Sysmon has produced logs
```powershell
# This will return the first 10 Sysmon events
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Select-Object -First 10
```
Via Windows Event Forwarding, we could now push the generated logs to our Windows Event Collector(s), which would ingest all collected logs into our SIEM. The benefit of this: we don't have to deploy yet another agent to collect logs on all endpoints, but only on our WEC. The WEC can handle around 3000 endpoints pushing logs, so instead of deploying 3000 agents we would deploy 1 agent.