Getting the Windows Data You Need

Quick overview of the Windows Data you need

References:

https://gist.github.com/silentbreaksec/8972f8c9dce151aebbef0a58313f3971
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities

We recommend you review the Windows Logging Cheat Sheet and tune your logging as needed.

Sysmon Install through GPO

Step 1. Create a Sysmon Folder under your SYSVOL folder in your DC

Step 2. Download Sysmon from Microsoft and place both Sysmon.exe and Sysmon64.exe in the newly created Sysmon folder.

Step 3. Download the sample Sysmon config from SwiftOnSecurity, rename the file to sysmonConfig.xml and place it in the Sysmon folder. Read through it before deploying: SYSVOL is readable by every authenticated user and computer in the domain, so anything this config excludes from logging is visible to anyone who lands on a domain-joined host.

Step 4. Enter the appropriate values for your DC and FQDN in the batch file, so that it reads Sysmon and the config from the Sysmon folder you created under SYSVOL. Startup scripts run as SYSTEM, and the computer account has read access to SYSVOL, so no extra share permissions are needed.

Step 5. Create a GPO that will launch this batch file on startup. Navigate to Group Policy Management and:

Create GPO

Name the GPO

Edit GPO

Navigate to Startup Script (Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown) -> Startup)

Add Batch Script

Enforce newly created GPO

Step 6. Apply the GPO to your specified OUs.

Step 7. Force a GPO update.
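The following is an added example of the startup script itself, not the batch file the page links. It installs Sysmon when the service is missing and otherwise only refreshes the configuration when the copy on SYSVOL has changed, so the same GPO can push future config changes without a reinstall. The DC name, domain FQDN, folder name and local cache directory are assumptions; substitute your own. The Startup Script properties have a PowerShell Scripts tab next to the batch one, or keep the same logic in your batch file.

```powershell
# Added example, not the batch file the page links. Startup script: install Sysmon if missing,
# otherwise refresh the config only when it changed. Share path and cache folder are assumptions.
$Share = '\\dc01.corp.example\SYSVOL\corp.example\Sysmon'   # assumption: \\<DC>\Sysvol\<FQDN>\<Sysmon Folder>
$Local = Join-Path $env:ProgramData 'Sysmon'                # local copy so Sysmon survives a share outage
$Exe   = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$SvcName = [IO.Path]::GetFileNameWithoutExtension($Exe)      # default service name matches the binary name

$SharedExe    = Join-Path $Share $Exe
$SharedConfig = Join-Path $Share 'sysmonConfig.xml'
$LocalExe     = Join-Path $Local $Exe
$LocalConfig  = Join-Path $Local 'sysmonConfig.xml'

if (-not (Test-Path $Local)) { New-Item -ItemType Directory -Path $Local -Force | Out-Null }
if (-not (Test-Path $LocalExe)) { Copy-Item -Path $SharedExe -Destination $LocalExe -Force }

$svc = Get-Service -Name $SvcName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    # Fresh install: -accepteula is mandatory for an unattended install, -i installs with the given config.
    Copy-Item -Path $SharedConfig -Destination $LocalConfig -Force
    & $LocalExe -accepteula -i $LocalConfig
    exit $LASTEXITCODE
}

# Already installed: only push the config when it actually differs from what we deployed last time,
# so machines do not rewrite identical rules (and log a config-change event) on every boot.
$changed = -not (Test-Path $LocalConfig) -or
           ((Get-FileHash -Path $SharedConfig).Hash -ne (Get-FileHash -Path $LocalConfig).Hash)
if ($changed) {
    Copy-Item -Path $SharedConfig -Destination $LocalConfig -Force
    & $LocalExe -c $LocalConfig     # -c <file> replaces the running configuration without a reinstall
    exit $LASTEXITCODE
}
```

Because the script caches the binary and config under ProgramData, a host that boots while the DC is unreachable keeps whatever Sysmon configuration it already had instead of failing the install.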

If the Group Policy Update you trigger from Group Policy Management fails with an error:

Make sure you allow the firewall rules that remote Group Policy update depends on in your Starter GPOs. Microsoft ships a Starter GPO named Group Policy Remote Update Firewall Ports for exactly this; it opens the inbound Remote Scheduled Tasks Management (RPC and RPC-EPMAP) and Windows Management Instrumentation (WMI-In) rules that the remote refresh uses.

Another method is to run the update commands locally on the target machine:

You'll be able to view the Group Policy update results in the HTML report.
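As an added example (not from the original page), here is the local refresh together with a check that the Sysmon GPO actually landed in the computer's applied set, so you can tell a linking or filtering problem from a script problem. The GPO name is an assumption; use the name you gave your GPO.

```powershell
# Added example, not from the original page: refresh policy locally and check the RSoP for our GPO.
# The GPO name is an assumption.
$GpoName  = 'Deploy Sysmon'
$HtmlPath = Join-Path $env:TEMP 'gpresult.html'
$XmlPath  = Join-Path $env:TEMP 'gpresult.xml'

gpupdate /force /wait:120            # /wait caps how long the foreground refresh may block

# /h writes the HTML report for humans, /x the same data as XML that we can parse; /f overwrites.
gpresult /scope computer /h $HtmlPath /f | Out-Null
gpresult /scope computer /x $XmlPath  /f | Out-Null

[xml]$rsop = Get-Content -Path $XmlPath
$gpos    = @($rsop.Rsop.ComputerResults.GPO)
$applied = @($gpos | Where-Object { $_.Enabled -eq 'true' -and $_.IsValid -eq 'true' -and
                                    $_.AccessDenied -ne 'true' -and $_.FilterAllowed -ne 'false' })
$filtered = @($gpos | Where-Object { $_.AccessDenied -eq 'true' -or $_.FilterAllowed -eq 'false' })

if ($applied.Name -contains $GpoName) {
    "OK: '$GpoName' is applied to this computer"
} elseif ($filtered.Name -contains $GpoName) {
    "FIX: '$GpoName' is linked but filtered out (security filtering or WMI filter); details in $HtmlPath"
} else {
    "FIX: '$GpoName' is not in this computer's RSoP at all; check the link and the OU the computer sits in ($HtmlPath)"
}
```

Startup scripts only run at boot, so even when the GPO shows as applied you still need a restart (or the scheduled task method below) before Sysmon appears.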

Second method to install Sysmon through GPO

1. Create and link the GPO as mentioned above, but this time you'll be creating a scheduled task (Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks).

2. Name the task and set it to run as NT AUTHORITY\SYSTEM during install.

3. Create the Trigger.

4. Create the Action.

You can browse to and add the batch file, but if the editor crashes when the file is selected, manually type the path to the file: \\<DC>\Sysvol\<FQDN>\<Sysmon Folder>\<SysmonInstall.bat>

5. Apply the GPO to your specified OUs.

6. Force a GPO update.

After a restart, you should see Sysmon.exe or Sysmon64.exe running as a service (the service is named Sysmon or Sysmon64 to match the binary). Logs can be found in Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.
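As an added example (not from the original page), this check confirms on a host that the service is running, which configuration it loaded, and that events are actually being written to the Operational log, which is the quickest way to catch a config that parses but excludes everything.

```powershell
# Added example, not from the original page: verify Sysmon is running and producing events.
$svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue |
       Where-Object { $_.Status -eq 'Running' } | Select-Object -First 1
if (-not $svc) { throw 'No Sysmon service is running: the startup script or scheduled task did not complete.' }
"Service : {0} ({1})" -f $svc.Name, $svc.Status

# Sysmon copies its binary into %SystemRoot% under the service name; -c with no file argument
# prints the loaded configuration, so you can confirm the right rule set version is in place.
& (Join-Path $env:windir "$($svc.Name).exe") -c |
    Select-String -Pattern 'Service name|HashingAlgorithms|Rule configuration'

# Event counts per ID for the last hour. 1 = process create, 3 = network connection,
# 11 = file create, 13 = registry value set, 16 = config change, 255 = Sysmon error.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

if (-not $events) { 'FIX: no Sysmon events in the last hour; check the config and that the log is not disabled.' }
$events | Group-Object -Property Id | Sort-Object { [int]$_.Name } |
    ForEach-Object { "{0,6} x Event ID {1}" -f $_.Count, $_.Name }
if ($events | Where-Object Id -eq 255) { 'FIX: Sysmon reported errors (Event ID 255); read them before trusting the feed.' }
```

The Sysmon Operational log has a small default maximum size; if your forwarder falls behind, events roll off before they are shipped, so raising the limit (wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:<bytes>) is a cheap safety margin.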

Setting up Audit Policy

Go to the Default Domain Policy and update the audit policies (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration). We recommend you review the Windows Logging Cheat Sheet and tune the audit policy based on what you need. If you use the Advanced Audit Policy Configuration, also enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" under Security Options, otherwise legacy category settings can quietly win. Editing the Default Domain Policy works, but a dedicated audit GPO linked at the domain level is easier to version and roll back.

Don't worry about the log size, as we will be forwarding these logs to a SIEM; do make sure the forwarder keeps up, because once the Security log wraps, unforwarded events are gone. Monitoring files and registry keys will also be done by Sysmon.
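As an added example (not from the original page or the cheat sheet), the following script compares the effective audit policy on a host with a baseline and flags the subcategories that differ. The baseline table is an assumption in the spirit of the Windows Logging Cheat Sheet; replace it with the settings you decided on. It also checks that process creation events (4688) include the command line, which the audit policy alone does not turn on.

```powershell
# Added example, not from the original page: compare effective audit policy against a baseline.
# The baseline below is an assumption; edit it to match the policy you actually deployed.
$Baseline = [ordered]@{
    'Logon'                      = 'Success and Failure'
    'Logoff'                     = 'Success'
    'Special Logon'              = 'Success'
    'Process Creation'           = 'Success'
    'User Account Management'    = 'Success and Failure'
    'Security Group Management'  = 'Success and Failure'
    'Audit Policy Change'        = 'Success and Failure'
    'Other Object Access Events' = 'Success and Failure'   # scheduled task creation (4698) lands here
}

# auditpol /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$Effective = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

foreach ($name in $Baseline.Keys) {
    $row    = $Effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'No Auditing' }
    $status = if ($actual -eq $Baseline[$name]) { 'OK ' } else { 'FIX' }
    "{0} {1,-28} expected: {2,-20} actual: {3}" -f $status, $name, $Baseline[$name], $actual
}

# 4688 is far more useful with the command line; this is a separate policy, not an audit subcategory:
# Administrative Templates -> System -> Audit Process Creation -> Include command line in process creation events
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $regPath -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
if ($cmdLine -eq 1) { 'OK  command line is included in 4688 events' }
else { 'FIX command line is not included in 4688 events (ProcessCreationIncludeCmdLine_Enabled is not 1)' }
```

Run it on a member server and a workstation after the GPO has applied; a subcategory that reads "No Auditing" on one but not the other usually means a lower-level GPO is overriding the domain policy.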

Splunk Forwarder Deployment via GPO

1. Open the universal forwarder MSI file with Orca, select Transform -> New Transform, and add the Splunk install info to the Property table.

2. Change AGREETOLICENSE to Yes. Add rows for SPLUNKUSERNAME, SPLUNKPASSWORD and DEPLOYMENT_SERVER (host:port of your deployment server, port 8089 by default). Additional rows can be added based on the flag names in https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline. Keep in mind that the MST is a plain file on a share every domain computer can read, so the SPLUNKPASSWORD value is effectively public inside the domain: use a dedicated forwarder admin account that has no rights anywhere else, or set GENRANDOMPASSWORD=1 instead and manage the forwarders through the deployment server.

3. Transform -> Generate Transform -> <SplunkForwarder.mst>. Move the MST and MSI to a shared folder that the computer accounts (the GPO runs as the machine) can read.

4. Create the GPO. We are creating a Software Installation GPO (Computer Configuration -> Policies -> Software Settings -> Software installation) but need to select the Advanced radio button for the deployment method, because the Modifications tab is only available for Advanced deployments.

Add the new package, selecting the MSI file in the shared folder. Then, on the Modifications tab, add the MST file. Modifications cannot be added after the package has been created, so add the MST before clicking OK.

Verify the file path is the network (UNC) path to the share, not a local drive letter, or the clients will not be able to reach it.
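As an added example (not from the original page or from Splunk), the following script applies the generated transform to a copy of the MSI and prints the resulting Property table entries, so you can confirm what the GPO will actually install before rolling it out. The share and file names are assumptions.

```powershell
# Added example, not from the original page: verify what the MST sets before deploying it via GPO.
# Share path and file names are assumptions.
$Msi = '\\dc01.corp.example\Software\splunkforwarder.msi'
$Mst = '\\dc01.corp.example\Software\SplunkForwarder.mst'

# Work on a temp copy: the transform is applied in memory and never committed, so the share stays untouched.
$MsiCopy = Join-Path $env:TEMP 'splunkforwarder-check.msi'
Copy-Item -Path $Msi -Destination $MsiCopy -Force

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiCopy, 1))  # 1 = transact mode
# ApplyTransform throws if the MST was generated against a different MSI build; that is the error you want here.
$db.GetType().InvokeMember('ApplyTransform', 'InvokeMethod', $null, $db, @($Mst, 0))

$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT `Property`, `Value` FROM `Property`'))
$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)

$props = @{}
while ($true) {
    $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $rec) { break }
    $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
    $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(2))
    $props[$name] = $value
}

foreach ($p in 'AGREETOLICENSE', 'SPLUNKUSERNAME', 'SPLUNKPASSWORD', 'DEPLOYMENT_SERVER') {
    if ($props.ContainsKey($p)) { "{0,-18} = {1}" -f $p, $props[$p] } else { "{0,-18} MISSING" -f $p }
}
if ($props['AGREETOLICENSE'] -ne 'Yes') { 'FIX: AGREETOLICENSE is not Yes; the silent install will stop.' }
if ($props.ContainsKey('SPLUNKPASSWORD')) {
    'WARNING: SPLUNKPASSWORD is stored in cleartext in the MST; anyone who can read the share can read it.'
}

# Test on one machine before the GPO does it everywhere (same property set the GPO will apply):
#   msiexec.exe /i $Msi TRANSFORMS=$Mst /quiet /l*v "$env:TEMP\splunkuf-install.log"
```

If the Property table shows the values you expect but the GPO install still fails, the verbose msiexec log from the test install is the place to look; Software Installation itself only reports success or failure in the System event log.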
