# Getting the Windows Data You Need

### References:

<https://gist.github.com/silentbreaksec/8972f8c9dce151aebbef0a58313f3971>\
<https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities>\
We recommend you review the [Windows Logging Cheat Sheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5c586681f4e1fced3ce1308b/1549297281905/Windows+Logging+Cheat+Sheet_ver_Feb_2019.pdf) and tune logs as needed.

## Sysmon Install through GPO

Step 1. Create a Sysmon folder under the SYSVOL folder on your DC.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCvtoJ_R96qtTQD-pso%2F-MCw285lSdy269WL0S8v%2Fimage.png?alt=media\&token=f67a766f-7d53-43fe-bf4d-7c086013899d)

Step 2. Download Sysmon from [Microsoft](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities) and place both sysmon.exe and sysmon64.exe in the newly created Sysmon folder.

Step 3. Download a sample Sysmon config from [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config), rename the file to sysmonConfig.xml and place it in the Sysmon folder.

Step 4. Enter the appropriate values for your DC and FQDN in the [batch](https://gist.github.com/silentbreaksec/8972f8c9dce151aebbef0a58313f3971) file.

Step 5. Create a GPO that will launch this batch file on startup.

Navigate to Group Policy Management

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCw3vnlliAXxMsjlf2J%2F-MCwC0a2xi-Zg4sj8YhT%2Fimage.png?alt=media\&token=11483953-23f2-4f35-ab55-297538320110)

Create GPO

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCw3vnlliAXxMsjlf2J%2F-MCwCBNffEE0ozHNbq39%2Fimage.png?alt=media\&token=3d183c67-feb0-4d2d-bb3a-8db2211ebc03)

Name the GPO

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCw3vnlliAXxMsjlf2J%2F-MCwCRerYnYxaemYf_oy%2Fimage.png?alt=media\&token=5449e881-5778-41cd-90bb-eed8d8ade0a9)

Edit GPO

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCw3vnlliAXxMsjlf2J%2F-MCwCwhuFd7tAbM9PwjE%2Fimage.png?alt=media\&token=e0abe88b-b356-49ce-aa7a-0390aa8eb898)

Navigate to the Startup script setting

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCw3vnlliAXxMsjlf2J%2F-MCwDBuuk0iz9aPLAEyu%2Fimage.png?alt=media\&token=2d59ca0a-78b1-4a88-9961-68799f7774d8)

Add the batch script

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCw3vnlliAXxMsjlf2J%2F-MCwDZ2QNCop9VZnmIBb%2Fimage.png?alt=media\&token=4dd85889-7669-4207-b098-dd4a8f961e47)

Enforce newly created GPO

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCw3vnlliAXxMsjlf2J%2F-MCwDugH11FEmpVLL5p_%2Fimage.png?alt=media\&token=78edc0fa-fd3d-4b61-a3aa-12ca178b6eb7)

Step 6. Apply the GPO to your specified OUs.\
Step 7. Force a GPO update.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCwHFNs3UtEFsxAXaGb%2F-MCwMtaXkq8y6iz3mnKf%2Fimage.png?alt=media\&token=f1e95d46-326e-4828-9eba-94874c4185c7)
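The batch file linked in Step 4 is the page's own installer; the script below is an added example, not the gist's code, written in PowerShell (the GPO scripts editor has a PowerShell Scripts tab beside the batch one). It assumes the names `DC01` and `corp.example.com`, the SYSVOL folder layout from Steps 1 to 3, and a local state folder `C:\ProgramData\SysmonDeploy`. It installs Sysmon when the service is absent and otherwise only re-applies the config when its SHA-256 hash differs from the last copy it applied, so the script stays cheap at every boot.

```powershell
# Added example: Sysmon startup script (assumed values, replace DC01 / corp.example.com).
$Dc   = 'DC01'
$Fqdn = 'corp.example.com'
$Share  = "\\$Dc\SYSVOL\$Fqdn\Sysmon"           # folder created in Step 1
$Config = Join-Path $Share 'sysmonConfig.xml'    # config placed in Step 3
$LocalDir    = 'C:\ProgramData\SysmonDeploy'     # assumed local state folder
$LocalConfig = Join-Path $LocalDir 'sysmonConfig.xml'
$LogFile     = Join-Path $LocalDir 'install.log'

# Pick the binary for the OS bitness; the service is named after the binary (Sysmon / Sysmon64).
$Exe         = if ([Environment]::Is64BitOperatingSystem) { 'sysmon64.exe' } else { 'sysmon.exe' }
$ServiceName = [IO.Path]::GetFileNameWithoutExtension($Exe)
$Binary      = Join-Path $Share $Exe

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
function Write-Log([string]$Message) { "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile }

# Startup scripts run as SYSTEM, which reads SYSVOL via the computer account; bail out early if it cannot.
if (-not (Test-Path $Binary) -or -not (Test-Path $Config)) {
    Write-Log "share unreachable or files missing: $Binary / $Config"
    exit 1
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Log "installing $Exe with $Config"
    & $Binary -accepteula -i $Config | Out-Null      # install driver + service with this config
    Copy-Item -Path $Config -Destination $LocalConfig -Force
    exit 0
}

# Already installed: push the config only when the copy on the share changed.
$shareHash = (Get-FileHash -Path $Config -Algorithm SHA256).Hash
$localHash = if (Test-Path $LocalConfig) { (Get-FileHash -Path $LocalConfig -Algorithm SHA256).Hash } else { '' }
if ($shareHash -ne $localHash) {
    Write-Log "config changed ($localHash -> $shareHash), updating"
    & $Binary -c $Config | Out-Null                   # -c loads a new config into the running service
    Copy-Item -Path $Config -Destination $LocalConfig -Force
} else {
    Write-Log 'config unchanged, nothing to do'
}
```

Because every client reads the config and binaries from SYSVOL, keep write access to that folder limited to the admins who maintain it: whoever can edit sysmonConfig.xml there can silently blind Sysmon on every machine that applies the GPO. The config update in Sysmon is itself logged as event ID 16, which is a useful thing to alert on outside your own change windows.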

If you get the following error:

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCwHFNs3UtEFsxAXaGb%2F-MCwMpt0hUbEN7m2F_O3%2Fimage.png?alt=media\&token=ac5f10a1-2e9a-480a-a657-6c16357fdfee)

Make sure you allow the following firewall rules in your Starter GPOs.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCwHFNs3UtEFsxAXaGb%2F-MCwNHCnvh3u439irHlN%2Fimage.png?alt=media\&token=b72d3ecf-07f3-405f-b8f7-6eaffb5dec97)

Another method is to run the following commands:

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MCwOlQ6nkkPNz47EQF6%2F-MD-iiRCZGW2purr-OZK%2Fimage.png?alt=media\&token=66545068-07fb-4124-9ce7-5a18a3df4700)

You'll be able to view the Group Policy update results in the HTML file.
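As an added example (not the commands shown in the screenshot above, which are not reproduced here), the following PowerShell does the remote refresh from an admin host with the GroupPolicy module installed: it first checks that the three inbound firewall rules a remote refresh depends on are enabled on the target, then triggers the update and writes the resultant-set-of-policy report to an HTML file. The workstation name `WKS01` and the report path are assumptions.

```powershell
# Added example: remote Group Policy refresh with a firewall pre-check (assumed host name / paths).
Import-Module GroupPolicy

$Target = 'WKS01'                                   # assumed workstation name
$Report = "C:\Temp\$Target-gpresult.html"           # assumed output path

# Invoke-GPUpdate schedules gpupdate on the target through a remote scheduled task,
# so these inbound rules must be enabled there (they are what the Starter GPO above allows).
$Needed = 'Remote Scheduled Tasks Management (RPC)',
          'Remote Scheduled Tasks Management (RPC-EPMAP)',
          'Windows Management Instrumentation (WMI-In)'

$state = Invoke-Command -ComputerName $Target -ScriptBlock {
    param([string[]]$Names)
    Get-NetFirewallRule -DisplayName $Names -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile
} -ArgumentList (,$Needed)

$state | Format-Table -AutoSize
$disabled = $state | Where-Object { "$($_.Enabled)" -ne 'True' }
if ($disabled) {
    Write-Warning "Rules disabled on $Target`: $($disabled.DisplayName -join ', ')"
}

# Force the refresh now (no random delay) and capture the outcome as an HTML report.
Invoke-GPUpdate -Computer $Target -Force -RandomDelayInMinutes 0
Get-GPResultantSetOfPolicy -Computer $Target -ReportType Html -Path $Report
"RSoP report written to $Report"
```

The pre-check itself relies on WinRM being reachable on the target; if `Invoke-Command` fails, run the `Get-NetFirewallRule` line locally on the workstation instead. Opening these rules widens the remote-management surface of every machine in scope, so scope the Starter GPO firewall rules to the management subnet rather than "Any" where your environment allows it.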

### Second method to install Sysmon through GPO

1. Create and link the GPO as described above, but this time you'll be creating a scheduled task instead of a startup script

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD-qyUCGg_G1AUWdmNr%2F-MD-rlAeh9VGD0JeW529%2Fimage.png?alt=media\&token=cfd71cdf-df00-4f92-910e-fdcca117bf2b)

2\. Name the task and let it run as SYSTEM during install

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD-qyUCGg_G1AUWdmNr%2F-MD-s-whvUXeAwNnNGZt%2Fimage.png?alt=media\&token=234d1be9-e4ad-485e-8492-fd404bf17920)

3\. Create Trigger

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD-qyUCGg_G1AUWdmNr%2F-MD-sFoFlK6dI_f_hXzy%2Fimage.png?alt=media\&token=947dc886-2215-43d0-8b96-9d95e28b0d0f)

4\. Create Alert

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD-qyUCGg_G1AUWdmNr%2F-MD-sb_rqyGqjbP8HECN%2Fimage.png?alt=media\&token=68b28453-47c0-4a60-9643-6354f14d2468)

You can browse to and add the batch file, but if the editor crashes when the file is selected, manually type the path to the file: `\\<DC>\Sysvol\<FQDN>\<Sysmon Folder>\<SysmonInstall.bat>`

Then, as in steps 6 and 7 above, apply the GPO to your specified OUs and force a GPO update.

After a restart, you should see sysmon.exe or sysmon64.exe running as a service. Logs can be found in Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.
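To confirm the deployment did what the text describes, here is an added example (not part of the original page) that checks for the service, summarises which Sysmon event IDs the last hour produced, and prints the most recent process-creation events with their command lines, since those are the fields most detections key on. It runs on the local machine and assumes nothing beyond a standard Sysmon install.

```powershell
# Added example: verify Sysmon is running and summarise what it is logging on this host.
$svc = Get-Service | Where-Object { $_.Name -in 'Sysmon', 'Sysmon64' }
if (-not $svc) { throw 'Sysmon service not found; check the startup script log and the RSoP report' }
"{0}: {1}" -f $svc.Name, $svc.Status

$LogName = 'Microsoft-Windows-Sysmon/Operational'
$events  = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-1) } `
                        -ErrorAction SilentlyContinue

# Legend for the event IDs most configs emit (from the Sysmon documentation).
$Legend = @{ 1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 7 = 'ImageLoad'; 10 = 'ProcessAccess';
             11 = 'FileCreate'; 12 = 'RegistryKeyAddDelete'; 13 = 'RegistryValueSet';
             16 = 'ConfigChange'; 22 = 'DnsQuery' }

"Events by ID in the last hour:"
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'Id'; e = { $_.Name } },
                  @{ n = 'Type'; e = { $Legend[[int]$_.Name] } },
                  Count | Format-Table -AutoSize

# Event XML carries named Data elements; flatten them into a hashtable for readable output.
function ConvertTo-SysmonRecord($Event) {
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ Time = $Event.TimeCreated; User = $data.User
                       Image = $data.Image; CommandLine = $data.CommandLine }
}

"Most recent process creations:"
$events | Where-Object Id -eq 1 | Select-Object -First 5 | ForEach-Object { ConvertTo-SysmonRecord $_ } |
    Format-List

# Event ID 16 records every config change; one outside your own change window deserves a look.
$events | Where-Object Id -eq 16 | Select-Object TimeCreated, Message
```

If the ID summary shows only event ID 1, the config on the share is probably not the one you intended (the SwiftOnSecurity config also emits network, DNS, image-load and registry events), so compare the hash of sysmonConfig.xml on SYSVOL with the one the client applied before assuming the endpoint is covered.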

## Setting up Audit Policy

Go to the Default Domain Policy and update the Audit Policies. We recommend you review the [Windows Logging Cheat Sheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5c586681f4e1fced3ce1308b/1549297281905/Windows+Logging+Cheat+Sheet_ver_Feb_2019.pdf) and tune the audit policy based on what you need.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD-tgM4_DTihwk5pe2d%2F-MD01qwPXkji-ZsZvkP4%2Fimage.png?alt=media\&token=fcfce613-7f37-45ed-9e76-8008c381a3d5)

Don't worry about the log size, as we will be forwarding these logs to a SIEM. Monitoring of files and registry keys will also be done by Sysmon.
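Once the policy has applied, the effective audit settings on a host are the merge of the GPO and any local configuration, so it is worth reading them back rather than trusting the GPO editor. The following added example (not from the page or the cheat sheet) parses `auditpol` output and flags subcategories still set to "No Auditing". The list of required subcategories is an assumed subset of what the cheat sheet recommends; tune it to your own policy. It must run in an elevated prompt and expects English subcategory names.

```powershell
# Added example: flag audit subcategories that are not being collected (assumed required list).
$Required = @(
    'Process Creation', 'Process Termination',
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon', 'Other Logon/Logoff Events',
    'User Account Management', 'Security Group Management', 'Computer Account Management',
    'Audit Policy Change', 'Authentication Policy Change',
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Sensitive Privilege Use', 'Security System Extension', 'File Share', 'Removable Storage'
)

# /r emits CSV with columns Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting; Inclusion Setting is the effective success/failure state.
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

$findings = foreach ($name in $Required) {
    $row = $policy | Where-Object Subcategory -eq $name
    if (-not $row) { "$name : subcategory not present on this OS version"; continue }
    if ($row.'Inclusion Setting' -eq 'No Auditing') { "$name : No Auditing" }
}

if ($findings) {
    "Subcategories needing attention:"
    $findings
} else {
    "All required subcategories are audited."
}

# Command-line capture in 4688 is a separate policy (Administrative Templates > System > Audit
# Process Creation); without it, process-creation events carry only the image path.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
"4688 command-line logging: " + $(if ($val -eq 1) { 'enabled' } else { 'disabled' })
```

Run it on a workstation and on a domain controller separately: DC-only subcategories such as Kerberos Authentication Service will legitimately report "No Auditing" on member machines, which is why the script reports rather than fails.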

## Splunk Forwarder Deployment via GPO

1. Download the [Splunk Windows MSI](https://www.splunk.com/en_us/download/splunk-enterprise.html) and the Windows SDK (for [Orca](https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe))
2. Open the MSI file with Orca, select New Transform, and add the Splunk install info.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD0hjQbFgp9JbWs5WOn%2F-MD0kmjkaWYMKmJUa5ci%2Fimage.png?alt=media\&token=4116f148-2a26-4423-bc84-deee1acc0f8f)

Change AGREETOLICENSE = Yes\
Add Row -> SPLUNKUSERNAME, SPLUNKPASSWORD, DEPLOYMENT\_SERVER\
\
Additional rows can be added based on the flag names in <https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline>

3\. Generate Transform -> \<SplunkForwarder.mst>\
Move the MST and MSI to a shared folder for the GPO to access.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD0mk4NYHXsxPA-e53X%2F-MD0qMiVdQWhjKL_XeMl%2Fimage.png?alt=media\&token=4d89fc24-db95-4b17-b8c0-e3a9ddf1ccce)

4\. Create GPO!\
We are creating a Software Installation GPO, but need to select the Advanced radio button under Properties.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD0mk4NYHXsxPA-e53X%2F-MD0nyMkD6k9eAsUYGVN%2Fimage.png?alt=media\&token=fc7a0a01-eaa5-450e-b462-3c7c627ebf8b)

Add a new package, select the MSI file in the shared folder, then modify the install with the MST file.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD0mk4NYHXsxPA-e53X%2F-MD0rUyQcKD0B4iPyWci%2Fimage.png?alt=media\&token=e03eaff0-dd5d-44e8-8bb2-8896c5bf66f6)

Verify the file path is the network share path, not a local path.

![](https://497022807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M40gfLBnd0WeqnRKeZO%2F-MD0mk4NYHXsxPA-e53X%2F-MD0rI6a5WmvnEfww2Mj%2Fimage.png?alt=media\&token=3cec4e38-bd59-4cac-bd7f-a04ca92a4021)
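Before pushing the package through the GPO, it saves a lot of gpresult reading to try the MSI and MST pair once by hand on a test machine. The following is an added example (not from the page or from Splunk), using the same MSI properties the transform carries; the share path, deployment server name and log path are assumptions. Passing a property on the command line overrides the value in the MST, so this is also a quick way to test a different deployment server without regenerating the transform.

```powershell
# Added example: test-install the universal forwarder with the transform (assumed paths / values).
$Msi = '\\DC01\Deploy\splunkforwarder.msi'        # assumed share from step 3
$Mst = '\\DC01\Deploy\SplunkForwarder.mst'
$Log = 'C:\Temp\splunkuf-install.log'

$msiArgs = @(
    '/i', "`"$Msi`"",
    "TRANSFORMS=`"$Mst`"",
    'AGREETOLICENSE=Yes',
    'DEPLOYMENT_SERVER=splunk-ds.corp.example.com:8089',   # assumed deployment server
    '/quiet', '/norestart',
    '/L*v', "`"$Log`""                                     # verbose log for troubleshooting
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
"msiexec exit code: $($proc.ExitCode)"     # 0 = success, 3010 = success, reboot required

# Verify the service and that the deployment server setting actually landed.
Get-Service -Name SplunkForwarder | Select-Object Name, Status, StartType
$dcConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf'
if (Test-Path $dcConf) {
    Get-Content -Path $dcConf
} else {
    Write-Warning 'deploymentclient.conf not found; DEPLOYMENT_SERVER was not applied'
}

# Confirm from the installer log that the transform was picked up at all.
Select-String -Path $Log -Pattern 'TRANSFORMS' | Select-Object -First 3 | ForEach-Object { $_.Line }
```

One thing to keep in mind with this deployment model: the MST is a plain file, and anyone who can read the software share can read the SPLUNKPASSWORD row in it. Restrict the share to read access for the computer accounts that need it plus the admins who maintain it, use a password unique to the forwarders (it is the forwarder's local admin, not your Splunk server login), and treat the share like the SYSVOL Sysmon folder above: write access to it is effectively code execution as SYSTEM on every machine in scope.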
