Getting the Windows Data You Need

A quick overview of the Windows data you need.

References:

https://gist.github.com/silentbreaksec/8972f8c9dce151aebbef0a58313f3971
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities

We recommend you review the Windows Logging Cheat Sheet and tune logs as needed.

Sysmon Install through GPO

Step 1. Create a Sysmon folder under the SYSVOL folder on your DC

Step 2. Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in the newly created Sysmon folder

Step 3. Download a sample Sysmon config from SwiftOnSecurity, rename the file to sysmonConfig.xml and place it in the Sysmon folder

Step 4. Enter the appropriate values for your DC and FQDN in the batch file.

Step 5. Create a GPO that will launch this batch file on startup. Navigate to Group Policy Management:

Create GPO -> Name the GPO -> Edit GPO -> Navigate to Startup Script -> Add Batch Script -> Enforce newly created GPO

Step 6. Apply the GPO to your specified OUs.

Step 7. Force GPO Update

If you get the following error:

Make sure you allow the following firewall rules in your Starter GPOs

Another method is running the following commands:

You'll be able to view the group policy update results in the HTML file.

Second method to install Sysmon through GPO

1. Create and link the GPO as mentioned above, but this time you'll be creating a scheduled task

2. Name the task and let it run as System during install

3. Create Trigger

4. Create Alert

You can browse and add the batch file, but if it crashes when the file is selected, manually type in the path to the file:

\\<DC>\Sysvol\<FQDN>\<Sysmon Folder>\<SysmonInstall.bat>

Step 6. Apply the GPO to your specified OUs.

Step 7. Force GPO Update

After a restart, you should see sysmon.exe or sysmon64.exe running as a service. Logs can be found under Applications and Services -> Microsoft -> Windows -> Sysmon.
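Both methods above run a SysmonInstall.bat from the SYSVOL share, but the page does not include one. The following is an added example (not the page's own script) that installs Sysmon with the shared config on first boot and only reloads the config on later boots, so the startup GPO stays idempotent. <DC>, <FQDN> and the file names follow the placeholders above; the architecture check via PROCESSOR_ARCHITECTURE and the default service names Sysmon/Sysmon64 are assumptions.

```batch
@echo off
REM SysmonInstall.bat - example GPO startup script (added here, not from the page).
REM Replace <DC> and <FQDN>; the share layout follows Steps 1-3 above.
set "SHARE=\\<DC>\SYSVOL\<FQDN>\Sysmon"
set "CONFIG=%SHARE%\sysmonConfig.xml"

REM Pick the binary matching the OS architecture. Sysmon names its service
REM after the executable, so the service name follows the same choice (assumption).
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" (
    set "EXE=%SHARE%\sysmon64.exe"
    set "SVC=Sysmon64"
) else (
    set "EXE=%SHARE%\sysmon.exe"
    set "SVC=Sysmon"
)

REM Startup scripts run as SYSTEM before a user logs on; if SYSVOL is not
REM reachable yet, stop here instead of leaving a half-installed service.
if not exist "%CONFIG%" (
    echo Sysmon config not reachable at %CONFIG% 1>&2
    exit /b 1
)

REM Service already present: push the current config (-c) so edits to
REM sysmonConfig.xml in SYSVOL propagate on the next boot.
REM Service missing: install (-i) with the shared config and accept the EULA.
sc query "%SVC%" >nul 2>&1
if %errorlevel% equ 0 (
    "%EXE%" -accepteula -c "%CONFIG%"
) else (
    "%EXE%" -accepteula -i "%CONFIG%"
)
exit /b %errorlevel%
```

Check the result under Event Viewer as described above; a non-zero exit code from the script shows up in the Group Policy operational log on the client.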

Setting up Audit Policy

Go to the Default Domain Policy and update the Audit Policies. We recommend you review the Windows Logging Cheat Sheet and tune the audit policy based on what you need/want.

Don't worry about the log size, as we will be forwarding these logs to a SIEM. Monitoring of files and registry keys will also be done by Sysmon.

Splunk Forwarder Deployment via GPO

1. Download the Splunk Windows MSI and the Windows SDK (for Orca)

2. Open the MSI file with Orca, select New Transform, and add the Splunk install info.

Change AGREETOLICENSE = Yes
Add Row -> SPLUNKUSERNAME, SPLUNKPASSWORD, DEPLOYMENT_SERVER
Additional rows can be added based on the flag names in https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline

3. Generate Transform -> <SplunkForwarder.mst>. Move the MST and MSI to a shared folder the GPO can access.

4. Create the GPO. We are creating a Software Install GPO, but need to select the Advanced radio button under Properties.

Add a new policy and select the MSI file in the shared folder. Then modify the install with the MST file.

Verify that the file path points to the network share.
