haam3r/SysmonWEF

SysmonWEF

Deploying Sysmon and WEF

Deploying Sysmon and WEF with SwiftOnSecurity's config

Lab environment consists of a Windows 10 client and Server 2016 Core as DC and log collector.

Scripts and settings use the name "COLLECTOR" to refer to the log collector server; replace it with the name of your own server.

Enable remote log access on Server

WinRM should be enabled by default.

```powershell
# Start a PowerShell remoting session on the server
Enter-PSSession -ComputerName COLLECTOR
# Enable the firewall rule group that allows remote viewing of event logs on the server
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"
```

Setup the log collector

We will be utilising a PowerShell DSC module to set this up.

Grab the DSC module from: https://github.com/haam3r/xWindowsEventForwarding

Collector configuration:

```powershell
Configuration SysmonCollector {
    Param (
        [string[]]$ComputerName
    )
    Import-DscResource -ModuleName xWindowsEventForwarding

    Node $ComputerName {

        # Turn on the Windows Event Collector service (equivalent of "wecutil qc")
        xWEFCollector Enabled {
            Ensure = "Present"
            Name = "Enabled"
        }

        # Source-initiated subscription: clients push the Sysmon channel to the collector
        xWEFSubscription Sysmon {
            SubscriptionID = "Sysmon"
            Ensure = "Present"
            Description = "Collect Sysmon events"
            SubscriptionType = "SourceInitiated"
            Query = @(
                'Microsoft-Windows-Sysmon/Operational:*'
            )
            DependsOn = "[xWEFCollector]Enabled"
        }
    }
}

# Compile the MOF into C:\DSC and apply it to the collector
if (-not (Test-Path C:\DSC)) {
    New-Item -Path C:\DSC -ItemType Directory
}

SysmonCollector -ComputerName COLLECTOR -OutputPath C:\DSC\
Start-DscConfiguration -Wait -Force -Path C:\DSC\ -Verbose -ComputerName COLLECTOR
```
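Once the DSC run finishes, it is worth confirming that the collector is actually listening and that events arrive. The following script is an added example and not part of the haam3r/SysmonWEF repository; it assumes it is run on the collector itself and that the subscription is named "Sysmon" as in the configuration above.

```powershell
# Added example (not part of the haam3r/SysmonWEF repo): post-deployment check
# of the collector. Assumes it runs locally on the collector and that the
# subscription is called "Sysmon".
param(
    [string]$SubscriptionId = 'Sysmon'
)

# The Windows Event Collector service must be running for any
# source-initiated subscription to accept forwarded events.
$wec = Get-Service -Name Wecsvc
if ($wec.Status -ne 'Running') {
    Write-Warning "Wecsvc is $($wec.Status); run 'wecutil qc' or Start-Service Wecsvc"
}

# Forwarders connect over WS-Management (HTTP 5985 by default), so a WinRM
# listener has to exist on the collector.
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener
if (-not $listeners) {
    Write-Warning 'No WinRM listener is configured on this host'
}

# Enumerate subscriptions and make sure ours was created by DSC.
$subs = (wecutil es) | ForEach-Object { $_.Trim() }
if ($subs -notcontains $SubscriptionId) {
    throw "Subscription '$SubscriptionId' not found; the DSC configuration may not have applied"
}

# Configuration as the collector sees it (query, delivery mode, target log).
wecutil gs $SubscriptionId

# Runtime status: one line per event source with last heartbeat and last error,
# which is the quickest way to spot clients that never checked in.
wecutil gr $SubscriptionId

# End-to-end check: count Sysmon events that reached ForwardedEvents, per source host.
Get-WinEvent -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-Sysmon'
} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object -Property MachineName |
    Select-Object Name, Count
```

An empty result from the last query immediately after deployment is normal; clients only register once the GPO below has applied and the forwarder service has refreshed its subscription manager, so rerun it after a `gpupdate /force` on a client.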

GPO Settings

Create a new GPO targeting the machines you wish to collect logs from.

Under "Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups" :

  • right-click and "Add Group" with the Group Name being "BUILTIN\Event Log Readers" and members "NT AUTHORITY\NETWORK SERVICE"

Under "Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Forwarding":

Under "Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service -> Application":

  • Set a value of 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)' for "Configure Log Access"

Under "Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Event Log Service -> Security":

  • Set a value of 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)' for "Configure Log Access"
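The three settings above only work together if NETWORK SERVICE (the identity the forwarder runs as) ends up in Event Log Readers and the channel ACLs really contain the entries for NS and S-1-5-32-573. The script below is an added example, not part of the haam3r/SysmonWEF repository; it is meant to be run on a client after `gpupdate /force` and assumes Windows PowerShell 5.1 or later (for `ConvertFrom-SddlString` and `Get-LocalGroupMember`). The SDDL strings are the ones from the GPO section; the registry path is the policy key that "Configure Log Access" writes to.

```powershell
# Added example (not part of the haam3r/SysmonWEF repo): verify on a client
# that the Restricted Groups and "Configure Log Access" settings took effect.

# 1. Restricted Groups: NETWORK SERVICE must be a member of Event Log Readers,
#    otherwise the forwarder cannot read Security/Application at all.
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction Stop
if (-not ($readers.Name | Where-Object { $_ -like '*NETWORK SERVICE' })) {
    Write-Warning 'NETWORK SERVICE is not in Event Log Readers; Restricted Groups has not applied'
}

# 2. Channel access: the SDDL values from the GPO section, keyed by channel.
$expected = @{
    'Application' = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)'
    'Security'    = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)'
}

foreach ($log in $expected.Keys) {
    # The policy value the ADMX setting writes (present only after the GPO applied).
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
    $policySddl = (Get-ItemProperty -Path $policyKey -Name ChannelAccess -ErrorAction SilentlyContinue).ChannelAccess
    if ($policySddl -ne $expected[$log]) {
        Write-Warning "$log policy SDDL differs from the GPO value:`n  policy:   $policySddl`n  expected: $($expected[$log])"
    }

    # The effective descriptor on the channel itself, as the Event Log service applies it.
    $effective = (Get-WinEvent -ListLog $log).SecurityDescriptor
    if ($effective -ne $expected[$log]) {
        Write-Warning "$log effective channel SDDL differs from the GPO value: $effective"
    }

    # 3. Decode the SDDL and confirm the two principals that matter for WEF
    #    (NETWORK SERVICE and BUILTIN\Event Log Readers) are granted access.
    $dacl = (ConvertFrom-SddlString -Sddl $expected[$log]).DiscretionaryAcl
    foreach ($principal in 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Event Log Readers') {
        if (-not ($dacl | Where-Object { $_ -like "$principal*" })) {
            Write-Warning "$log SDDL grants nothing to $principal"
        }
    }
    "${log}:"
    $dacl | ForEach-Object { "  $_" }
}
```

The decoded DACL makes the numeric masks readable: 0x1 on an event channel is read access, which is all the forwarder needs, while the 0xf0005/0xf0007 entries for SYSTEM keep full control. Anything granting more than read to NS or Event Log Readers would be a sign the SDDL was mistyped.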

Sysmon deploy

Grab: https://github.com/SwiftOnSecurity/sysmon-config and the Sysmon exe itself from https://live.sysinternals.com/Sysmon64.exe
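The page stops at "grab the files"; the script below is an added example of the client-side install step, not part of the haam3r/SysmonWEF or SwiftOnSecurity repositories. It assumes Sysmon64.exe and the exported SwiftOnSecurity config (sysmonconfig-export.xml) have already been copied to a share named `$Source` (a placeholder), checks the binary's Authenticode signature before running it, installs or merely reloads the configuration depending on whether Sysmon is already present, and finally verifies that the channel the collector subscribes to exists.

```powershell
# Added example (not part of the haam3r/SysmonWEF repo): install or update
# Sysmon with the SwiftOnSecurity configuration and verify the result.
param(
    [string]$Source     = '\\COLLECTOR\Sysmon',        # placeholder share holding both files
    [string]$ConfigName = 'sysmonconfig-export.xml'   # file name used in the SwiftOnSecurity repo
)

$exe    = Join-Path $Source 'Sysmon64.exe'
$config = Join-Path $Source $ConfigName

# Refuse to run a binary that is not signed by Microsoft; Sysmon is Authenticode-signed.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Sysmon64.exe signature check failed: $($sig.Status)"
}

$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    # Fresh install: -i installs the driver and service with the supplied config.
    & $exe -accepteula -i $config
} else {
    # Already installed: -c reloads the configuration without reinstalling.
    & $exe -accepteula -c $config
}
if ($LASTEXITCODE -ne 0) {
    throw "Sysmon returned exit code $LASTEXITCODE"
}

# Verify the service is up and the channel from the collector's subscription query exists.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') {
    throw "Sysmon64 service is $($svc.Status)"
}
$channel = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction Stop
"Sysmon channel enabled: $($channel.IsEnabled), records so far: $($channel.RecordCount)"

# Dump the live configuration (includes the config hash) so a later run can detect drift.
& $exe -c
```

Keeping the install and the config reload in one script means the same job can be scheduled to push config updates: when SwiftOnSecurity publishes a new export, only the XML on the share changes and the next run picks it up without touching the driver.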
