This repository has been archived by the owner on Nov 1, 2023. It is now read-only.
Make the script working #4
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Domain check with wmic doesn't work, because whitespaces are also included, which breaks the path to your Sysvol. So set your domain in the script manually. Search for the term <YOUR_DOMAIN>. SET SYSMONDIR was changed to C:\Windows. No specific reason, but when you install Sysmon manually from a folder outside C:\Windows, it will install itself to C:\Windows. If you don't use C:\Windows, it will check if the new Sysmon folder exists. :installsysmon I've added additional hashes as installation parameter, but depending on your Sysmon config will this be overwritten. :checkversion If Sysmon was installed manually and not with the script, sigcheck64 may be missing. Added an additional check if it exists. :updateconfig If Sysmon was installed manually and not with the script, sigcheck64 may be missing. Added an additional check if it exists. Also added a hash comparison of the Sysmon configs. The old way with set /p variable=<file didn't work, because it only reads the first line, which is everytime the path of the file and so, in the end, this check will never work, because file pathes are only compared. :uninstallsysmon Added chdir to the Sysmon path.
|
Thanks for your time. We'll take a look at the changes in a day or two, after testing the changes. At the moment we're likely keep the hash types as-is, because we need to compare against common threat intel feeds and check we're getting the right hash types. |
This was referenced May 2, 2019
|
Closing as we cherry picked the changes and merged earlier. |
Closed
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Domain check with wmic doesn't work, because whitespaces are also included, which breaks the path to your Sysvol. So set your domain in the script manually. Search for the term <YOUR_DOMAIN>.
SET SYSMONDIR was changed to C:\Windows. No specific reason, but when you install Sysmon manually from a folder outside C:\Windows, it will install itself to C:\Windows.
If you don't use C:\Windows, it will check if the new Sysmon folder exists.
:installsysmon
I've added additional hashes as installation parameter, but depending on your Sysmon config will this be overwritten.
:checkversion
If Sysmon was installed manually and not with the script, sigcheck64 may be missing. Added an additional check if it exists.
:updateconfig
If Sysmon was installed manually and not with the script, sigcheck64 may be missing. Added an additional check if it exists.
Also added a hash comparison of the Sysmon configs. The old way with set /p variable=<file didn't work, because it only reads the first line, which is everytime the path of the file and so, in the end, this check will never work, because file pathes are only compared.
:uninstallsysmon
Added chdir to the Sysmon path.