jokezone / update-sysmon Goto Github PK

This would be useful for detecting any of these issues by querying Active Directory:

• PowerShell scripting engine failures
• Failures running scheduled tasks
• Failures performing WMI queries
• Failures detecting the Sysmon service/driver name
• Failures importing a Sysmon configuration
• Sysmon installation/upgrade failures

The parameter would allow for choosing a custom attribute not actively being used in your AD environment. You would need to grant the SELF principal write access to this attribute on all AD computer objects:

-UpdateAD "<attribute name>"

The attribute content could contain the following semicolon delimited fields. The data can be ingested into a SIEM or simply queried using PowerShell/LDAP for quick analysis.

• Date/timestamp of the script runtime
• System up-time
• Sysmon service/driver name/status
• Sysmon configuration status
• Sysmon version
• Detected OS version / domain role
• Any other useful system details

The attribute update should occur at next script run-time, at most once per day, or when the system up-time is within a few hours. This will reduce the number of AD writes, while allowing an AD query to show up-to-date results. The up-time check is key, because when a system boots up for the first time, it will report Sysmon was installed, and the next run will report if the services are successfully running or not.

The latest version of Sysmon added the ability to copy deleted/shredded files to a system root ArchiveDirectory. This archive directory is protected with a SYSTEM ACL which prevents users from accessing the contents. Since Update-Sysmon is intended to run as the SYSTEM account, it could be used to synchronize files in this directory with a central file share for analysis by threat hunters.