Merge pull request #25 from NerbalOne/master

Repo Overhaul

Author: ion-storm

.gitignore

@@ -1,51 +1,51 @@
 # Sysmon ATT&CK Configuration #
-The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.
+The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Please beware that you may need to fine tune and add exclusions depending on your environment. High CPU usage may be seen if exclusions are not added and one or more rules are firing off multiple times every second. 
 
       **[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
-Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git, tag your name with Author=YourName within the rulename field.
+Pull requests and issue tickets are welcomed. Any new additions will be credited in-line or on Git. Tag your name with Author=YourName within the rulename field.
 
-This Sysmon ATT&CK Configuration is designed "Explicitly" to enrich your SIEM for threat intelligence, forensics, UEBA, use cases.  You'll want to create a key-value parser for the
+This Sysmon ATT&CK Configuration is designed "Explicitly" to enrich your SIEM for threat intelligence, forensics, and UEBA use cases. You'll want to create a key-value parser for the
 rulename field to create field names per event within your SIEM.  
-Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting, investigations can be done 
-that contains added context and story line information of user behavior and activity leading up to an attack.  Non-Alerting Visibility rules are tagged with Desc=, and Forensic= and are
-meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments.  Some of these non-alerting visibility rules can be graduated 
+Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting and investigations can be done 
+that contains added context and story line information of user behavior and activity leading up to an attack. Non-Alerting visibility rules are tagged with "Desc=" and "Forensic=" and are
+meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments. Some of these non-alerting visibility rules can be graduated 
 to the Alerting rules or can be used with correlation rules within a SIEM/SOAR/XDR.  
 
 The goal with this configuration is a "Control" configuration that provides ultimate visibility that should be ran in conjunction with an EDR.  
-As we know, allot of EDR's today provide little contextual information, forensic information that is tagged, categorized, risk rated, some alerts EDR vendors choose to not alert
-on due to the differences between each environment and how hard it is to baseline some detections.  There is many use cases where EDR's fall short, they are not the greatest at 
-identifying suspicious activity that may fall short of being labeled as malicious.  The goal here is to detect all common user activity that would lead to exfiltration, infiltration, 
-malware, malicious activity, questionable activity.  If a user is poking around the registry, sending data to cloud storage, downloading and executing random attachments and files,
-copying files, we want to know.  We also want to leave an audit trail by monitoring the registry, artifact locations and provide our forensic analysts as much detail as possible.
+As we know, allot of EDR's today provide little contextual information, forensic information that is tagged, categorized, risk rated, and some alerts EDR vendors choose to not alert
+on due to the differences between each environment and how hard it is to baseline some detections. There is many use cases where EDR's fall short. They are not the greatest at 
+identifying suspicious activity that may fall short of being labeled as malicious. The goal here is to detect all common user activity that would lead to exfiltration, infiltration, 
+malware, malicious activity, and questionable activity. If a user is poking around the registry, sending data to cloud storage, downloading and executing random attachments and files, and/or
+copying files, we want to know. We also want to leave an audit trail by monitoring the registry, artifact locations, and provide our forensic analysts as much detail as possible.
 
-If you have forensic registry keys, file locations, artifacts, behavior detections and anything that may be beneficial here, feel free to put in a pull request.  
-The goal here is as much visibility as possible, with accurate alerts that are not noisy.  
+If you have forensic registry keys, file locations, artifacts, behavior detections, and anything that may be beneficial here, feel free to put in a pull request.  
+The goal here is as much visibility as possible with accurate alerts that are not noisy.  
 
 
-This now has an Auto Updater script to update to the latest Sysmon config hourly.  This is great for mass deployments without having to manually update thousands of systems.
-
 ## Use ##
 
-### Auto-Install with Auto Update Script:###
+### Auto Install with Auto Update Script ###
+The two below PowerShell scripts that are contained in this repo will download and install Sysmon and the config along with creating a scheduled task to run hourly to update the config.
 ~~~~
-Install Sysmon.bat
+Sysmon Install.ps1
+SysmonUpdateConfig.ps1
 ~~~~
 
 ### Install ###
-Run with administrator rights
+Run with administrator rights.
 ~~~~
 sysmon.exe -accepteula -i sysmonconfig-export.xml
 ~~~~
 
-### Update existing configuration ###
-Run with administrator rights
+### Update Existing Configuration ###
+Run with administrator rights.
 ~~~~
 sysmon.exe -c sysmonconfig-export.xml
 ~~~~
 
 ### Uninstall ###
-Run with administrator rights
+Run with administrator rights.
 ~~~~
 sysmon.exe -u
 ~~~~
@@ -56,9 +56,3 @@ Hide:
 sc sdset Sysmon D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 Restore:
 sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
-
-~~~~
-
-### Graylog Configuration ###
-
-(https://github.com/ion-storm/Graylog_Sysmon)

Auto_Update.bat

@@ -0,0 +1,60 @@
+#Author: NerbalOne
+#This PowerShell script will first create the Sysmon folder if it does not exist. It will then download Sysmon.exe, which supports both 32 bit and 64 bit, along with the Sysmon config and Sysmon Update script. It will then install Sysmon with the config and create a Scheduled Task to run hourly to update the Sysmon config.
+
+# Define Sysmon URLs
+$sysmonURL = "https://live.sysinternals.com/sysmon.exe"
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
+$sysmonUpdateConfig = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/SysmonUpdateConfig.ps1"
+
+# Define Local Path for Sysmon File and Sysmon Config
+$sysmonPath = "C:\Programdata\Sysmon\sysmon.exe"
+$sysmonConfigPath = "C:\Programdata\Sysmon\sysmonconfig-export.xml"
+$sysmonUpdatePath = "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"
+$sysmonFolderPath = "C:\ProgramData\Sysmon\"
+
+# Create Sysmon Folder if it Doesn't Exist
+if (-not (Test-Path $sysmonFolderPath)) {
+    # Create the Folder
+    try {
+        New-Item -ItemType Directory -Path $sysmonFolderPath -Force
+        Write-Host "Folder created successfully at $folderPath"
+    }
+    catch {
+        Write-Host "Error creating the folder: $_"
+    }
+}
+else {
+    Write-Host "The folder already exists at $folderPath"
+}
+
+# Download Sysmon, Config, and Update Script
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+Invoke-WebRequest -Uri $sysmonURL -OutFile $sysmonPath
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+Invoke-WebRequest -Uri $sysmonUpdateConfig -OutFile $sysmonUpdatePath
+
+# Install Sysmon with Config
+Start-Process -FilePath $sysmonPath -ArgumentList "-accepteula -i $sysmonConfigPath" -NoNewWindow -Wait
+
+# Create a New Scheduled Task
+Start-Process schtasks.exe -ArgumentList '/Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR "powershell.exe -ExecutionPolicy Bypass -File "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"" /f' -Wait -WindowStyle Hidden
+Start-Process schtasks.exe -ArgumentList '/Run /TN Update_Sysmon_Rules' -Wait -WindowStyle Hidden
+
+# Define Sysmon service Name
+$sysmonServiceName = "Sysmon"
+
+# Check if Sysmon Service Exists
+try {
+    $service = Get-Service -Name $sysmonServiceName -ErrorAction Stop
+    Write-Output "Sysmon service exists"
+} catch {
+    Throw "Sysmon service does not exist"
+}
+
+# Check if Scheduled Task is Created Successfully
+try {
+    $task = Get-ScheduledTask -TaskName "Update_Sysmon_Rules" -ErrorAction Stop
+    Write-Output "Scheduled task created successfully"
+} catch {
+    Throw "Scheduled task creation failed"
+}

Install Sysmon.bat

@@ -0,0 +1,24 @@
+#Author: NerbalOne
+#This PowerShell script will first download the latest Sysmon config. Then it will apply this config to Sysmon.
+
+# Define Sysmon Path
+$sysmonPath = "C:\ProgramData\Sysmon\sysmon.exe"
+$sysmonConfigPath = "C:\ProgramData\Sysmon\sysmonconfig-export.xml"
+
+# Define Sysmon Config URL
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
+
+# Download the Latest Sysmon Config
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+
+# Run sysmon.exe with Config
+& $sysmonPath -c $sysmonConfigPath
+
+# Check the Exit Code of the Previous Command
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Sysmon executed successfully."
+} else {
+    Write-Output "Sysmon execution failed."
+}
+