Added Installscript

README.md

@@ -1,8 +1,11 @@
-# sysmon-config | A Sysmon configuration file for everybody to fork #
+# sysmon-config | A Sysmon configuration file fork #
 
-This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
+This is a Microsoft Sysinternals Sysmon configuration file template.
+It contains multiple pull-requests from the SwiftOnSecurity repository as well as some modifications from the environment where it's deployed.
 
-The file should function as a great starting point for system change monitoring in a self-contained and accessible package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.
+The file should function as a great starting point for system change monitoring in a self-contained and accessible package. 
+This configuration and results should give you a good idea of what's possible for Sysmon. 
+Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.
 
       **[sysmonconfig-export.xml](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
@@ -17,6 +20,20 @@ Note: Exact syntax and filtering choices in the configuration are highly deliber
       **[See other forks of this configuration](https://github.com/SwiftOnSecurity/sysmon-config/network)**
 
 ## Use ##
+
+### Install / Update / Uninstall - via Script ###
+Run with administrator rights
+
+#### Install / Update ####
+~~~~
+install_update.cmd
+~~~~
+
+#### Uninstall ####
+~~~~
+install_update.cmd u
+~~~~
+
 ### Install ###
 Run with administrator rights
 ~~~~
@@ -38,12 +55,16 @@ sysmon.exe -u
 ## Required actions ##
 
 ### Prerequisites ###
-Highly recommend using [Notepad++](https://notepad-plus-plus.org/) to edit this configuration. It understands UNIX newline format and does XML syntax highlighting, which makes this very understandable. I do not recommend using the built-in Notepad.exe.
+Highly recommend using [Notepad++](https://notepad-plus-plus.org/) or [Visual Studio Code](https://code.visualstudio.com/) to edit this configuration. 
+They understand UNIX newline format and do XML syntax highlighting, which makes this very understandable.
 
 ### Customization ###
-You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.
+You will need to install and observe the results of the configuration in your own environment before deploying it widely. 
+For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.
 
 The configuration is highly commented and designed to be self-explanatory to assist you in this customization to your environment.
 
 ### Design notes ###
-This configuration expects software to be installed system-wide and NOT in the C:\Users folder. Various pieces of software install themselves in User directories, which are subject to extra monitoring. Where possible, you should install the system-wide version of these pieces of software, like Chrome. See the configuration file for more instructions.
+This configuration expects software to be installed system-wide and NOT in the C:\Users folder. 
+Various pieces of software install themselves in User directories, which are subject to extra monitoring. 
+Where possible, you should install the system-wide version of these pieces of software, like Chrome. See the configuration file for more instructions.

install_update.cmd

@@ -0,0 +1,46 @@
+@echo off
+SETLOCAL ENABLEEXTENSIONS
+SET MYDIR= %~dp0
+SET CMD_SWITCH=%1
+cls
+
+REM Reset any Errorlevel to zero
+ver >NUL
+
+REM Check for Administrative permissions
+net session >NUL 2>&1
+IF %ERRORLEVEL% NEQ 0 (
+	echo Administrative permissions required.
+	goto EOF
+)
+
+IF DEFINED CMD_SWITCH (
+	IF "%CMD_SWITCH%"=="u" (
+		echo Removing SYSMON...
+		%MYDIR%sysmon64 -u force >NUL 2>&1
+		goto EOF
+	)
+	echo To uninstall SYSMON use this script with parameter u.
+	goto EOF
+)
+
+REM Reset any Errorlevel to zero
+ver >NUL
+
+REM Check if Sysmon64 is already installed
+sc query sysmon64 | find /I "TYPE" >NUL
+
+IF %ERRORLEVEL% NEQ 0 (
+	REM SYSMON is not installed -> New system
+	echo Installing Sysmon
+	%MYDIR%sysmon64 -i %MYDIR%sysmonconfig-export.xml -accepteula >NUL 2>&1
+) ELSE (
+	REM SYSMON is installed -> Config will be updated
+	echo Updating Config
+	%MYDIR%sysmon64 -c %MYDIR%sysmonconfig-export.xml >NUL 2>&1
+)
+
+ENDLOCAL
+
+:EOF
+