The B.T.P.S. Security Package

Sysmon Setup

Sysmon Files in Domain Controllers Network Share Location

Put Sysmon Files on Your DC's Network Share

The sysmon.bat script copies the Sysmon configuration file (sysmon.xml) to the local path on remote devices that is defined in your .bat script. If Sysmon is not running, the script installs it using the configuration file sysmon.xml. Create or use a folder on your domain that is replicated to the other domain controllers, such as the NETLOGON share, and add the files below to it.

  • sysmon.bat
  • sysmon.exe
  • sysmon.xml (SwiftOnSecurity's)
  • MaliciousIPChecker.ps1
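As an added example (this is not the project's sysmon.bat), the same startup-script logic written in PowerShell: copy sysmon.exe and sysmon.xml from the replicated share to a local folder, install Sysmon with that configuration when the service is absent, start it when it is stopped, and otherwise reload the configuration only when the copy on the share has changed. The share path, local folder and service names are assumptions; `-accepteula`, `-i` and `-c` are Sysmon's own command-line switches.

```powershell
# Added example, not the project's sysmon.bat. Assumed locations:
$ShareDir = '\\DC01.corp.example\NETLOGON\Sysmon'   # assumed replicated share folder
$LocalDir = 'C:\Program Files\Sysmon'               # assumed local target folder
$LocalExe = Join-Path $LocalDir 'sysmon.exe'
$LocalCfg = Join-Path $LocalDir 'sysmon.xml'
$ShareCfg = Join-Path $ShareDir 'sysmon.xml'

if (-not (Test-Path $LocalDir)) {
    New-Item -ItemType Directory -Path $LocalDir | Out-Null
}

# Detect whether the configuration on the share differs from the local copy,
# so a running Sysmon is only asked to reload when there is something new.
$cfgChanged = $true
if (Test-Path $LocalCfg) {
    $cfgChanged = (Get-FileHash $LocalCfg).Hash -ne (Get-FileHash $ShareCfg).Hash
}

# Always refresh the binary and the configuration from the share.
Copy-Item -Path (Join-Path $ShareDir 'sysmon.exe') -Destination $LocalExe -Force
Copy-Item -Path $ShareCfg -Destination $LocalCfg -Force

# The service is named Sysmon for the 32-bit installer and Sysmon64 for the 64-bit one.
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1

if ($null -eq $svc) {
    # Not installed: install the driver and service with the shared configuration.
    & $LocalExe -accepteula -i $LocalCfg
}
elseif ($svc.Status -ne 'Running') {
    # Installed but stopped: bring it back up (the on-disk config is already loaded).
    Start-Service -Name $svc.Name
}
elseif ($cfgChanged) {
    # Running with an outdated configuration: reload in place without reinstalling.
    & $LocalExe -c $LocalCfg
}
```

Run as a computer startup script the code executes as SYSTEM, which is what the install and the configuration reload need; the hash comparison keeps the script safe to run on every boot without reloading an unchanged configuration.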

Sysmon Group Policy object that installs the service

Create a Group Policy

Add sysmon.bat as a startup script on the other devices in your domain by using Group Policy. Startup scripts are added under Computer Configuration > Policies > Windows Settings > Scripts > Startup. Enter the network share path of the script in the "Script Name" field and leave the "Script Parameters" field blank.

Sysmon.xml file in directory

Results

Once the policy has been pushed out successfully, you should see the sysmon.xml file at the location sysmon.bat saved it to on every machine in your domain that has the Group Policy object applied to it. Sysmon logs can be viewed inside "Event Viewer" under "Applications and Services Logs > Microsoft > Windows > Sysmon > Operational".

Image representing network search of a domain and IP address

Blacklist and WHOIS Lookup

Create a scheduled task to push out through Group Policy that executes the PowerShell Script MaliciousIPChecker.ps1 once an hour. This will look at the IP Addresses that a device has had connections with over the last hour and then perform a Blacklist check as well as verify the domain is more than 2 years old. If these conditions are not met they will be logged to the Event Viewer in a custom log called MaliciousIPs.
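As an added example (this is not the project's MaliciousIPChecker.ps1), the check described above implemented in PowerShell: gather the destination addresses from Sysmon network-connection events (Event ID 3) of the last hour, drop private and local ranges, test each public address against a DNS blacklist, check the destination domain's registration age over RDAP, and write any address that is listed or whose domain is younger than two years to a custom MaliciousIPs event log. The blacklist zone, the RDAP endpoint, the event source name and the event ID are assumptions; the script must run elevated the first time so that it can create the custom log, and Sysmon must be configured to record network connections.

```powershell
# Added example, not the project's MaliciousIPChecker.ps1. Assumed settings:
$DnsblZone  = 'zen.spamhaus.org'          # assumed DNS blacklist zone (check the provider's usage terms)
$RdapUrl    = 'https://rdap.org/domain/'  # assumed RDAP (WHOIS successor) lookup endpoint
$LogName    = 'MaliciousIPs'              # custom event log named on this page
$Source     = 'MaliciousIPChecker'        # assumed event source name
$MinAgeDays = 730                         # "more than 2 years old"

# Create the custom log and source once; needs administrative rights the first time.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

function Test-PrivateIp {
    param([string]$Ip)
    # RFC 1918, loopback, link-local, "this" network, multicast and broadcast are out of scope;
    # IPv6 addresses (anything containing ':') are skipped too in this example.
    return ($Ip -match ':') -or
           ($Ip -match '^(10\.|127\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|0\.|22[4-9]\.|2[3-5]\d\.)')
}

function Get-RecentDestinations {
    param([int]$Hours = 1)
    # Sysmon Event ID 3 = network connection; parse EventData by field name rather than position.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $ip   = ($data | Where-Object Name -eq 'DestinationIp').'#text'
        $name = ($data | Where-Object Name -eq 'DestinationHostname').'#text'
        if ($ip -and -not (Test-PrivateIp $ip)) {
            [pscustomobject]@{
                Ip       = $ip
                Hostname = $(if ($name -and $name -ne '-') { $name } else { $null })  # '-' means unresolved
            }
        }
    } | Sort-Object -Property Ip -Unique
}

function Test-Dnsbl {
    param([string]$Ip)
    # DNSBL convention: reverse the octets and query <reversed>.<zone>; any A record means "listed".
    $reversed = ($Ip -split '\.')[3..0] -join '.'
    $answer = Resolve-DnsName -Name "$reversed.$DnsblZone" -Type A -DnsOnly -ErrorAction SilentlyContinue
    return [bool]$answer
}

function Get-DomainAgeDays {
    param([string]$Hostname)
    # Reduce the hostname to its last two labels (an assumption that ignores multi-part TLDs such as co.uk).
    $labels = $Hostname.TrimEnd('.') -split '\.'
    if ($labels.Count -lt 2) { return $null }
    $domain = $labels[-2..-1] -join '.'
    try {
        $rdap = Invoke-RestMethod -Uri "$RdapUrl$domain" -TimeoutSec 10
        $reg  = $rdap.events | Where-Object eventAction -eq 'registration' | Select-Object -First 1
        if ($reg) { return ((Get-Date) - [datetime]$reg.eventDate).Days }
    } catch { }
    return $null   # unknown age is treated as a failed check by the caller
}

foreach ($conn in Get-RecentDestinations -Hours 1) {
    $reasons = @()
    if (Test-Dnsbl $conn.Ip) { $reasons += "listed in $DnsblZone" }
    if ($conn.Hostname) {
        $age = Get-DomainAgeDays $conn.Hostname
        if ($null -eq $age -or $age -lt $MinAgeDays) { $reasons += "domain $($conn.Hostname) age $age days" }
    }
    if ($reasons.Count -gt 0) {
        # One warning per flagged address; the WEF subscription can collect this log like any other.
        $msg = "Suspicious destination $($conn.Ip) ($($conn.Hostname)): $($reasons -join '; ')"
        Write-EventLog -LogName $LogName -Source $Source -EntryType Warning -EventId 1000 -Message $msg
    }
}
```

Two design points matter in practice: the private-range filter keeps the hourly run from querying the blacklist and RDAP for internal traffic, and the one-warning-per-address output gives the WEF subscription a stable event to forward rather than a flood of duplicates for the same connection.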

Image of Malicious IP in Task Scheduler

Create Scheduled Task

Finally, we will want to add a Scheduled Task to our Group Policy. This task executes the script "MaliciousIPChecker.ps1", which looks up information on the IP addresses collected from the Sysmon logs. Any IP address that is judged malicious has an event created for it, which is then forwarded to the WEF Application. This policy can be set at "Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks". The WEF Application will alert you of any of these events that are recorded.
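As an added example (not the Group Policy preference the page describes), the same hourly task registered locally with the ScheduledTasks module, which is useful for testing the script on one machine before rolling the preference out. The script path and task name are assumptions.

```powershell
# Added example: create the hourly MaliciousIPChecker task on the local machine.
$ScriptPath = '\\DC01.corp.example\NETLOGON\Sysmon\MaliciousIPChecker.ps1'   # assumed share path
$TaskName   = 'MaliciousIPChecker'                                            # assumed task name

# Run the script non-interactively so a bad execution policy or profile cannot block it.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Start today at midnight and repeat every hour; leaving the duration unset makes the repetition indefinite.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Hours 1)

# SYSTEM can read the Sysmon log and write to the custom event log without a stored credential.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Bound the run time so a hung lookup cannot overlap the next hourly run.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force
```

Once the task behaves as expected locally, the same action, trigger and principal settings are what you enter in the Group Policy preference so every machine runs it identically.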


Copyright © 2020 OsbornePro - All Rights Reserved. 

Questions or Comments: rosborne@osbornepro.com