The B.T.P.S. Security Package

The B.T.P.S. Security PackageThe B.T.P.S. Security PackageThe B.T.P.S. Security Package
  • Home
  • Git Repos
    • GitHub Page
    • GitLab Page
  • Setup
    • WinRM over HTTPS
    • Installer.ps1 Usage
    • WEF Application
    • Email Alerts
    • Sysmon Setup
  • Donate
    • PayPal
    • LiberPay
  • Report Issues
  • More
    • Home
    • Git Repos
      • GitHub Page
      • GitLab Page
    • Setup
      • WinRM over HTTPS
      • Installer.ps1 Usage
      • WEF Application
      • Email Alerts
      • Sysmon Setup
    • Donate
      • PayPal
      • LiberPay
    • Report Issues

The B.T.P.S. Security Package

The B.T.P.S. Security PackageThe B.T.P.S. Security PackageThe B.T.P.S. Security Package
  • Home
  • Git Repos
  • Setup
  • Donate
  • Report Issues

PDF Viewer

Contents of "Sysmon Setup.pdf" file

Download PDF

Sysmon Setup

Sysmon Files in Domain Controllers Network Share Location

Put Sysmon Files on Your DC's Network Share

The sysmon.bat script will copy the sysmon configuration file (sysmon.xml) to the local location on remote devices as defined in your bat script. If sysmon isn’t running, it will install it using the configuration file sysmon.xml. Create or use a folder on your domain that will be replicated with other domain controllers such as the NETLOGON share, and add the below files to it.  REFERENCE 

  • sysmon.bat 
  • sysmon.exe
  • sysmon.xml (SwiftOnSecurity’s)
  • MacliciousIPChecker.ps1" 

Sysmon Group Policy object that installs the service

Create a Group Policy

Add sysmon.bat as a start up script to other devices in your domain by using Group Policy. The location to add Startup Scripts is at  Computer configuration > Policies > Windows Settings > Scripts > Startup. Then add the network share location to the "Script Name" value and leave the "Script Parameters" section blank  REFERENCE 

Sysmon.xml file in directory

Results

Once successfully pushed out you should be able to see the sysmon.xml file in the location the sysmon.bat file saved it too on the machines in your domain you have the group policy object applied too. Sysmon logs can be viewed inside "Event Viewer" at "Applications and Services Logs > Microsoft > Sysmon > Operational"

REFERENCE

Image representing network search of a domain and IP address

Blacklist and WHOIS Lookup

Create a scheduled task to push out through Group Policy that executes the PowerShell Script MaliciousIPChecker.ps1 once an hour. This will look at the IP Addresses that a device has had connections with over the last hour and then perform a Blacklist check as well as verify the domain is more than 2 years old. If these conditions are not met they will be logged to the Event Viewer in a custom log called MaliciousIPs.

Image of Malicious IP in Task Scheduler

Create Scheduled Task

Finally we will want to add a Scheduled Task to our Group Policy. This task will be used to execute the script "MacliciousIPChecker.ps1" that lookups up information on the collected IP addresses from the Sysmon logs. Any IP addresses that are viewed as malicious will have an event created and than forwarded to the WEF Application. This policy can be set at "Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks". The WEF Application will alert you of any of these events that are recorded.

Copyright © 2020 OsbornePro - All Rights Reserved. 


DISCLAIMER: This suite nor any other security suite or tool can completely prevent or detect all security vulnerabilities. This tool adds monitoring to an environment and may not catch every possible scenario and is no guarantee of discovery.

Questions or Comments: info@osbornepro.com

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

DeclineAccept