Whether you’re a member of your company’s security team or incident response team, you no doubt understand the importance of getting Microsoft’s Sysmon utility installed on your Windows systems. It seems like every few months there is another guide or article published by CISA reemphasizing the importance of deploying Sysmon to help prevent ransomware, or at a minimum, to make Sysmon logs available to incident responders after a compromise.
Fortunately, we here at RDPSoft have created a nifty utility called Sysmundo for system administrators and security team members that makes deploying Sysmon, reconfiguring Sysmon, and uninstalling Sysmon across your Windows systems very easy to do. It does not require any scripting, and all actions are driven by a GUI. Best of all, these specific features do not require you to purchase a license from us – you can use our tool to install, reconfigure, or uninstall Sysmon whenever you need to. Here’s how it works.
Step 1 – Deploying Sysmon
First, download a copy of our Sysmundo utility and install it. When you run Sysmundo for the first time, it will attempt to automatically download the Sysmon and PSExec utilities from the Sysinternals Tools site at Microsoft.
Once you click “OK” to install a copy of Sysmon locally, you will then want to define the group of Windows computers you want to deploy Sysmon to, remotely. You can build a manual list of computers, or you can link to OUs or containers in your Active Directory.
While you’re building your computer groups, we recommend creating a staging computer group that holds a single server or workstation you can use for pre-deployment testing. Deploy Sysmon with a specific configuration file to that test system first, then observe it to get an idea of the logging volume and CPU use that configuration produces. Once you’ve tweaked your Sysmon configuration file the way you want based on your testing results, you can deploy Sysmon to your remaining systems en masse.
With your computers defined, go to the Deployment & Collection menu, and select Deploy/Remove Sysmon on Systems In This Network to launch the Sysmon Deployment Wizard. Choose the Deploy/Redeploy Sysmon On Target Hosts option.
Then, obtain a Sysmon XML configuration file to define what activity Sysmon will log. Conveniently, Sysmundo already has downloadable links to the most popular Sysmon repos on GitHub, such as those maintained by SwiftOnSecurity, Florian Roth, and Olaf Hartong. You can download one of these repo config files, test it, tweak it, and redeploy your refined version as needed.
Finally, select the computers you wish to deploy Sysmon to (with the associated configuration file), click Deploy, and Sysmundo’s wizard will do the rest, leveraging PSExec, another Sysinternals tool.
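One way to do the staging-system check recommended above, as an added example that is not part of Sysmundo or the original post: a PowerShell script, run elevated on the test host, that summarizes Sysmon event volume per event ID, lists the noisiest images (candidates for exclusion rules in the XML config), and reports the Sysmon service process's CPU use. It assumes Sysmon was installed under its default name (Sysmon or Sysmon64) and writes to the standard Microsoft-Windows-Sysmon/Operational log; the event-ID name table is a hand-picked subset.

```powershell
# Added example (not Sysmundo code): gauge Sysmon logging volume and CPU use
# on a staging host before rolling a configuration out to all systems.
# Assumes: elevated session on the staging host, Sysmon installed under its
# default process name, default Microsoft-Windows-Sysmon/Operational log.
param(
    [int]$Hours = 1,   # look-back window
    [int]$Top   = 10   # how many noisy images to list
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Sysmon events in the last $Hours hour(s). Is Sysmon installed and the config loaded?"
    return
}

# Friendly names for a subset of Sysmon event IDs (constructed lookup table).
$names = @{ 1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 7 = 'ImageLoad'; 10 = 'ProcessAccess'
            11 = 'FileCreate'; 12 = 'RegistryAddDelete'; 13 = 'RegistryValueSet'; 22 = 'DnsQuery' }

"Sysmon events in the last $Hours hour(s): $($events.Count) (~$([math]::Round($events.Count / $Hours)) per hour)"

# Volume per event ID: the IDs at the top are where config tuning pays off most.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name }},
                  @{n = 'Type';    e = { $names[[int]$_.Name] }},
                  Count |
    Format-Table -AutoSize

# Noisiest images for ProcessCreate (1) and NetworkConnect (3), pulled from the
# event XML: typical candidates for exclusion rules before mass deployment.
$events | Where-Object { $_.Id -in 1, 3 } | ForEach-Object {
    [xml]$x = $_.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq 'Image').'#text'
} | Group-Object | Sort-Object Count -Descending |
    Select-Object -First $Top Name, Count | Format-Table -AutoSize

# CPU time and memory of the Sysmon service process on this host.
Get-Process -Name 'Sysmon*' -ErrorAction SilentlyContinue |
    Select-Object Name, Id,
                  @{n = 'CPUSeconds';   e = { [math]::Round($_.CPU, 1) }},
                  @{n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) }}
```

Run it once shortly after the test deployment and again after each config tweak; a drop in the per-hour count and in the top-image list confirms the exclusion rules took effect.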
Step 2 – Reconfiguring Sysmon
Undoubtedly, the scope of activities you want to audit with Sysmon will change over time. New programs may generate events that are not relevant, and you’ll need to suppress them by tweaking your Sysmon XML config file. When that time comes, you can quickly push out your new config file to all of the systems in your computer groupings. As noted in the section on deploying Sysmon above, you’ll want to test a new configuration file on a staging system first, before deploying it to all of your computers.
Launch the Sysmon Deployment Wizard again, and this time select the Change Sysmon Config File on Target Hosts option. Select your new Sysmon config file and the servers you are reconfiguring, and then click the Deploy button. All selected Sysmon hosts will be reconfigured to use the new configuration file immediately.
Step 3 – Uninstalling Sysmon
Once you have Sysmon deployed on your Windows systems as part of your incident response strategy, chances are you won’t be in a rush to uninstall Sysmon any time soon. And of course, if you need to install a newly released version of Sysmon, you can choose the Deploy/Redeploy Sysmon on Target Hosts option of Sysmundo’s wizard instead.
However, should you need to remove Sysmon from one or more of your systems, launch the Sysmon Deployment Wizard, and this time choose the Remove Sysmon From Target Hosts option. Then, select the computer groups you want to remove Sysmon from, and click the Remove button.
Next Steps
With Sysmon deployed successfully and easily to your Windows systems, the next step is to centrally collect and index that data, so that you can build reports, examine user and program behavior, hunt for threats and search for indicators of compromise, and respond to any incidents. The licensed version of Sysmundo helps you do just that, without requiring you to pay the ingestion or storage costs of a traditional SIEM solution. To learn more, watch this Setting Up Sysmundo video, and please visit the links below to download and/or start a subscription to our tool.