Deploy Winlogbeat / Sysmon Using GPO
Overview:
Active Directory Group Policy Objects (GPOs) can be used to push Micro-Agent (Winlogbeat) and Sysmon to end-machines (Windows computers) that are members of the domain. This guide walks through the steps needed to:
Prepare a distribution point in Active Directory (AD) for the installation package
Prepare the deployment scripts as per environment
Create a Group Policy Object to deploy the package & link the GPO to the appropriate Organizational Unit(s)
Force a Group Policy update on the client computer to test the deployment
Requirements:
The following requirements should be met before using this document:
Existing Active Directory infrastructure with defined Organizational Units (OUs)
End-machines (Windows computers) must be joined to the domain and have network connectivity to a domain controller so they can receive Group Policy updates (and reach the distribution share described below)
Document was prepared using the following Azure lab environment:
Domain Controller: Microsoft Windows Server 2016
End-Machines: Microsoft Windows 10 64bit
Technical terms used interchangeably throughout this document:
Micro-Agent: Winlogbeat
Sysmon: System Monitor (Sysinternals Sysmon)
Note: There may be minor variation in the screens and steps mentioned, if you are using different versions of Windows, but the process is generally the same.
Preparing the distribution point to push the packages:
Copy the provided Micro-Agent package (and the Sysmon binaries/configuration) to a folder on the domain controller.
On the domain controller, navigate to the location where the Micro-Agent package was copied and create a read-only share that is accessible by all end-machines.
Follow the steps below to create a shared folder (distribution point) with read-only access:
Right click the “Micro-Agent” folder, open its Properties window, change to the ‘Sharing’ tab and click ‘Advanced Sharing’.
In the ‘Advanced Sharing’ window, check “Share this folder” and provide the share name. Click ‘Permissions’ (underneath the Comments field), which opens a new window for setting permissions on the share. Grant only “Read” to Everyone (or, more narrowly, to Domain Computers, since the scheduled task created later runs as SYSTEM and reaches the share as the computer account), make sure nobody except administrators has Change or Full Control, and apply the changes. Check the NTFS permissions on the folder as well: the effective permission is the more restrictive of share and NTFS, but a writable folder still lets a local user on the server modify the scripts.
This matters because the deployment scripts on this share are executed as SYSTEM on every domain computer: anyone who can write to the share can run arbitrary code, as SYSTEM, on every machine the GPO is linked to.
The share should now be reachable from all end-machines via a UNC path such as “\\<server>\<share name>” with read-only access.
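The same distribution point can be created from PowerShell, which makes the permissions explicit and easy to audit. This is an added example, not part of the original guide: it assumes the package was copied to C:\Deployments\Micro-Agent on the domain controller and that the share is called “deployments” (matching the UNC path used later in this guide); adjust both to your environment.

```powershell
# Added example: create the read-only distribution point with explicit share and NTFS ACLs.
# Assumptions: package lives under C:\Deployments, share name "deployments", ActiveDirectory module present.
Import-Module ActiveDirectory
$Root      = 'C:\Deployments'
$ShareName = 'deployments'
$Domain    = (Get-ADDomain).NetBIOSName

# 1. Share permissions. The deployment task runs as SYSTEM, which accesses the share as the
#    computer account, so "Domain Computers" with Read is all the clients need. Only Domain Admins
#    get Full so they can update the package; nobody else may write, because whatever is on this
#    share is executed as SYSTEM on every domain machine.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root `
                 -ReadAccess "$Domain\Domain Computers" `
                 -FullAccess "$Domain\Domain Admins" | Out-Null
}

# 2. NTFS permissions: stop inheriting, then grant read-only to Domain Computers and full control
#    only to Administrators and SYSTEM. Share ACLs alone do not stop local writes on the server.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited ACEs
$rules = @(
    @('BUILTIN\Administrators',   'FullControl'),
    @('NT AUTHORITY\SYSTEM',      'FullControl'),
    @("$Domain\Domain Computers", 'ReadAndExecute')
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Root -AclObject $acl

# 3. Verify: review both lists; only Administrators/SYSTEM/Domain Admins should hold write rights.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight, AccessControlType -AutoSize
(Get-Acl -Path $Root).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the Sysmon binaries and configuration are stored on the same share, the same read-only rule applies to them: a writable Sysmon configuration lets an attacker silently blind the sensor on every host.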
Create a Group Policy Object to deploy the package:
This section details how to configure the Group Policy Object (GPO) and the Scheduled Tasks required for pushing/deploying the Micro-Agent and Sysmon packages.
Open ‘Group Policy Management’ console from a machine that has access to Active Directory.
{Windows Key} + R to open the Run dialog
Type “gpmc.msc” in the “Open” field
Click the “Ok” button
In the Group Policy Management console, select the OU you would like to link the new GPO to and create a new GPO while linking it. In our example we will link the GPO at the domain level.
Expand the Forest
Expand the Domains node
Right click on your domain
Click on the “Create a GPO in this domain, and Link it here…” menu item.
In the New GPO screen, name the GPO. In this case we will use (C)_Win_All_MicroAgentDeployment, which stands for (Computer-based GPO) / Windows systems / All (workstations and servers) / description of the GPO (MicroAgentDeployment).
Type “(C)_Win_All_MicroAgentDeployment” in the Name field
Click on the “Ok” button
In the Group Policy Management console, select the newly created GPO and update its details to disable the User configuration settings (the policy only carries computer settings, so there is no reason to process the user half)
Click on the newly created Group Policy Object
Click the “Details” tab in the right window pane
Click the “GPO Status” drop down list
Select the “User configuration settings disabled” menu item
Click the “Ok” button
In the (Group Policy Management console screen), select the newly created GPO and edit the policy settings
Right click on the newly created Group Policy Object
Click on “Edit” in the menu list
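The GPO creation, status change and link from the steps above can also be done with the GroupPolicy PowerShell module (installed with the Group Policy Management feature). This is an added example, not part of the original guide; it uses the GPO name from this guide and links at the domain root as the GUI steps do. Pass an OU distinguished name as the target instead to scope the deployment more narrowly.

```powershell
# Added example: create, configure and link the deployment GPO with the GroupPolicy module.
# Assumptions: GroupPolicy and ActiveDirectory modules are available; link target is the domain root.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = '(C)_Win_All_MicroAgentDeployment'
$Target  = (Get-ADDomain).DistinguishedName    # e.g. DC=corp,DC=example; use an OU DN to narrow scope

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deploys Micro-Agent (Winlogbeat) and Sysmon via scheduled tasks'
}

# Computer-side policy only: equivalent to "User configuration settings disabled" in the Details tab.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link it (enabled) unless a link to this target already exists.
$existing = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes | Out-Null
}

# Verify status and link.
Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus, Id
(Get-GPInheritance -Target $Target).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

The Scheduled Task preference items in the following steps are Group Policy Preferences and are configured in the editor as described; the module above creates and links the GPO but does not populate those items.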
In the Group Policy Management Editor window for (C)_Win_All_MicroAgentDeployment, create a new Scheduled Task
Click the “Computer Configuration” menu item
Click the “Preferences” menu item
Click the “Control Panel Settings” menu item
Right click on the “Scheduled Tasks” menu item
Click on the “New” menu item
Click on the “Scheduled Task (At least Windows 7)”
In the New Task (At least Windows 7) Properties screen, update the General settings for the new Task.
Select “Replace” in the “Action” drop down list (the task is deleted and recreated on every Group Policy refresh, which is what re-triggers the deployment)
Type a name for this Task in the “Name” field. In this case we will type “AgentDeployment”
Click the “Change User or Group…” button
Type “System” in the “Enter the object name to select” field
Press the “Check Names” button
Click the “Ok” button
Select the “Run whether user is logged on or not” radio button
Check the “Run with highest privileges” check box
Check the “Hidden” check box
Select “Windows® 7, Windows Server™ 2008 R2” in the “Configure for” drop down list
Select the “Triggers” Tab
In the New Task (At least Windows 7) Properties screen, update the Triggers settings for the new Task.
Click on the “New…” button
Select “At task creation/modification” in the “Begin the task” drop down list
Check the “Stop task if it runs longer than” and Select “1 hour” from the drop down list
Check the “Activate” check box. Leave the default item, which should be the current time
Check the “Enabled” check box
Click the “Ok” button
Select the “Actions” tab
In the New Task (At least Windows 7) Properties screen, update the Actions settings for the new Task.
Click on the “New…” button
Select “Start a program” in the “Action” drop down list
Type the path and program name below in the “Program/Script” field. For this instance we are running
C:\Windows\System32\cmd.exe
Type the arguments below in the “Add arguments (optional)” field. Note that the path is the path to your network share where the deploy script is located. For this instance, it is a UNC path on NYCWTSTADC001.
/c \\NYCWTSTADC001\deployments\Micro-Agent\Deploy_Agent.bat
Click the “Ok” button
In the New Task (At least Windows 7) Properties screen, add the 2nd Action to the same Task.
Click on the “New…” button
Select “Start a program” in the “Action” drop down list
Type the path and program name below in the “Program/Script” field. For this instance, we are running
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type the arguments below in the “Add arguments (optional)” field. Note: this writes a log file recording every time the job has run. Because the task runs as SYSTEM, $Env:TEMP resolves to C:\Windows\Temp, so look for the log there rather than in a user’s temp folder.
-c $('Processed Job {0} as of {1}' -f 'AgentDeployment', $(Get-Date)) | Out-File -FilePath $('{0}\{1}_GPO_Status.log' -f $Env:TEMP, '(C)_Win_All_MicroAgentDeployment') -Force
Note: AgentDeployment is the name of the Scheduled Task we defined earlier.
Note: (C)_Win_All_MicroAgentDeployment is the name of the GPO we defined earlier. Make sure this matches the name of your GPO so the log file name makes sense.
Click the “Ok” button
In the New Task (At least Windows 7) Properties screen, add the 3rd and final Action to the same Task.
Click on the “New…” button
Select “Start a program” in the “Action” drop down list
Type the path and program name below in the “Program/Script” field. For this instance, we are running
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type the arguments below in the “Add arguments (optional)” field. Note: this removes the Scheduled Task once it has run. Because the preference item uses the “Replace” action, the next Group Policy refresh recreates the task and its “At task creation/modification” trigger fires again, so Deploy_Agent.bat is executed on every refresh and must be safe to run repeatedly (for example, check whether the agent is already installed before installing it).
-c start -FilePath 'schtasks.exe' -ArgumentList '/Delete /TN "AgentDeployment" /F'
Note: AgentDeployment is the name of the Scheduled Task we defined earlier. If you change the name of the Scheduled Task, change it here as well or the task will not be deleted.
Click the “Ok” button
Select the “Settings” tab
In the New Task (At least Windows 7) Properties screen, update the Settings configuration.
Check the “Allow task to be run on demand” check box
Check the “Run task as soon as possible after a scheduled start is missed” check box
Check the “Stop the task if it runs longer than” check box and select “1 hour” from the drop down list
Check the “If the running task does not end when requested, force it to stop” check box
Select “Do not start a new instance” from the “If the task is already running, then the following rule applies” drop down list
Click on the “Ok” button
Now create a second Scheduled Task in the same GPO for Sysmon (Computer Configuration > Preferences > Control Panel Settings > right click Scheduled Tasks > New > Scheduled Task (At least Windows 7)). In the New Task (At least Windows 7) Properties screen, update the General settings for this new Task.
1. Select “Replace” in the “Action” drop down list
2. Type a name for this Task in the “Name” field. In this case we will type “SysMonDeployment”
3. Select the “Change User or Group…” button
4. Type “System” in the “Enter the object name to select” field
5. Press the “Check Names” button
6. Click the “Ok” button
7. Select the “Run whether user is logged on or not” radio button
8. Check the “Run with highest privileges” check box
9. Check the “Hidden” check box
10. Select “Windows® 7, Windows Server™ 2008 R2” in the “Configure for” drop down list
11. Select the “Triggers” Tab

In the New Task (At least Windows 7) Properties screen, update the Triggers settings for the new Task.
1. Click on the “New…” button
2. Select “At task creation/modification” in the “Begin the task” drop down list
3. Check the “Stop task if it runs longer than” and Select “1 hour” from the drop down list
4. Check the “Activate” check box. Leave the default item, which should be the current time
5. Check the “Enabled” check box
6. Click the “Ok” button
7. Select the “Actions” tab

In the New Task (At least Windows 7) Properties screen, update the Actions settings for the new Task.
1. Click on the “New…” button
2. Select “Start a program” in the “Action” drop down list
3. Type the path and program name below in the “Program/Script” field. For this instance we are running
i. C:\Windows\System32\cmd.exe
4. Type the arguments below in the “Add arguments (optional)” field. Note that the path is the path to your network share where the deploy script is located. For this instance, it is a UNC path on NYCWTSTADC001.
i. /c \\NYCWTSTADC001\deployments\Micro-Agent\Deploy_Sysmon.bat
5. Click the “Ok” button

In the New Task (At least Windows 7) Properties screen, add the 2nd Action to the same Task.
1. Click on the “New…” button
2. Select “Start a program” in the “Action” drop down list
3. Type the path and program name below in the “Program/Script” field. For this instance, we are running
i. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4. Type the arguments below in the “Add arguments (optional)” field. Note: this writes a log file recording every time the job has run. As with the first task, $Env:TEMP is C:\Windows\Temp when running as SYSTEM.
i. -c $('Processed Job {0} as of {1}' -f 'SysMonDeployment', $(Get-Date)) | Out-File -FilePath $('{0}\{1}_GPO_Status.log' -f $Env:TEMP, '(C)_Win_All_SysMonDeployment') -Force
ii. Note: SysMonDeployment is the name of the Scheduled Task we defined earlier.
iii. Note: (C)_Win_All_SysMonDeployment is only the label used for this log file name. Both tasks live in the same GPO in this guide, so pick labels that let you tell the two log files apart.
5. Click the “Ok” button

In the New Task (At least Windows 7) Properties screen, add the 3rd and final Action to the same Task.
1. Click on the “New…” button
2. Select “Start a program” in the “Action” drop down list
3. Type the path and program name below in the “Program/Script” field. For this instance, we are running
i. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4. Type the arguments below in the “Add arguments (optional)” field. Note: this removes the Scheduled Task once it has run, so the next Group Policy refresh recreates it and kicks off the script again. Deploy_Sysmon.bat therefore runs on every refresh and must be safe to run repeatedly.
i. -c start -FilePath 'schtasks.exe' -ArgumentList '/Delete /TN "SysMonDeployment" /F'
ii. Note: SysMonDeployment is the name of the Scheduled Task we defined earlier. If you change the name of the Scheduled Task, change it here as well or the task will not be deleted.
5. Click the “Ok” button
6. Select the “Settings” tab

In the New Task (At least Windows 7) Properties screen, update the Settings configuration.
1. Check the “Allow task to be run on demand” check box
2. Check the “Run task as soon as possible after a scheduled start is missed” check box
3. Check the “Stop the task if it runs longer than” check box and select “1 hour” from the drop down list
4. Check the “If the running task does not end when requested, force it to stop” check box
5. Select “Do not start a new instance” from the “If the task is already running, then the following rule applies” drop down list
6. Click on the “Ok” button
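The tasks above only launch Deploy_Agent.bat and Deploy_Sysmon.bat from the share; this guide does not show those scripts. Because the task self-deletes and is recreated on every Group Policy refresh, the scripts must be idempotent. The following is an added example, not the vendor-provided Deploy_Sysmon.bat: an idempotent Sysmon installer that a wrapper batch file can call with `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "\\NYCWTSTADC001\deployments\Micro-Agent\Deploy_Sysmon.ps1"`. The share path, the file names and the configuration file name (sysmonconfig.xml) are assumptions.

```powershell
# Added example (hypothetical Deploy_Sysmon.ps1): install Sysmon once, then only refresh its
# configuration on later runs. Runs as SYSTEM from the GPO scheduled task.
$Share   = '\\NYCWTSTADC001\deployments\Micro-Agent'          # assumption: same share as the .bat files
$Config  = Join-Path $Share 'sysmonconfig.xml'                 # assumption: config file name
$Exe     = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$SvcName = [IO.Path]::GetFileNameWithoutExtension($Exe)        # Sysmon names its service after the binary
$Log     = Join-Path $env:SystemRoot 'Temp\Deploy_Sysmon.log'  # SYSTEM's %TEMP% is C:\Windows\Temp

function Write-Log ([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

try {
    if (-not (Test-Path -Path $Config)) { throw "configuration not reachable at $Config" }

    # Copy the binary locally so the installed service never depends on the share being reachable.
    $Local = Join-Path $env:SystemRoot "Temp\$Exe"
    Copy-Item -Path (Join-Path $Share $Exe) -Destination $Local -Force

    # Supply-chain check: Sysinternals binaries are Authenticode-signed by Microsoft. Refuse to
    # install anything that is unsigned or tampered with, even though it came from our own share.
    $sig = Get-AuthenticodeSignature -FilePath $Local
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "refusing to install $Exe: signature status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
    }

    if (-not (Get-Service -Name $SvcName -ErrorAction SilentlyContinue)) {
        Write-Log "installing $Exe with $Config"
        & $Local -accepteula -i $Config | Out-Null          # first run: install driver + service
    } else {
        Write-Log "$SvcName already present; refreshing configuration"
        & $Local -c $Config | Out-Null                      # later runs: update config only
    }

    if ((Get-Service -Name $SvcName -ErrorAction Stop).Status -ne 'Running') {
        Start-Service -Name $SvcName
    }
    Write-Log "done: $SvcName is $((Get-Service -Name $SvcName).Status)"
    exit 0
}
catch {
    Write-Log "FAILED: $_"
    exit 1
}
```

The `-c` branch is what makes repeated runs cheap and safe: it pushes configuration changes from the share to every host on the next refresh without reinstalling the driver. The same pattern (test for the service, install only if absent) applies to the Micro-Agent script.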

Test Deployment via GPO:
Manually push and test the GPO on one end-machine, which should deploy Micro-Agent and Sysmon through the Scheduled Tasks configured earlier.
1. Log on to a specific end-machine and launch an elevated command prompt.
2. Run “gpupdate /force” to force a Group Policy update.
3. Successful execution of “gpupdate /force” should pull the respective group policies from AD, and the deployment tasks AgentDeployment and SysMonDeployment should appear in the Task Scheduler on the end-machine. They are only present until they run: each task deletes itself as its last action, so if they are already gone, check the *_GPO_Status.log files in C:\Windows\Temp (SYSTEM’s %TEMP%) to confirm they executed.
4. Upon successful execution of the tasks, you should see the ‘Sysmon’ (or ‘Sysmon64’, depending on which binary was installed) service and the Micro-Agent (Winlogbeat) service installed and running on the end-machine.
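The checks in the test steps above, gathered into one script that can be run in an elevated PowerShell on the test client. This is an added example, not part of the original guide; it uses the GPO and task names from this guide, and assumes the Micro-Agent service is named “winlogbeat” (the name created by the install-service-winlogbeat.ps1 script shipped with Winlogbeat); adjust the names if your package differs.

```powershell
# Added example: verify the GPO deployment on a test client (run elevated).
$GpoName = '(C)_Win_All_MicroAgentDeployment'
$Tasks   = 'AgentDeployment', 'SysMonDeployment'

# 1. Refresh computer policy only (the GPO has user settings disabled anyway).
gpupdate /target:computer /force | Out-Null

# 2. Was the GPO applied to this computer? Look for it under "Applied Group Policy Objects";
#    if it shows up under the "filtered out" list instead, check links, security filtering and WMI filters.
gpresult /scope computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,6

# 3. Tasks are present only between the refresh and their own self-deletion.
foreach ($t in $Tasks) {
    $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
    if ($task) { "$t : present, state $($task.State)" }
    else       { "$t : not present (already ran and self-deleted, or never created)" }
}

# 4. Status logs written by the tasks: the task runs as SYSTEM, so $Env:TEMP was C:\Windows\Temp.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Temp') -Filter '*_GPO_Status.log' -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.Name): $(Get-Content -Path $_.FullName -Tail 1)" }

# 5. Services: Sysmon or Sysmon64 (named after the installed binary) and the Micro-Agent service.
Get-Service -Name Sysmon, Sysmon64, winlogbeat -ErrorAction SilentlyContinue |
    Format-Table Name, Status, StartType -AutoSize

# 6. Proof that Sysmon is actually producing telemetry: the newest process-creation event (ID 1).
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName
```

A service that exists but is stopped, or a Sysmon log with no recent Event ID 1 entries, means the package was installed but is not doing its job; treat that as a failed deployment even though the GPO itself applied.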