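# Installs Sysinternals Autoruns and Sysmon on a Windows host, installs Sysmon with the
# sysmon-modular configuration, and makes the Sysmon event log channel readable for
# collectors. Intended to run once, elevated (Sysmon install and wevtutil need admin).
#
# Side effects: creates C:\Tools\Sysinternals and C:\ProgramData\Sysmon, writes three
# downloaded files, installs the Sysmon64 driver/service, rewrites the channel ACL of
# Microsoft-Windows-Sysmon/Operational. Exits early (without error) if either directory exists.
#
# Optional: set $expectedConfigSha256 to pin the Sysmon config. The config is fetched from
# the *master* branch of a third-party repo, i.e. a moving target that is executed as a
# kernel-driver filter policy; a production deployment should pin a commit/raw URL and
# set the hash here. When left empty no hash check is performed (original behavior).
$expectedConfigSha256 = ''

# Fail fast: without this a failed download leaves a zero-byte/missing file and the
# script carries on to install it.
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $Message"
}

# Downloads a URL to a path using the same WebClient mechanism as the original script.
function Get-RemoteFile([string]$Uri, [string]$Destination) {
    (New-Object System.Net.WebClient).DownloadFile($Uri, $Destination)
}

# Refuses to proceed with an executable that is not carrying a valid Microsoft
# Authenticode signature. Sysinternals binaries are signed; a TLS-terminating proxy,
# CDN compromise or a truncated download would fail this check rather than get installed.
function Assert-MicrosoftSigned([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
    }
    # Subject check so a validly signed binary from *any* publisher is not accepted.
    if ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        throw "Unexpected signer for ${Path}: $($sig.SignerCertificate.Subject)"
    }
}

Write-Log "Installing SysInternals Tooling..."
$sysinternalsDir = "C:\Tools\Sysinternals"
$sysmonDir = "C:\ProgramData\Sysmon"

# Presence of either directory is treated as "already installed"; no re-install is attempted.
If(!(test-path $sysinternalsDir)) {
    New-Item -ItemType Directory -Force -Path $sysinternalsDir
} Else {
    Write-Log "Tools directory exists, no need to re-install. Exiting."
    exit
}

If(!(test-path $sysmonDir)) {
    New-Item -ItemType Directory -Force -Path $sysmonDir
} Else {
    Write-Log "Sysmon directory exists, no need to re-install. Exiting."
    exit
}

$autorunsPath = "C:\Tools\Sysinternals\Autoruns64.exe"
$sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
$sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"

# live.sysinternals.com requires TLS 1.2; older .NET defaults to TLS 1.0/SSL3.
# Note this *replaces* the protocol set rather than OR-ing into it, which is fine here:
# it forbids the weaker protocols for the rest of this process.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Write-Log "Downloading Autoruns64.exe..."
Get-RemoteFile 'https://live.sysinternals.com/Autoruns64.exe' $autorunsPath
Assert-MicrosoftSigned $autorunsPath

Write-Log "Downloading Sysmon64.exe..."
Get-RemoteFile 'https://live.sysinternals.com/Sysmon64.exe' $sysmonPath
Assert-MicrosoftSigned $sysmonPath
Copy-Item $sysmonPath $sysmonDir

Write-Log "Downloading Sysmon config..."
Get-RemoteFile 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml' $sysmonConfigPath
if ($expectedConfigSha256) {
    $actual = (Get-FileHash -Algorithm SHA256 -Path $sysmonConfigPath).Hash
    if ($actual -ne $expectedConfigSha256.ToUpperInvariant()) {
        throw "Sysmon config hash mismatch: expected $expectedConfigSha256, got $actual"
    }
}

# Start Sysmon. -Wait/-PassThru so a non-zero installer exit is caught instead of being
# masked by the service check (which would only report a vague "did not start").
Write-Log "Starting Sysmon..."
$proc = Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath" -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Sysmon64.exe -i exited with code $($proc.ExitCode)"
}

Write-Log "Verifying that the Sysmon service is running..."
Start-Sleep 5 # Give the service time to start
If ((Get-Service -name Sysmon64).Status -ne "Running")
{
    throw "The Sysmon service did not start successfully"
}

# Make the event log channel readable. For some reason this doesn't work in the GPO and only works when run manually.
# /ca replaces the channel's whole DACL. Rights: 0x1 = read, 0x5 = read + clear. Grants:
#   BA (Administrators)        read + clear
#   S-1-5-20 (NETWORK SERVICE) read   - typical identity of agents/forwarders
#   S-1-5-32-573 (Event Log Readers) read
# NOTE(review): the DACL written here contains no ACE for SYSTEM; confirm against the
# channel's default SDDL on a reference host that this is intended before deploying widely.
wevtutil sl Microsoft-Windows-Sysmon/Operational "/ca:O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil failed to set the channel ACL (exit code $LASTEXITCODE)"
}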