Many errors when install

README.md

@@ -1,34 +1,58 @@
-# sysmon-config | A Sysmon configuration file for everybody #
+# Sysmon ATT&CK Configuration #
+The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Please beware that you may need to fine tune and add exclusions depending on your environment. High CPU usage may be seen if exclusions are not added and one or more rules are firing off multiple times every second. 
 
-This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
+      **[sysmonconfig-export.xml](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)**
 
-The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon.
+Pull requests and issue tickets are welcomed. Any new additions will be credited in-line or on Git. Tag your name with Author=YourName within the rulename field.
 
-      **[sysmonconfig-export.xml](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**
+This Sysmon ATT&CK Configuration is designed "Explicitly" to enrich your SIEM for threat intelligence, forensics, and UEBA use cases. You'll want to create a key-value parser for the
+rulename field to create field names per event within your SIEM.  
+Ideally this is best used with an Alerting Repository/Index where the "Alert=" field is marked and a non-alerting visibility index/repository where threat hunting and investigations can be done 
+that contains added context and story line information of user behavior and activity leading up to an attack. Non-Alerting visibility rules are tagged with "Desc=" and "Forensic=" and are
+meant to provide contextual information for analysts to build cases and identify what is happening with SIEM enrichments. Some of these non-alerting visibility rules can be graduated 
+to the Alerting rules or can be used with correlation rules within a SIEM/SOAR/XDR.  
 
-Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems. It demonstrates a lot of what I wish I knew when I began with Sysmon in 2014.
+The goal with this configuration is a "Control" configuration that provides ultimate visibility that should be ran in conjunction with an EDR.  
+As we know, allot of EDR's today provide little contextual information, forensic information that is tagged, categorized, risk rated, and some alerts EDR vendors choose to not alert
+on due to the differences between each environment and how hard it is to baseline some detections. There is many use cases where EDR's fall short. They are not the greatest at 
+identifying suspicious activity that may fall short of being labeled as malicious. The goal here is to detect all common user activity that would lead to exfiltration, infiltration, 
+malware, malicious activity, and questionable activity. If a user is poking around the registry, sending data to cloud storage, downloading and executing random attachments and files, and/or
+copying files, we want to know. We also want to leave an audit trail by monitoring the registry, artifact locations, and provide our forensic analysts as much detail as possible.
 
-Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git.
+If you have forensic registry keys, file locations, artifacts, behavior detections, and anything that may be beneficial here, feel free to put in a pull request.  
+The goal here is as much visibility as possible with accurate alerts that are not noisy.  
 
-Note: Exact syntax and filtering choices are deliberate to catch appropriate entries and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of every possible important area.
-
-You can contact @SwiftOnSecurity on Twitter for any urgent questions or issues.
 
 ## Use ##
+
+### Auto Install with Auto Update Script ###
+The two below PowerShell scripts that are contained in this repo will download and install Sysmon and the config along with creating a scheduled task to run hourly to update the config.
+~~~~
+Sysmon Install.ps1
+SysmonUpdateConfig.ps1
+~~~~
+
 ### Install ###
-Run with administrator rights
+Run with administrator rights.
 ~~~~
 sysmon.exe -accepteula -i sysmonconfig-export.xml
 ~~~~
 
-### Update existing configuration ###
-Run with administrator rights
+### Update Existing Configuration ###
+Run with administrator rights.
 ~~~~
 sysmon.exe -c sysmonconfig-export.xml
 ~~~~
 
 ### Uninstall ###
-Run with administrator rights
+Run with administrator rights.
 ~~~~
 sysmon.exe -u
 ~~~~
+
+## Hide Sysmon from services.msc ##
+~~~~
+Hide:
+sc sdset Sysmon D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
+Restore:
+sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Sysmon Install.ps1

@@ -0,0 +1,60 @@
+#Author: NerbalOne
+#This PowerShell script will first create the Sysmon folder if it does not exist. It will then download Sysmon.exe, which supports both 32 bit and 64 bit, along with the Sysmon config and Sysmon Update script. It will then install Sysmon with the config and create a Scheduled Task to run hourly to update the Sysmon config.
+
+# Define Sysmon URLs
+$sysmonURL = "https://live.sysinternals.com/sysmon.exe"
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
+$sysmonUpdateConfig = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/SysmonUpdateConfig.ps1"
+
+# Define Local Path for Sysmon File and Sysmon Config
+$sysmonPath = "C:\Programdata\Sysmon\sysmon.exe"
+$sysmonConfigPath = "C:\Programdata\Sysmon\sysmonconfig-export.xml"
+$sysmonUpdatePath = "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"
+$sysmonFolderPath = "C:\ProgramData\Sysmon\"
+
+# Create Sysmon Folder if it Doesn't Exist
+if (-not (Test-Path $sysmonFolderPath)) {
+    # Create the Folder
+    try {
+        New-Item -ItemType Directory -Path $sysmonFolderPath -Force
+        Write-Host "Folder created successfully at $folderPath"
+    }
+    catch {
+        Write-Host "Error creating the folder: $_"
+    }
+}
+else {
+    Write-Host "The folder already exists at $folderPath"
+}
+
+# Download Sysmon, Config, and Update Script
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+Invoke-WebRequest -Uri $sysmonURL -OutFile $sysmonPath
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+Invoke-WebRequest -Uri $sysmonUpdateConfig -OutFile $sysmonUpdatePath
+
+# Install Sysmon with Config
+Start-Process -FilePath $sysmonPath -ArgumentList "-accepteula -i $sysmonConfigPath" -NoNewWindow -Wait
+
+# Create a New Scheduled Task
+Start-Process schtasks.exe -ArgumentList '/Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR "powershell.exe -ExecutionPolicy Bypass -File "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"" /f' -Wait -WindowStyle Hidden
+Start-Process schtasks.exe -ArgumentList '/Run /TN Update_Sysmon_Rules' -Wait -WindowStyle Hidden
+
+# Define Sysmon service Name
+$sysmonServiceName = "Sysmon"
+
+# Check if Sysmon Service Exists
+try {
+    $service = Get-Service -Name $sysmonServiceName -ErrorAction Stop
+    Write-Output "Sysmon service exists"
+} catch {
+    Throw "Sysmon service does not exist"
+}
+
+# Check if Scheduled Task is Created Successfully
+try {
+    $task = Get-ScheduledTask -TaskName "Update_Sysmon_Rules" -ErrorAction Stop
+    Write-Output "Scheduled task created successfully"
+} catch {
+    Throw "Scheduled task creation failed"
+}

SysmonUpdateConfig.ps1

@@ -0,0 +1,24 @@
+#Author: NerbalOne
+#This PowerShell script will first download the latest Sysmon config. Then it will apply this config to Sysmon.
+
+# Define Sysmon Path
+$sysmonPath = "C:\ProgramData\Sysmon\sysmon.exe"
+$sysmonConfigPath = "C:\ProgramData\Sysmon\sysmonconfig-export.xml"
+
+# Define Sysmon Config URL
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
+
+# Download the Latest Sysmon Config
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+
+# Run sysmon.exe with Config
+& $sysmonPath -c $sysmonConfigPath
+
+# Check the Exit Code of the Previous Command
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Sysmon executed successfully."
+} else {
+    Write-Output "Sysmon execution failed."
+}
+

Sysmon_Installer.ps1

@@ -0,0 +1,82 @@
+#Author: NerbalOne
+#This PowerShell script will first create the Sysmon folder if it does not exist. It will then identify which OS architecture the endpoint is running and download the appropriate Sysmon version along with the Sysmon config and Sysmon Update script. It will then install Sysmon with the config and create a Scheduled Task to run hourly to update the Sysmon config.
+#You may have issues while running this script on Windows Server 2012 R2 servers as it seems this server version only works with the Sysmon.exe and not the Sysmon64.exe with the newer Sysmon versions. 
+
+# Define Sysmon URLs
+$sysmon32URL = "https://live.sysinternals.com/sysmon.exe"
+$sysmon64URL = "https://live.sysinternals.com/sysmon64.exe"
+$sysmonConfigURL = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
+$sysmonUpdateConfig = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/SysmonUpdateConfig.ps1"
+
+# Define Local Path for Sysmon File and Sysmon Config
+$sysmon32Path = "C:\Programdata\Sysmon\sysmon.exe"
+$sysmon64Path = "C:\Programdata\Sysmon\sysmon64.exe"
+$sysmonConfigPath = "C:\Programdata\Sysmon\sysmonconfig-export.xml"
+$sysmonUpdatePath = "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"
+$sysmonFolderPath = "C:\ProgramData\Sysmon\"
+
+# Create Sysmon Folder if it Doesn't Exist
+if (-not (Test-Path $sysmonFolderPath)) {
+    # Create the Folder
+    try {
+        New-Item -ItemType Directory -Path $sysmonFolderPath -Force
+        Write-Host "Folder created successfully at $folderPath"
+    }
+    catch {
+        Write-Host "Error creating the folder: $_"
+    }
+}
+else {
+    Write-Host "The folder already exists at $folderPath"
+}
+
+# Check OS Architecture
+$OSArchitecture = (Get-WmiObject -Query "Select * from Win32_OperatingSystem").OSArchitecture
+
+# Download Sysmon Update Script
+Invoke-WebRequest -Uri $sysmonUpdateConfig -OutFile $sysmonUpdatePath
+
+# Download Sysmon Config
+Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath
+
+# Depending on the OS Architecture, Download and Install Sysmon
+if ($OSArchitecture -eq "32-bit") {
+    # Download Sysmon 32 bit
+    Invoke-WebRequest -Uri $sysmon32URL -OutFile $sysmon32Path
+
+    # Install Sysmon with Config
+    Start-Process -FilePath $sysmon32Path -ArgumentList "-accepteula -i $sysmonConfigPath" -NoNewWindow -Wait
+
+} elseif ($OSArchitecture -eq "64-bit") {
+    # Download Sysmon 64 bit
+    Invoke-WebRequest -Uri $sysmon64URL -OutFile $sysmon64Path
+
+    # Install Sysmon with Config
+    Start-Process -FilePath $sysmon64Path -ArgumentList "-accepteula -i $sysmonConfigPath" -NoNewWindow -Wait
+
+} else {
+    Write-Output "Unsupported architecture: $OSArchitecture"
+}
+
+# Create a New Scheduled Task
+Start-Process schtasks.exe -ArgumentList '/Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR "powershell.exe -ExecutionPolicy Bypass -File "C:\Programdata\Sysmon\SysmonUpdateConfig.ps1"" /f' -Wait -WindowStyle Hidden
+Start-Process schtasks.exe -ArgumentList '/Run /TN Update_Sysmon_Rules' -Wait -WindowStyle Hidden
+
+# Define Sysmon service Name Based on OS Architecture
+$sysmonServiceName = if ($OSArchitecture -eq "64-bit") { "Sysmon64" } else { "Sysmon" }
+
+# Check if Sysmon Service Exists
+try {
+    $service = Get-Service -Name $sysmonServiceName -ErrorAction Stop
+    Write-Output "Sysmon service exists"
+} catch {
+    Throw "Sysmon service does not exist"
+}
+
+# Check if Scheduled Task is Created Successfully
+try {
+    $task = Get-ScheduledTask -TaskName "Update_Sysmon_Rules" -ErrorAction Stop
+    Write-Output "Scheduled task created successfully"
+} catch {
+    Throw "Scheduled task creation failed"
+}