Deploy and install Microsoft Sysinternals Sysmon v6.02 with custom configuration - superseded


Versioning - This is an older version.

1. Deploy and install Microsoft Sysinternals Sysmon v6.02 with custom configuration (9/11/2017 2:33:43 PM)
2. Deploy and install Microsoft Sysinternals Sysmon v6.10 with custom configuration (9/18/2017 5:45:12 AM)

Description

This Task downloads Microsoft Sysinternals Sysmon v6.02 from download.sysinternals.com (pinned by size, SHA-1 and SHA-256), writes a custom configuration derived from the SwiftOnSecurity sysmon-config to the client's __Download folder, and installs the Sysmon service with that configuration.

Property Details

ID: 24623
Status: QA - Ready for Production Level Testing
Title: Deploy and install Microsoft Sysinternals Sysmon v6.02 with custom configuration
Download Size: 1271314 bytes (Sysmon.zip 1103378 + unzip.exe 167936)
Source: IBM
Source Release Date: 9/1/2017
Keywords: Deploy Microsoft Sysmon
Is Task: True
Added: 9/11/2017 2:33:43 PM
Last Modified: 9/11/2017 2:34:44 PM

Relevance

Relevance 1 (used in 3 fixlets; results in a true/false). Limits the task to the supported Windows client and server releases:
(name of it starts with "Win7" OR name of it starts with "Win8" OR name of it starts with "Win10" OR name of it starts with "Win2008R2" OR name of it starts with "Win2012" OR name of it starts with "Win2016" ) of operating system

Relevance 2 (used in 2 fixlets; results in a true/false). Applies only while no Sysmon service is registered. The action installs sysmon64.exe on x64, which registers its service as "Sysmon64" rather than "Sysmon", so both names are checked; otherwise the task would stay relevant (and the action would never report success) on 64-bit endpoints:
not exists service "Sysmon" AND not exists service "Sysmon64"

Actions

Action 1 (default)

Action Link: Click here to deploy this action. Note that by doing so, you are accepting Sysmon's EULA for the target endpoints (the install below passes -accepteula).
Script Type: BigFix Action Script
// Download Sysmon and the unzip utility. Both are pinned by size, SHA-1 and SHA-256, so the client
// rejects a download that does not match (the unzip URL is plain http, which is why the pin matters).
prefetch sysmon.zip sha1:8f1e7f9756793b411eabc3b4fb06d2cb502a43d3 size:1103378 https://download.sysinternals.com/files/Sysmon.zip sha256:848c3323324e8fa849024f87a2764f8575513463f339690056664861f99e4c5f
prefetch unzip.exe sha1:e1652b058195db3f5f754b7ab430652ae04a50b8 size:167936 http://software.bigfix.com/download/redist/unzip-5.52.exe sha256:8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
// Keep unzip.exe in the client's utility cache so later actions do not re-download it
utility __Download\unzip.exe

// Unzip sysmon (sysmon.exe and sysmon64.exe) into the site's __Download folder
waithidden __Download\unzip.exe -qq -o -d "{folder "__Download" of client folder of current site}" __Download\sysmon.zip

// Remove any leftovers first: the move below fails if its destination already exists
delete __createfile
delete __Download\sysmonconfig.xml

// Define sysmon configuration XML file
// Source: https://github.com/SwiftOnSecurity/sysmon-config
// Modifications made per https://www.youtube.com/watch?v=vqGoXQEK8pA
// Please note that every opening curly brace "{" in the configuration must be doubled to "{{" in the actionscript
// below (the GUID and the -s{{ lines are examples); otherwise the client reports a relevance substitution error.
// A lone "}" needs no escaping. See http://www-01.ibm.com/support/docview.wss?uid=swg21506259 for reference.
createfile until EndOfFile


="3.30">
    *
    

    
        
        ="exclude">
        
            
            ="begin with">C:\Windows\system32\DllHost.exe /Processid
            ="is">C:\Windows\system32\SearchIndexer.exe /Embedding
            ="end with">C:\Windows\System32\CompatTelRunner.exe
            ="is">C:\Windows\System32\MusNotification.exe
            ="is">C:\Windows\System32\MusNotificationUx.exe
            ="is">C:\Windows\System32\audiodg.exe
            ="is">C:\Windows\System32\conhost.exe
            ="is">C:\Windows\System32\powercfg.exe
            ="is">C:\Windows\System32\wbem\WmiApSrv.exe
            ="is">C:\Windows\System32\wermgr.exe
            ="is">C:\Windows\SysWOW64\wermgr.exe
            ="is">C:\Windows\system32\sppsvc.exe
            ="is">AppContainer
            ="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows
            ="is">C:\Windows\system32\SearchIndexer.exe
            
            ="begin with">C:\Program Files\Windows Defender
            ="is">C:\Windows\System32\MpSigStub.exe
            ="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base
            ="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta
            ="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine
            
            ="is">C:\Windows\System32\svchost.exe -k appmodel
            ="is">C:\Windows\System32\svchost.exe -k dcomLaunch
            ="is">C:\Windows\System32\svchost.exe -k defragsvc
            ="is">C:\Windows\System32\svchost.exe -k imgsvc
            ="is">C:\Windows\System32\svchost.exe -k localServiceAndNoImpersonation
            ="is">C:\Windows\System32\svchost.exe -k localServiceNetworkRestricted
            ="is">C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted
            ="is">C:\Windows\System32\svchost.exe -k netsvcs
            ="is">C:\Windows\System32\svchost.exe -k networkServiceNetworkRestricted
            ="is">C:\Windows\System32\svchost.exe -k rPCSS
            ="is">C:\Windows\System32\svchost.exe -k swprv
            ="is">C:\Windows\System32\svchost.exe -k unistackSvcGroup
            ="is">C:\Windows\System32\svchost.exe -k utcsvc
            ="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup
            ="is">C:\Windows\System32\svchost.exe -k wsappx
            ="is">C:\Windows\system32\svchost.exe -k networkService
            ="is">C:\windows\System32\svchost.exe -k werSvcGroup
            ="is">C:\Windows\System32\svchost.exe -k netsvcs
            ="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
            
            ="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
            ="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            ="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            ="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
            ="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
            ="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
            ="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            ="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
            ="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            ="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
            ="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
            
            ="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
            ="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
            
            ="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
            ="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
            ="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
            
            ="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=
            ="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=
            ="begin with">C:\Program Files (x86)\Google\Update\
            ="begin with">C:\Program Files (x86)\Google\Update\
            
            ="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel
            ="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel
            
            ="contains">AcroRd32.exe" /CR
            ="contains">AcroRd32.exe" --channel=
            ="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
            ="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            ="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
            
            ="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
            
            ="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
            
            ="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe
            ="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
            ="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
            
            ="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
            ="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
            ="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
            ="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
            
            ="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{{
            ="begin with">C:\Program Files\NVIDIA Corporation\
            ="begin with">C:\Program Files\Realtek\
            ="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe
            ="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
            
            ="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
            ="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
            
            ="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
        

    
        
        ="include">
            ="begin with">C:\Users
        
        ="exclude">
            ="image">OneDrive.exe
            ="contains">setup
        

    
        
        ="include">
        
        
        
            
            ="begin with">C:\Users
            ="begin with">C:\ProgramData
            ="begin with">C:\Windows\Temp
            
            ="image">at.exe
            ="image">certutil.exe
            ="image">cmd.exe
            ="image">cscript.exe
            ="image">java.exe
            ="image">mshta.exe
            ="image">msiexec.exe
            ="image">net.exe
            ="image">notepad.exe
            ="image">powershell.exe
            ="image">qwinsta.exe
            ="image">reg.exe
            ="image">regsvr32.exe
            ="image">rundll32.exe
            ="image">sc.exe
            ="image">wmic.exe
            ="image">wscript.exe
            
            ="image">psexec.exe
            ="image">psexesvc.exe
            ="image">vnc.exe
            ="image">vncviewer.exe
            ="image">vncservice.exe
            ="image">winexesvc.exe
            ="image">\AA_v
            
            ="image">omniinet.exe
            ="image">hpsmhd.exe
            
            ="image">tor.exe
            
            ="is">22
            ="is">23
            ="is">25
            ="is">3389
            ="is">5800
            ="is">5900
            
            ="is">1080
            ="is">3128
            ="is">8080
            
            ="is">1723
            ="is">4500
            ="is">9001
            ="is">9030
        
        ="exclude">
            ="image">OneDrive.exe
            ="image">Spotify.exe
            ="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe
            
            ="image">OneDriveStandaloneUpdater.exe
            ="end with">microsoft.com
            ="end with">microsoft.com.akadns.net
            ="end with">microsoft.com.nsatc.net
        

    
        
        

    
        
        ="include">
        
            ="begin with">C:\Users
        

    
        
        ="exclude">
        
            ="contains">microsoft
            ="contains">windows
            ="begin with">Intel
        

    
        
        ="exclude">
        
        

    
        
        ="exclude">
        
            ="is">C:\Windows\System32\wbem\WmiPrvSE.exe
            ="is">C:\Windows\System32\svchost.exe
            ="is">C:\Windows\System32\wininit.exe
            ="is">C:\Windows\System32\csrss.exe
            ="is">C:\Windows\System32\services.exe
            ="is">C:\Windows\System32\winlogon.exe
            ="is">C:\Windows\System32\audiodg.exe
            ="is">C:\windows\system32\kernel32.dll
            ="end with">Google\Chrome\Application\chrome.exe
        

    
        
        ="exclude">
        
        
        

    
        
        ="exclude">
        
        

    
        
        ="include">
            ="contains">\Start Menu
            ="contains">\Startup
            ="contains">\Content.Outlook\
            ="contains">\Downloads\
            ="end with">.application
            ="end with">.appref-ms
            ="end with">.bat
            ="end with">.cmd
            ="end with">.cmdline
            ="end with">.docm
            ="end with">.exe
            ="end with">.hta
            ="end with">.pptm
            ="end with">.ps1
            ="end with">.sys
            ="end with">.vbs
            ="end with">.xlsm
            ="end with">.*proj
            ="end with">.sln            
            ="begin with">C:\Users\Default
            ="begin with">C:\Windows\System32\Drivers
            ="begin with">C:\Windows\SysWOW64\Drivers
            ="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts
            ="begin with">C:\Windows\System32\GroupPolicy\User\Scripts
            ="begin with">C:\Windows\System32\Tasks
            ="begin with">C:\Windows\System32\Wbem
            ="begin with">C:\Windows\SysWOW64\Wbem
            ="begin with">C:\Windows\System32\WindowsPowerShell
            ="begin with">C:\Windows\SysWOW64\WindowsPowerShell
            ="begin with">C:\Windows\Tasks\
        
        ="exclude">
            
            ="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
            
            ="is">C:\Windows\System32\smss.exe
            ="is">C:\Windows\system32\CompatTelRunner.exe
            ="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE
            ="begin with">C:\Windows\System32\DriverStore\Temp\
            ="begin with">C:\Windows\System32\wbem\Performance\
            ="end with">WRITABLE.TST
            
            ="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\
            ="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows
            
            ="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe
            
            ="is">C:\Windows\system32\igfxCUIService.exe
        

    
        
        
        
        
        
        
        
        
        
        ="include">
            
                
                
                
            ="contains">\CurrentVersion\Run
            ="contains">\Group Policy\Scripts
            ="contains">\Windows\System\Scripts
            ="contains">\Policies\Explorer\Run
            ="end with">\ServiceDll
            ="end with">\ImagePath
            ="end with">\Start
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\
            ="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
            
            ="contains">\Explorer\FileExts\
            ="contains">\shell\install\command\
            ="contains">\shell\open\command\
            ="contains">\shell\open\ddeexec\
            
            ="end with">\InprocServer32\(Default)
            
            ="contains">\Classes\*\
            ="contains">\Classes\AllFilesystemObjects\
            ="contains">\Classes\Directory\
            ="contains">\Classes\Drive\
            ="contains">\Classes\Folder\
            ="contains">\ContextMenuHandlers\
            ="contains">\CurrentVersion\Shell
            ="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
            ="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad
            
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\
            
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
            
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
            
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\
            ="end with">\ProxyServer
            
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
            
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
            
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
            ="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\
            
            ="contains">\Microsoft\Office\Outlook\Addins\
            
            ="contains">\Internet Explorer\Toolbar\
            ="contains">\Internet Explorer\Extensions\
            ="contains">\Browser Helper Objects\
            
            ="contains">{{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\
            
            ="end with">\UrlUpdateInfo
            ="end with">\InstallSource
            
            ="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
            ="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
            
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
            
            ="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled
            ="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
            ="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring
            ="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
            ="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
            ="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify
            ="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
            
            ="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
            ="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
            ="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
            ="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
            ="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
            ="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting
            
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\
            ="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\
            ="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\
            ="end with">\FriendlyName
            ="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)
        
        ="exclude">
        
            
            ="end with">Office\root\integration\integrator.exe
            ="image">C:\WINDOWS\system32\backgroundTaskHost.exe
            ="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
            ="is">C:\Program Files\Windows Defender\MsMpEng.exe
            ="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
            
            ="end with">Toolbar\WebBrowser
            ="end with">Toolbar\WebBrowser\ITBar7Height
            ="end with">Toolbar\ShellBrowser\ITBar7Layout
            ="end with">Internet Explorer\Toolbar\Locked
            ="end with">ShellBrowser
            ="end with">\CurrentVersion\Run
            ="end with">\CurrentVersion\RunOnce
            ="end with">\CurrentVersion\App Paths
            ="end with">\CurrentVersion\Image File Execution Options
            ="end with">\CurrentVersion\Shell Extensions\Cached
            ="end with">\CurrentVersion\Shell Extensions\Approved
            ="end with">}\PreviousPolicyAreas
            ="contains">\Control\WMI\Autologger\
            ="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start
            ="end with">\Lsa\OfflineJoin\CurrentValue
            ="end with">\Components\TrustedInstaller\Events
            ="end with">\Components\TrustedInstaller
            ="end with">\Components\Wlansvc
            ="end with">\Components\Wlansvc\Events
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\
            ="end with">\Directory\shellex
            ="end with">\Directory\shellex\DragDropHandlers
            ="end with">\Drive\shellex
            ="end with">\Drive\shellex\DragDropHandlers
            ="contains">_Classes\AppX
            ="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
            ="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
            
            ="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
            ="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
            ="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System
            ="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
            ="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
            ="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
            
            ="end with">\services\clr_optimization_v2.0.50727_32\Start
            ="end with">\services\clr_optimization_v2.0.50727_64\Start
            ="end with">\services\clr_optimization_v4.0.30319_32\Start
            ="end with">\services\clr_optimization_v4.0.30319_64\Start
            ="end with">\services\DeviceAssociationService\Start
            ="end with">\services\BITS\Start
            ="end with">\services\TrustedInstaller\Start
            ="end with">\services\tunnel\Start
            ="end with">\services\UsoSvc\Start
            
            ="contains">\OpenWithProgids
            ="end with">\OpenWithList
            ="end with">\UserChoice
            ="end with">\UserChoice\ProgId
            ="end with">\UserChoice\Hash
            ="end with">\OpenWithList\MRUList
            ="end with">} 0xFFFF
            
            ="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
            ="is">C:\Program Files (x86)\Webroot\WRSA.exe
        

    
        
        ="include">
        
            ="contains">Content.Outlook
            ="contains">Downloads
            ="contains">Temp\7z
            ="end with">.bat
            ="end with">.cmd
            ="end with">.hta
            ="end with">.lnk
            ="end with">.ps1
            ="end with">.ps2
            ="end with">.reg
            ="end with">.vb
            ="end with">.vbe
            ="end with">.vbs
        

    
        
        

    
        
        ="exclude">
            
            
        

    

EndOfFile

move __createfile __Download\sysmonconfig.xml

// Install Sysmon service with custom configuration
waithidden __Download\{if (x64 of operating system) then "sysmon64.exe" else "sysmon.exe"} -accepteula -i "{folder "__Download" of client folder of current site as string & "\sysmonconfig.xml"}"
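The action above embeds the configuration in a createfile block with every "{" doubled. The following PowerShell function is an added example, not part of this task or of the SwiftOnSecurity project: it produces that block from a Sysmon config file on disk, applies the escaping, refuses a config whose schemaversion is newer than the 3.30 schema that Sysmon v6.02 understands, and checks that no config line collides with the createfile delimiter. The function name, its parameters, and the __Download\sysmonconfig.xml destination default are this example's own assumptions.

```powershell
# Added example (not part of the BigFix task): build the "createfile until EndOfFile"
# block the action script embeds, from a Sysmon config on disk, doubling every "{" so
# BigFix relevance substitution does not choke on GUIDs such as {AB8902B4-...}.
# Assumptions (this example's own, not the task's): the config is UTF-8 text and the
# target binary is Sysmon v6.02, whose schema is 3.30 ("sysmon -s" prints it).
function ConvertTo-BigFixCreateFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [string]  $Delimiter        = 'EndOfFile',
        [version] $MaxSchemaVersion = '3.30',
        [string]  $Destination      = '__Download\sysmonconfig.xml'
    )

    $raw = Get-Content -LiteralPath $ConfigPath -Raw

    # Sysmon refuses a config whose schemaversion is newer than the binary's schema,
    # so catch that here instead of discovering it from the action's exit code.
    $xml = [xml] $raw
    if (-not $xml.Sysmon) { throw "Root element of $ConfigPath is not <Sysmon>" }
    $schema = [version] $xml.Sysmon.schemaversion
    if ($schema -gt $MaxSchemaVersion) {
        throw "schemaversion $schema is newer than the target Sysmon supports ($MaxSchemaVersion)"
    }

    # createfile ends at the first line that equals the delimiter, so the config
    # must not contain such a line.
    $lines = $raw -split "`r?`n"
    if ($lines -contains $Delimiter) {
        throw "A config line equals the delimiter '$Delimiter'; pick another with -Delimiter"
    }

    # Only "{" is special inside createfile; a "}" with no preceding "{" passes
    # through unchanged (compare the {{AB8902B4-...} line in the action above).
    $escaped = $lines | ForEach-Object { $_ -replace '\{', '{{' }

    $header = @(
        '// Remove leftovers so the move cannot fail on an existing destination'
        'delete __createfile'
        "delete $Destination"
        "createfile until $Delimiter"
    )
    $footer = @(
        $Delimiter
        "move __createfile $Destination"
    )
    ($header + $escaped + $footer) -join "`r`n"
}

# Usage: paste the output over the embedded block in the task's Action Script.
# ConvertTo-BigFixCreateFile -ConfigPath .\sysmonconfig-export.xml | Set-Clipboard
```

The schema check is the part most worth keeping when this task is cloned for a newer Sysmon: a config written for a later schema installs cleanly through BigFix (the createfile and move succeed) and only fails at the sysmon -i step, which the action reports as a non-zero exit code with no further detail.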
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false, i.e. once a Sysmon service is registered on the endpoint.
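To check what the action leaves behind on one endpoint, or to reproduce the install by hand before rolling the task out, the following PowerShell script is an added example (not part of the task): it pins Sysmon.zip to the same SHA-256 the prefetch line uses, picks sysmon64.exe or sysmon.exe the way the action's {if (x64 of operating system) ...} substitution does, installs with the config (or pushes the config with -c if Sysmon is already present), and then verifies the user-mode service, the SysmonDrv kernel driver and the Operational event channel. Note that Sysmon64.exe registers its service as "Sysmon64" while the driver is "SysmonDrv" on both architectures, so a check for a service named "sysmon" alone stays true on 64-bit endpoints. The working-directory layout and the assumption that Sysmon.zip and sysmonconfig.xml are already there are this example's own; run it elevated, as a .ps1, on PowerShell 5.1 or later.

```powershell
# Added example, not part of the BigFix task: do on one endpoint what the action script
# does, then check the result. Assumptions (this example's own): Sysmon.zip and
# sysmonconfig.xml are already in $WorkDir, the SHA-256 is the one the task's prefetch
# pins, the shell is elevated, and PowerShell 5.1+ (Expand-Archive, Get-FileHash).
param(
    [string] $WorkDir        = "$env:TEMP\sysmon-deploy",
    [string] $ExpectedSha256 = '848c3323324e8fa849024f87a2764f8575513463f339690056664861f99e4c5f'
)
$ErrorActionPreference = 'Stop'
$zip    = Join-Path $WorkDir 'Sysmon.zip'
$config = Join-Path $WorkDir 'sysmonconfig.xml'

# 1. Pin the archive to the published hash before anything in it runs as LocalSystem.
$actual = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Sysmon.zip hash mismatch: got $actual, expected $ExpectedSha256"
}
Expand-Archive -LiteralPath $zip -DestinationPath $WorkDir -Force

# 2. Same binary choice as the action's {if (x64 of operating system) ...} substitution.
$exe = Join-Path $WorkDir $(if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' })

# 3. The service is "Sysmon" on x86 but "Sysmon64" on x64, so look for both. Install
#    fresh, or only update the rules if a Sysmon service is already registered.
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
if ($svc) {
    & $exe -accepteula -c $config | Out-Null
} else {
    & $exe -accepteula -i $config | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# 4. Verify: user-mode service and the SysmonDrv kernel driver both running (drivers do
#    not appear in Get-Service, hence sc.exe), and the Operational channel already
#    carrying events (a fresh install logs ID 16 config change and ID 4 state change).
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { throw 'Sysmon service not running' }
if (-not ((sc.exe query SysmonDrv) -match 'RUNNING')) { throw 'SysmonDrv driver not running' }

# Get-WinEvent throws if the channel is empty, which is itself the failure signal here.
$latest = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1
'Installed {0}: service "{1}" running, newest event ID {2} at {3}' -f (Split-Path $exe -Leaf), $svc.Name, $latest.Id, $latest.TimeCreated

# 5. Dump the rules the driver actually loaded, to compare with the config on disk.
& $exe -c
```

The final sysmon -c dump is the check worth automating across a fleet: the service existing only proves the install ran, not that the intended rules are in force, and a later sysmon -c with a different file silently replaces them.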

