This snippet can be used to deploy Sysmon on all servers that belong to an Active Directory group. The requirements for this script are PowerShell remoting.

$Paths = @{
    Sysmon = "<SourceDir>\Sysmon"
    DomainController = (Get-ADDomain).DomainControllersContainer
}

$Groups = Get-ADGroup -Filter {(Name -like 'GroupName*')}
$Servers = Get-ADComputer -Filter * -SearchBase $Paths.DomainController
# Sysmon Installation variables
$Command = ('"{0}\Sysmon\Sysmon64.exe"' -f $env:ProgramFiles)
$ARGs = ('-AcceptEula -i "{0}\Sysmon\sysmonconfig-export.xml"' -f $env:ProgramFiles)

foreach($Server in $Servers) {
    # Update Group membership
    Write-Host ('Add Server {0} to Group: ' -f $Server.DNSHostName ) -NoNewline
    foreach($Group in $Groups) {
        try {
            Write-Host  ('{0}, ' -f $Group.Name) -NoNewline -ForegroundColor Green
            Add-ADGroupMember -Identity $Group.DistinguishedName -Members $Server.DistinguishedName -ErrorAction Stop
        }
        catch {
            $_.Exception.Message
        }
    }
    # Write newline
    "`n"


    $System = New-PSSession -ComputerName $Server.DNSHostName
    Invoke-Command -Session $System -ScriptBlock {
        Write-Host ('Copy Sysmon to Server: {0}' -f $USING:Server.DNSHostName)
        Copy-Item `
                -Path $USING:Paths.Sysmon `
                -Destination ('{0}\' -f $env:ProgramFiles) `
                -Recurse `
                -Force

        # Start installation of Sysmon64
        Write-Host ('Install Sysmon to Server: {0}' -f $USING:Server.DNSHostName)
        if (Test-Path -Path ('{0}\Sysmon\Sysmon64.exe' -f $env:ProgramFiles)){
            Start-Process -Wait -FilePath $USING:Command -ArgumentList $USING:ARGs -NoNewWindow
        }
    }
}

See Also

By: Arne TiedemannPosted on Categories : Categories :

Leave a Reply

Your email address will not be published. Required fields are marked *