A PowerShell script for installing Sysmon and enabling best-practice audit logs.
# ================================================
# Sysmon & Windows Event Log Configuration Script
# ================================================
# Refuse to run without administrative privileges: everything below
# (service install, audit-policy changes, writes under C:\Windows) needs them.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
$isAdmin = (New-Object Security.Principal.WindowsPrincipal($identity)).IsInRole($adminRole)
if (-not $isAdmin) {
    Write-Host "This script requires administrative privileges. Please run as an administrator." -ForegroundColor Red
    exit 1
}

# Banner and plan of action. Each entry is (text, colour); a $null colour
# means Write-Host's default colour.
$banner = @(
    @("==================================================", 'Cyan'),
    @(" Install Sysmon & Improve Windows Event Logging ", 'Yellow'),
    @("==================================================", 'Cyan'),
    @("`nThis script will perform the following actions:`n", 'Green'),
    @("[1] Configure and improve Windows Event Logging (Yamato Security)", 'Cyan'),
    @(" [a] See: https://github.com/Yamato-Security/EnableWindowsLogSettings", 'Gray'),
    @("[2] Allow selection of a Sysmon configuration file", 'Cyan'),
    @(" [a] Source: https://github.com/olafhartong/sysmon-modular", 'Gray'),
    @("[3] Install Sysmon if its not already installed.", 'Cyan'),
    @(" [a] Downloaded from: https://live.sysinternals.com", 'Gray'),
    @("[4] Apply the selected Sysmon configuration.", 'Cyan'),
    @("[5] Clean up temporary files after execution", 'Cyan'),
    @("`nEnsure you have an internet connection before proceeding.`n", $null),
    @("Press 'Y' to continue or any other key to cancel.", 'Yellow')
)
foreach ($entry in $banner) {
    if ($null -eq $entry[1]) {
        Write-Host $entry[0]
    } else {
        Write-Host $entry[0] -ForegroundColor $entry[1]
    }
}

# Explicit opt-in before anything is downloaded or changed.
# -ne is case-insensitive in PowerShell, so one comparison covers 'Y' and 'y'.
$confirmation = Read-Host "Continue? (Y/N)"
if ($confirmation -ne 'y') {
    Write-Host "Operation canceled by user." -ForegroundColor Red
    exit 0
}
Write-Host "`nProceeding with the installation...`n" -ForegroundColor Cyan
Start-Sleep -Seconds 2
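# ------------------------------------------------
# Get-File: download one URL to a local path, reporting the outcome.
#   -Url        : https:// URL to fetch. Plain http:// is refused so that
#                 content later executed with admin rights never travels
#                 in clear text.
#   -OutputPath : destination file; overwritten if it already exists.
# Returns $true on success, $false on any failure. Errors are printed, not
# thrown, so callers decide whether to abort.
# Note: this protects only the transport. Whether the fetched content is the
# expected one (e.g. an Authenticode signature on an executable) must be
# checked by the caller before the file is used.
# ------------------------------------------------
function Get-File {
    param (
        [string]$Url,
        [string]$OutputPath
    )
    if ([string]::IsNullOrWhiteSpace($Url) -or [string]::IsNullOrWhiteSpace($OutputPath)) {
        Write-Host "[-] Get-File: both -Url and -OutputPath are required." -ForegroundColor Red
        return $false
    }
    if ($Url -notmatch '^https://') {
        Write-Host "[-] Refusing non-HTTPS download: $Url" -ForegroundColor Red
        return $false
    }
    try {
        # Windows PowerShell 5.1 on older builds may not offer TLS 1.2 by default,
        # which GitHub requires. OR-ing keeps any newer protocol already enabled.
        [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
        # -UseBasicParsing avoids the Internet Explorer engine dependency on 5.1;
        # it is accepted and ignored on PowerShell 7.
        Invoke-WebRequest -Uri $Url -OutFile $OutputPath -UseBasicParsing -ErrorAction Stop
        Write-Host "[+] Downloaded: $OutputPath" -ForegroundColor Green
        return $true
    } catch {
        Write-Host "[-] Failed to download: $Url - Error: $_" -ForegroundColor Red
        return $false
    }
}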
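# Define file paths
# NOTE(review): these are fixed names inside C:\Windows\temp, a directory every
# local account can create files in. A unique per-run subdirectory (random name)
# would rule out confusing a stale or pre-existing file with this run's download;
# kept as-is here because the log-file paths below are hard-coded to match.
$sysmonDownloadPath = "C:\Windows\temp\sysmon64.exe"
$configPath = "C:\Windows\temp\sysmonconfig.xml"
$batchScriptPath = "C:\Windows\temp\ConfigureWinEventLogs.bat"

# Check if Sysmon is already installed (64-bit service name first, then 32-bit).
$sysmonService64 = Get-Service -Name sysmon64 -ErrorAction SilentlyContinue
$sysmonService32 = Get-Service -Name sysmon -ErrorAction SilentlyContinue
$sysmonInstalled = ($null -ne $sysmonService64) -or ($null -ne $sysmonService32)

# $sysmonPath is the binary of the installed service (used to push a new config).
$sysmonPath = $null
if ($sysmonInstalled) {
    $serviceName = if ($null -ne $sysmonService64) { 'sysmon64' } else { 'sysmon' }
    # Get-CimInstance replaces the deprecated Get-WmiObject, which is absent from
    # PowerShell 7+. PathName is the service binary, possibly wrapped in quotes.
    $pathName = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PathName
    if (-not [string]::IsNullOrWhiteSpace($pathName)) {
        $sysmonPath = $pathName.Trim('"')
    }
    # Fail here with a clear message instead of letting Start-Process fail later
    # on an empty or dangling path.
    if ([string]::IsNullOrWhiteSpace($sysmonPath) -or -not (Test-Path -LiteralPath $sysmonPath)) {
        Write-Host "[-] Sysmon service '$serviceName' exists but its binary path could not be resolved ('$sysmonPath'). Exiting..." -ForegroundColor Red
        exit 1
    }
}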
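# Download Windows Event Log configuration script
# NOTE(review): this fetches the tip of 'main' and runs it with admin rights, so
# the executed content can change between runs. For reproducibility, pin the URL
# to a reviewed revision (replace 'refs/heads/main' with '<COMMIT-SHA>').
if (-not (Get-File -Url "https://raw.githubusercontent.com/Yamato-Security/EnableWindowsLogSettings/refs/heads/main/YamatoSecurityConfigureWinEventLogs.bat" -OutputPath $batchScriptPath)) {
    exit 1
}

# Execute the Windows Event Log configuration script.
# -PassThru exposes the exit code so a failing batch run is reported rather
# than silently announced as complete.
Write-Host "[+] Executing Windows Event Log configuration script..." -ForegroundColor Green
$logConfigProcess = Start-Process -FilePath $batchScriptPath -Wait -NoNewWindow -PassThru `
    -RedirectStandardOutput "C:\Windows\temp\ConfigureWinEventLogs_output.log" `
    -RedirectStandardError "C:\Windows\temp\ConfigureWinEventLogs_error.log"
if ($null -eq $logConfigProcess -or $logConfigProcess.ExitCode -ne 0) {
    # Not fatal: the batch file's own exit code semantics are outside this script,
    # so surface it and point the operator at the logs.
    Write-Host "[-] Windows Event Log configuration script exited with code $($logConfigProcess.ExitCode). Review the logs below." -ForegroundColor Red
} else {
    Write-Host "[+] Windows Event Log configuration complete." -ForegroundColor Green
}
Write-Host " [+] Review changes: C:\Windows\temp\ConfigureWinEventLogs_output.log" -ForegroundColor Gray
Write-Host " [+] Review errors: C:\Windows\temp\ConfigureWinEventLogs_error.log" -ForegroundColor Gray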
# Sysmon configuration options (olafhartong/sysmon-modular). Keys are the menu
# numbers the user types; each value carries a label, the raw-file URL and a
# one-line description shown in the menu.
$configOptions = @{
    "1" = @{ Name = "default"; Url = "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml"; Desc = "Balanced configuration, most commonly used." }
    "2" = @{ Name = "default+"; Url = "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-with-filedelete.xml"; Desc = "Balanced configuration with FileDelete file saves." }
    "3" = @{ Name = "verbose"; Url = "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-excludes-only.xml"; Desc = "Verbose config, logs all events except exclusions. High data volume." }
    "4" = @{ Name = "super verbose"; Url = "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-research.xml"; Desc = "Extreme verbosity, not for production. High CPU/memory usage." }
    "5" = @{ Name = "MDE augment"; Url = "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-mde-augment.xml"; Desc = "Enhances Microsoft Defender for Endpoint with minimal overlap." }
}

# Print the menu in numeric key order (hashtable enumeration order is not stable).
Write-Host "`nChoose a Sysmon configuration:" -ForegroundColor Yellow
$configOptions.GetEnumerator() |
    Sort-Object { [int]$_.Key } |
    ForEach-Object {
        Write-Host "[ $($_.Key) ] $($_.Value.Name) - $($_.Value.Desc)" -ForegroundColor Green
    }
# Ask which configuration to use; an empty or whitespace-only answer means option 1.
$selection = Read-Host 'Enter the number of your choice (default is 1)'
$selection = if ([string]::IsNullOrWhiteSpace($selection)) { "1" } else { $selection }

# A hashtable lookup yields $null for an unknown key, which is the invalid case.
$selectedConfig = $configOptions[$selection]
if ($null -eq $selectedConfig) {
    Write-Host "[-] Invalid selection. Exiting..." -ForegroundColor Red
    exit 1
}
$configUrl = $selectedConfig.Url
Write-Host "[+] You selected: $($selectedConfig.Name) - Downloading configuration..." -ForegroundColor Cyan

# Fetch the chosen Sysmon configuration; Get-File already reported the error on failure.
if (-not (Get-File -Url $configUrl -OutputPath $configPath)) {
    exit 1
}
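# Install or update Sysmon
# -PassThru gives access to Sysmon's exit code in both branches; a non-zero
# code is reported so a failed install/update is not announced as success.
# NOTE(review): Sysmon is assumed to return 0 on success — confirm against the
# Sysinternals documentation before treating non-zero as fatal.
if ($sysmonInstalled) {
    Write-Host "[+] Sysmon is already installed. Updating the running configuration." -ForegroundColor Cyan
    $sysmonProcess = Start-Process -FilePath $sysmonPath -ArgumentList "-c `"$configPath`"" -Wait -NoNewWindow -PassThru
    if ($sysmonProcess.ExitCode -ne 0) {
        Write-Host "[-] Sysmon returned exit code $($sysmonProcess.ExitCode) while applying the configuration." -ForegroundColor Red
    } else {
        Write-Host "[+] Sysmon configuration updated." -ForegroundColor Green
    }
} else {
    Write-Host "[+] Sysmon is not installed. It will be downloaded and installed." -ForegroundColor Cyan
    # Only the 64-bit build is downloaded below; bail out early on a 32-bit OS.
    if (-not [Environment]::Is64BitOperatingSystem) {
        Write-Host "[-] Sysmon64.exe requires 64-bit Windows; this system is 32-bit. Exiting..." -ForegroundColor Red
        exit 1
    }
    if (-not (Get-File -Url "https://live.sysinternals.com/Sysmon64.exe" -OutputPath $sysmonDownloadPath)) {
        exit 1
    }
    # Never execute a freshly downloaded binary as admin without checking who signed
    # it: the transport protects against tampering in flight, not against fetching
    # the wrong file. Sysinternals tools carry a Microsoft Corporation Authenticode
    # signature, so anything else is rejected and removed.
    $signature = Get-AuthenticodeSignature -FilePath $sysmonDownloadPath
    if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
        Write-Host "[-] Authenticode check failed for $sysmonDownloadPath (status: $($signature.Status)). Not executing it." -ForegroundColor Red
        Remove-Item -Path $sysmonDownloadPath -ErrorAction SilentlyContinue
        exit 1
    }
    Write-Host "[+] Authenticode signature verified: $($signature.SignerCertificate.Subject)" -ForegroundColor Green
    $sysmonProcess = Start-Process -FilePath $sysmonDownloadPath -ArgumentList "-accepteula -i `"$configPath`"" -Wait -NoNewWindow -PassThru
    if ($sysmonProcess.ExitCode -ne 0) {
        Write-Host "[-] Sysmon installer returned exit code $($sysmonProcess.ExitCode)." -ForegroundColor Red
    } else {
        Write-Host "[+] Sysmon installation complete." -ForegroundColor Green
    }
}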
# Verify that Sysmon is running: try the 64-bit service name first, then the 32-bit one.
$sysmonService = $null
foreach ($candidateName in @('sysmon64', 'sysmon')) {
    $sysmonService = Get-Service -Name $candidateName -ErrorAction SilentlyContinue
    if ($null -ne $sysmonService) { break }
}
# Parentheses keep the short-circuit: Status is only read when a service was found.
$sysmonRunning = ($null -ne $sysmonService) -and ($sysmonService.Status -eq 'Running')
if ($sysmonRunning) {
    Write-Host "[+] Sysmon service is running." -ForegroundColor Green
} else {
    Write-Host "[-] Sysmon service is not running. Please check the installation." -ForegroundColor Red
    exit 1
}

# Cleanup downloaded files (best effort: a missing file is not an error).
# The two ConfigureWinEventLogs_*.log files are intentionally kept for review.
# Earlier 'exit 1' paths leave the downloads in place; remove them by hand if needed.
Write-Host "[+] Cleaning up downloaded files..." -ForegroundColor Green
foreach ($artefact in @($sysmonDownloadPath, $configPath, $batchScriptPath)) {
    Remove-Item -Path $artefact -ErrorAction SilentlyContinue
}
Write-Host "[+] Cleanup complete." -ForegroundColor Green