Puppet Class: threatstack::sysmon

Defined in:
manifests/sysmon.pp

Overview

Class: threatstack::sysmon

Install Sysmon for Windows

Authors

Nate St. Germain <nate.stgermain@threatstack.com>

Copyright 2020 Threat Stack, Inc.



# File 'manifests/sysmon.pp', line 13

# Installs Sysmon on Windows: fetches the Sysinternals zip and a
# SwiftOnSecurity configuration into C:\Windows\Temp, then runs the
# installer once the configuration file has been delivered.
#
# NOTE(review): both downloads point at mutable upstreams (the current
# Sysinternals zip and the `master` branch of the config repository) and
# neither resource declares a checksum, so the agent installs whatever the
# remote serves at run time. Pinning a release/commit and supplying a
# checksum (archive supports `checksum`/`checksum_type`; confirm whether
# remote_file offers the same) would add integrity verification; the
# values belong in class data, e.g. a `<SYSMON_ZIP_SHA256>` placeholder
# filled in from the vendor's published hash.
class threatstack::sysmon {

  # Download and unpack the Sysmon release. The zip is removed after
  # extraction (cleanup => true) but the extracted Sysmon64.exe stays in
  # C:\Windows\Temp, a shared temp directory rather than a restricted
  # install location, and is later executed with the agent's privileges
  # (typically SYSTEM on Windows).
  archive { 'C:\Windows\Temp\sysmon.zip':
    ensure       => present,
    extract      => true,
    cleanup      => true,
    extract_path => 'C:\Windows\Temp',
    source       => 'https://download.sysinternals.com/files/Sysmon.zip'
  }

  # Sysmon event-filtering configuration. Because this file decides what
  # Sysmon records, an unnoticed upstream change silently alters detection
  # coverage on every host that applies this class.
  remote_file { 'C:\Windows\Temp\sysmonconfig-export.xml':
    ensure  => present,
    source  => 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml',
    require => Exec['test conf present']
  }

  # NOTE(review): `command` and `unless` are the same Test-Path invocation.
  # Test-Path reports $false as output, not as a non-zero exit code, so the
  # `unless` guard is expected to pass whether or not the file exists and
  # this exec should never actually run; the `require` above then acts only
  # as an ordering edge, not as a presence check. Verify on a host before
  # relying on it.
  exec { 'test conf present':
    command => 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Test-Path C:\Windows\Temp\sysmonconfig-export.xml',
    unless  => 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Test-Path C:\Windows\Temp\sysmonconfig-export.xml'
  }

  # Run the installer when the config file is first delivered
  # (refreshonly + subscribe). NOTE(review): once Sysmon64 is running the
  # `unless` guard blocks every later refresh, so a changed configuration
  # file is downloaded but never applied; updating a live installation is a
  # separate `Sysmon64.exe -c <config>` invocation that this class does not
  # perform.
  exec { 'Install sysmon':
    command     => 'C:\Windows\Temp\Sysmon64.exe -accepteula -i C:\Windows\Temp\sysmonconfig-export.xml',
    subscribe   => Remote_File['C:\Windows\Temp\sysmonconfig-export.xml'],
    refreshonly => true,
    unless      => 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-Process "sysmon64"',
    require     => [
      Archive['C:\Windows\Temp\sysmon.zip'],
      Remote_File['C:\Windows\Temp\sysmonconfig-export.xml']
    ]
  }
}