Add a new parameter to update Active Directory #2

@jokezone

Description

This would be useful for detecting any of these issues by querying Active Directory:

  • PowerShell scripting engine failures
  • Failures running scheduled tasks
  • Failures performing WMI queries
  • Failures detecting the Sysmon service/driver name
  • Failures importing a Sysmon configuration
  • Sysmon installation/upgrade failures

The parameter would allow for choosing a custom attribute not actively being used in your AD environment. You would need to grant the SELF principal write access to this attribute on all AD computer objects:

-UpdateAD "<attribute name>"

The attribute content could contain the following semicolon delimited fields. The data can be ingested into a SIEM or simply queried using PowerShell/LDAP for quick analysis.

  • Date/timestamp of the script runtime
  • System up-time
  • Sysmon service/driver name/status
  • Sysmon configuration status
  • Sysmon version
  • Detected OS version / domain role
  • Any other useful system details

The attribute update should occur at next script run-time, at most once per day, or when the system up-time is within a few hours. This will reduce the number of AD writes, while allowing an AD query to show up-to-date results. The up-time check is key, because when a system boots up for the first time, it will report Sysmon was installed, and the next run will report if the services are successfully running or not.
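Added example, not code from this project: a PowerShell sketch of how the proposed -UpdateAD write and its throttling could look. It assumes the script runs as SYSTEM (so ADSI writes as the machine account, i.e. SELF), that $Attribute names an otherwise unused attribute SELF may write, and that the Sysmon service/driver names, the registry layout of the loaded rule set and the binary path are placeholders the real script would substitute after its own detection.

```powershell
# Added example (not from the project). Assumed names: Sysmon64 / SysmonDrv, the
# driver's Parameters key holding the loaded rules, and %windir%\Sysmon64.exe.
function Get-SysmonStatusRecord {
    param([string]$ServiceName = 'Sysmon64', [string]$DriverName = 'SysmonDrv')
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $drv = Get-Service -Name $DriverName  -ErrorAction SilentlyContinue
    # Assumed layout: the active rule set lives under the driver's Parameters key; no
    # 'Rules' value is taken to mean the configuration import never succeeded.
    $rules = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName\Parameters" -ErrorAction SilentlyContinue
    $exe   = Get-Item "$env:windir\$ServiceName.exe" -ErrorAction SilentlyContinue
    $uptimeHours = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
    # Fields in the order the issue lists; no field may contain ';' or the record becomes unparseable.
    @(
        (Get-Date).ToUniversalTime().ToString('o'),
        $uptimeHours,
        "$ServiceName=$(if ($svc) { $svc.Status } else { 'missing' })",
        "$DriverName=$(if ($drv) { $drv.Status } else { 'missing' })",
        $(if ($rules -and $rules.Rules) { 'config-loaded' } else { 'config-missing' }),
        $(if ($exe) { $exe.VersionInfo.ProductVersion } else { 'unknown' }),
        "$($os.Version)/role$($cs.DomainRole)"
    ) -join ';'
}

function Update-SysmonStatusInAD {
    param([Parameter(Mandatory)][string]$Attribute, [double]$RecentBootHours = 3)
    # Locate this machine's own computer object; as SYSTEM the bind is the machine account (SELF).
    $searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$($env:COMPUTERNAME)$))"
    $entry    = $searcher.FindOne().GetDirectoryEntry()
    $record   = Get-SysmonStatusRecord
    $previous = [string]$entry.Properties[$Attribute].Value
    $uptime   = [double]$record.Split(';')[1]
    $lastWrite = [datetime]::MinValue
    if ($previous) { [void][datetime]::TryParse($previous.Split(';')[0], [ref]$lastWrite) }
    # Write only when no record exists, the last one is older than a day, or the box booted
    # recently: the post-boot write is what shows whether Sysmon actually came up after install.
    $stale = ((Get-Date) - $lastWrite).TotalHours -ge 24
    if (-not $previous -or $stale -or $uptime -le $RecentBootHours) {
        $entry.Put($Attribute, $record)
        $entry.SetInfo()
        return $record
    }
    return $null   # throttled: nothing written on this run
}
```

Querying the attribute back for every computer object (e.g. with an LDAP filter on the attribute being present) then gives the fleet-wide view the issue describes, and records whose timestamp field is older than a day flag hosts where the script itself has stopped running.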

Metadata

Labels

enhancement (New feature or request)
