Add a new parameter to update Active Directory
This would be useful for detecting any of these issues by querying Active Directory:
- PowerShell scripting engine failures
- Failures running scheduled tasks
- Failures performing WMI queries
- Failures detecting the Sysmon service/driver name
- Failures importing a Sysmon configuration
- Sysmon installation/upgrade failures
The parameter would allow for choosing a custom attribute not actively being used in your AD environment. You would need to grant the SELF principal write access to this attribute on all AD computer objects:
-UpdateAD "<attribute name>"
The attribute content could contain the following semicolon-delimited fields. The data can be ingested into a SIEM or simply queried using PowerShell/LDAP for quick analysis.
- Date/timestamp of the script runtime
- System up-time
- Sysmon service/driver name/status
- Sysmon configuration status
- Sysmon version
- Detected OS version / domain role
- Any other useful system details
The attribute update should occur at next script run-time, at most once per day, or when the system up-time is within a few hours. This will reduce the number of AD writes, while allowing an AD query to show up-to-date results. The up-time check is key, because when a system boots up for the first time, it will report Sysmon was installed, and the next run will report if the services are successfully running or not.
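An added sketch (not the project's own code) of how the proposed -UpdateAD behaviour could be implemented: the host builds the semicolon-delimited status string, binds to its own computer object as SELF, and only writes when the stored record is older than a day or the system booted recently. The attribute name, service name and version values below are placeholders or constructed sample values.

```powershell
# Added example, not the project's code. Assumes the script runs as SYSTEM on a
# domain-joined host, the chosen attribute (placeholder 'extensionAttribute15') is
# unused in the schema, and SELF has write access to it on computer objects.
param(
    [string]$UpdateAD      = 'extensionAttribute15',  # placeholder attribute name
    [string]$SysmonService = 'Sysmon64',              # constructed sample value
    [string]$ConfigStatus  = 'ConfigImported',        # outcome of the config import step
    [string]$SysmonVersion = '15.14'                  # constructed sample value
)

$os     = Get-CimInstance Win32_OperatingSystem
$cs     = Get-CimInstance Win32_ComputerSystem
$uptime = (Get-Date) - $os.LastBootUpTime
$svc    = Get-Service -Name $SysmonService -ErrorAction SilentlyContinue
$status = if ($svc) { $svc.Status } else { 'NotFound' }

# Semicolon-delimited fields in the order proposed in the issue
$fields = @(
    (Get-Date).ToString('o'),                 # script run timestamp
    [int]$uptime.TotalSeconds,                # system up-time in seconds
    "$SysmonService/$status",                 # service/driver name and state
    $ConfigStatus,                            # configuration status
    $SysmonVersion,                           # Sysmon version
    "$($os.Version)/$($cs.DomainRole)"        # OS version / domain role
)
$value = $fields -join ';'

# Bind to this computer's own object via ADSI; the write works because SELF may write it
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$computer = $searcher.FindOne().GetDirectoryEntry()

# Throttle: update at most once per day, or whenever the host booted within a few hours
$last     = $computer.Properties[$UpdateAD].Value
$lastTime = if ($last) { [datetime]($last -split ';')[0] } else { [datetime]::MinValue }
$stale    = ((Get-Date) - $lastTime).TotalHours -ge 24
$recent   = $uptime.TotalHours -le 3
if ($stale -or $recent) {
    $computer.Properties[$UpdateAD].Value = $value
    $computer.CommitChanges()
}
```

The first field is the previous run's timestamp, so the throttle reads it back from AD rather than relying on local state that a reimage would lose.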