# ==========================
# Credits
# Pillar SOC Team
# ChatGPT Assisted Modification
# Dylan Barrett
# NerbalOne (Sysmon Installer)
#
# Description - Downloads and installs the Pillar SOC Agent silently using the API token and customer ID supplied via
# environment variables (NinjaRMM), then downloads and installs Sysmon with a community configuration and registers an
# hourly SYSTEM scheduled task that refreshes that configuration.
# Usage of this script requires a valid Customer ID and Download Link from Pillar SOC.
# Prerequisites - PowerShell 5.1 or later, Internet access to download the installer, and an elevated (Administrator
# or SYSTEM) context: the script installs services and creates a scheduled task that runs as SYSTEM.
# ==========================
# ==========================
# Pillar Installer Vars
# ==========================
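# NOTE(review): the API token travels in the query string, so it shows up in proxy/WAF
# logs and in any PowerShell transcript of this run. Prefer a header if the agent
# endpoint supports one, and keep this script out of world-readable locations.
$novaSOCRootURL = "https://agent.prod.novasoc.com/v1/agents/download/windows?token=$env:apitoken&arch=$env:architecture&build_type=$env:buildtype&customer_id=$env:customerid" ; # Change this with just your URL if not deploying with Ninja

# Fail early if the RMM did not inject a value the URL is built from: an empty
# query parameter ("token=&arch=...") would otherwise only surface as an opaque
# HTTP error from the agent endpoint. Also holds for a hand-edited static URL.
if ($novaSOCRootURL -match '=(&|$)') {
    Write-Error "Agent download URL has an empty query parameter; check the apitoken/architecture/buildtype/customerid environment variables."
    exit 1
}

# Force TLS 1.2 before the first outbound request. PowerShell 5.1 may otherwise
# negotiate TLS 1.0/1.1 on older Windows builds; the Sysmon section sets this
# too, but that runs after this lookup.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

try {
    $result = Invoke-WebRequest -URI $novaSOCRootURL -UseBasicParsing -ErrorAction Stop
}
catch {
    Write-Error "ERROR resolving agent download link: $_"
    exit 1
}

# The endpoint response is expected to embed the real installer URL as a quoted
# string (the lookahead requires a closing double quote); take the first one.
# Indexing Matches[0] on an empty result would throw, so check first.
$urlMatches = (Select-String '(http[s]?)(:\/\/)([^\s,]+)(?=")' -Input $result.RawContent).Matches
if (-not $urlMatches -or $urlMatches.Count -eq 0) {
    Write-Error "ERROR: no download URL found in agent endpoint response."
    exit 1
}
$SourceFileUrl = $urlMatches[0].Value

# Refuse to fetch an executable over plaintext HTTP: the pattern above accepts
# http://, and an unauthenticated download would let an on-path attacker swap
# the installer that is executed with elevated rights later in this script.
if ($SourceFileUrl -notlike 'https://*') {
    Write-Error "ERROR: installer URL is not HTTPS: $SourceFileUrl"
    exit 1
}

# NOTE(review): C:\Temp is typically writable by every local user, so a standard
# user could pre-create this folder or swap the installer between download and
# execution. Consider a directory under $env:ProgramData with a restrictive ACL,
# or verify the installer's Authenticode signature before running it.
$TempDir = "C:\Temp\PillarSOC"
$DestinationFilePath = Join-Path -Path $TempDir -ChildPath "novaSOCAgentInstall.exe"
$LogFile = Join-Path -Path $TempDir -ChildPath "PillarSOC-install.log"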
# ==========================
# Sysmon Installation Vars
# ==========================
# Upstream locations: the Sysmon binary from Sysinternals, and the community
# configuration plus its updater script from ion-storm/sysmon-config, tracked
# at the moving 'master' branch.
# NOTE(review): the updater script fetched here is later run hourly as SYSTEM by
# a scheduled task, with no pinning or integrity check on either file. Whoever
# can push to that repository (or compromises it) can run code as SYSTEM on
# every host this script touches. Mirror the files internally and/or pin a
# reviewed commit before rolling this out broadly.
$sysmonURL          = "https://live.sysinternals.com/sysmon.exe"
$sysmonConfigURL    = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml"
$sysmonUpdateConfig = "https://raw.githubusercontent.com/ion-storm/sysmon-config/master/SysmonUpdateConfig.ps1"
# Local install root (trailing backslash kept as in the original; Join-Path
# tolerates it) and the three files dropped inside it.
$sysmonFolderPath = "C:\ProgramData\Sysmon\"
$sysmonPath       = Join-Path -Path $sysmonFolderPath -ChildPath "sysmon.exe"
$sysmonConfigPath = Join-Path -Path $sysmonFolderPath -ChildPath "sysmonconfig-export.xml"
$sysmonUpdatePath = Join-Path -Path $sysmonFolderPath -ChildPath "SysmonUpdateConfig.ps1"
# ==========================
# Logging Function
# ==========================
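# Appends one timestamped line to the script-level $LogFile.
# Parameters:
#   $msg - text to log (interpolated as-is; do not pass secrets such as the API token).
# The log directory is created on demand because the first call happens before
# the "Prepare Directory" step; Add-Content cannot create parent folders, so
# that first entry was previously lost with a path-not-found error.
function Write-Log($msg){
    $logDir = Split-Path -Path $LogFile -Parent
    if ($logDir -and -not (Test-Path -Path $logDir -PathType Container)) {
        New-Item -Path $logDir -ItemType Directory -Force -ErrorAction SilentlyContinue | Out-Null
    }
    $timestamp = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss")
    Add-Content -Path $LogFile -Value "$timestamp : $msg"
}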
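# ==========================
# Prepare Directory
# ==========================
# The working folder must exist before anything is logged to it, so create it
# first and only then write the "started" marker. New-Item errors are
# non-terminating by default; without -ErrorAction Stop the catch block below
# never ran and the script carried on with no folder.
try {
    $tempDirExisted = Test-Path -Path $TempDir -PathType Container
    if (-not $tempDirExisted) {
        New-Item -Path $TempDir -ItemType Directory -ErrorAction Stop | Out-Null
    }
}
catch {
    # Cannot use Write-Log here: the log lives inside the folder that failed.
    Write-Error "ERROR creating directory ${TempDir}: $_"
    exit 1
}
Write-Log "----- Nova SOC Deployment Started -----"
if ($tempDirExisted) {
    Write-Log "Temp folder already exists."
}
else {
    Write-Log "Created folder: $TempDir"
}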
# ==========================
# Download Installer
# ==========================
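Write-Log "Downloading Pillar SOC installer..."
try {
    # Drop any leftover (or pre-planted) file first so a stale binary can never
    # pass the existence check below if this transfer fails part-way.
    if (Test-Path -Path $DestinationFilePath) {
        Remove-Item -Path $DestinationFilePath -Force -ErrorAction Stop
    }
    Invoke-WebRequest -Uri $SourceFileUrl -OutFile $DestinationFilePath -UseBasicParsing -ErrorAction Stop
}
catch {
    Write-Log "ERROR downloading installer: $_"
    exit 1
}
# Confirm download success: the file must exist and must not be empty.
if (-not (Test-Path -Path $DestinationFilePath)) {
    Write-Log "ERROR: Installer file missing after download."
    exit 1
}
$installerSize = (Get-Item -Path $DestinationFilePath).Length
if ($installerSize -le 0) {
    Write-Log "ERROR: Installer file is empty after download."
    exit 1
}
Write-Log "Download successful."
# Record the Authenticode state of what is about to be executed with elevated
# rights, so an unsigned or tampered binary is at least visible in the log.
# NOTE(review): this only logs. Once the vendor's signing certificate is
# confirmed, tighten it to 'exit 1' on any status other than Valid.
$installerSig = Get-AuthenticodeSignature -FilePath $DestinationFilePath
Write-Log "Installer size: $installerSize bytes; Authenticode status: $($installerSig.Status); signer: $($installerSig.SignerCertificate.Subject)"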
# ==========================
# Install Pillar SOC
# ==========================
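Write-Log "Starting Pillar SOC installation..."
try {
    # Run exactly the file that was just downloaded ($DestinationFilePath)
    # instead of re-spelling the path with a different case and no quoting.
    # Start-Process reports a missing/unrunnable file as a non-terminating
    # error, so -ErrorAction Stop is needed for the catch block to fire.
    $process = Start-Process -FilePath $DestinationFilePath -ArgumentList "/S" -Wait -PassThru -ErrorAction Stop
    if ($process.ExitCode -ne 0) {
        Write-Log "Installer exited with error code $($process.ExitCode)"
        exit $process.ExitCode
    }
}
catch {
    Write-Log "ERROR running installer: $_"
    exit 1
}
Write-Log "Pillar SOC installation completed successfully."
# NOTE(review): the installer is left behind in $TempDir (under the shared
# C:\Temp); remove it here if it is not needed for troubleshooting.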
# ==========================
# Sysmon Installation
# ==========================
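# Create Sysmon Folder if it Doesn't Exist
if (-not (Test-Path -Path $sysmonFolderPath -PathType Container)) {
    # Create the Folder. New-Item errors are non-terminating, so -ErrorAction
    # Stop is required for the catch below to actually run.
    try {
        New-Item -ItemType Directory -Path $sysmonFolderPath -Force -ErrorAction Stop | Out-Null
        Write-Log "Sysmon folder created successfully at $sysmonFolderPath"
    }
    catch {
        Write-Log "Error creating the Sysmon folder: $_"
        exit 1
    }
}
else {
    # NOTE(review): with default ACLs, standard users can typically create
    # subfolders under ProgramData. A pre-existing folder owned by such a user
    # would let them replace sysmon.exe and the updater script that the
    # scheduled task later runs as SYSTEM. Record the owner so this is visible
    # in the log rather than trusting the folder blindly.
    $folderOwner = (Get-Acl -Path $sysmonFolderPath).Owner
    Write-Log "The Sysmon folder already exists at $sysmonFolderPath (owner: $folderOwner)"
}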
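# Download Sysmon, Config, and Update Script
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Write-Log "Sysmon directory prepared."
# NOTE(review): the config and updater script are fetched from a third-party
# GitHub repository at 'master' with no pinning or hash check, and the updater
# is then executed hourly as SYSTEM by the task created below. Anyone who can
# push to that repository (or who compromises it) gets code execution as SYSTEM
# on every endpoint this script reaches. Mirror the files internally and/or pin
# a reviewed commit. The downloads previously had no error handling at all, so
# a failed fetch would silently run whatever was already on disk.
try {
    Invoke-WebRequest -Uri $sysmonURL -OutFile $sysmonPath -UseBasicParsing -ErrorAction Stop
    Invoke-WebRequest -Uri $sysmonConfigURL -OutFile $sysmonConfigPath -UseBasicParsing -ErrorAction Stop
    Invoke-WebRequest -Uri $sysmonUpdateConfig -OutFile $sysmonUpdatePath -UseBasicParsing -ErrorAction Stop
}
catch {
    Write-Log "ERROR downloading Sysmon components: $_"
    exit 1
}
Write-Log "Sysmon binaries and config downloaded."

# Sysinternals binaries are Authenticode-signed by Microsoft; refuse to execute
# anything else (a poisoned download, or a file swapped in the shared folder).
$sysmonSig = Get-AuthenticodeSignature -FilePath $sysmonPath
if ($sysmonSig.Status -ne 'Valid' -or $sysmonSig.SignerCertificate.Subject -notlike '*Microsoft*') {
    Write-Log "ERROR: sysmon.exe signature check failed (status: $($sysmonSig.Status); signer: $($sysmonSig.SignerCertificate.Subject))"
    exit 1
}

# Install Sysmon with Config. '-i' is rejected on a host where Sysmon is already
# installed, so use '-c' there to load the new configuration into the existing
# service. The exit code was previously ignored; check it.
$sysmonArgs = if (Get-Service -Name "Sysmon" -ErrorAction SilentlyContinue) {
    "-accepteula -c `"$sysmonConfigPath`""
} else {
    "-accepteula -i `"$sysmonConfigPath`""
}
try {
    $sysmonProc = Start-Process -FilePath $sysmonPath -ArgumentList $sysmonArgs -NoNewWindow -Wait -PassThru -ErrorAction Stop
}
catch {
    Write-Log "ERROR running sysmon.exe: $_"
    exit 1
}
if ($sysmonProc.ExitCode -ne 0) {
    Write-Log "ERROR: sysmon.exe exited with code $($sysmonProc.ExitCode) for arguments '$sysmonArgs'"
    exit 1
}
Write-Log "Sysmon installed / updated."

# Create a New Scheduled Task: hourly, as SYSTEM, running the downloaded
# updater. The inner quotes are escaped as \" , which is how schtasks expects
# a quoted path inside /TR; the original nested "" happened to work only
# because the path contains no spaces.
$taskCommand = "powershell.exe -ExecutionPolicy Bypass -File \`"$sysmonUpdatePath\`""
$createTask = Start-Process schtasks.exe -ArgumentList "/Create /RU SYSTEM /RL HIGHEST /SC HOURLY /TN Update_Sysmon_Rules /TR `"$taskCommand`" /f" -Wait -WindowStyle Hidden -PassThru
if ($createTask.ExitCode -ne 0) {
    Write-Log "ERROR: schtasks /Create exited with code $($createTask.ExitCode)"
    exit 1
}
$runTask = Start-Process schtasks.exe -ArgumentList '/Run /TN Update_Sysmon_Rules' -Wait -WindowStyle Hidden -PassThru
if ($runTask.ExitCode -ne 0) {
    Write-Log "WARNING: schtasks /Run exited with code $($runTask.ExitCode); the task will still fire on its hourly schedule"
}
Write-Log "Sysmon update scheduled task created and executed."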
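# Define Sysmon service Name
$sysmonServiceName = "Sysmon"
# Check that the Sysmon service exists AND is running: an installed-but-stopped
# service would leave the host without telemetry while this script still
# reported success. Failures are logged and exit 1 like every other step,
# instead of being thrown to the console where the log file never sees them.
$sysmonService = Get-Service -Name $sysmonServiceName -ErrorAction SilentlyContinue
if (-not $sysmonService) {
    Write-Log "ERROR: Sysmon service does not exist"
    exit 1
}
if ($sysmonService.Status -ne 'Running') {
    Write-Log "ERROR: Sysmon service exists but is in state '$($sysmonService.Status)'"
    exit 1
}
Write-Log "Sysmon validation successful."
# Check if Scheduled Task is Created Successfully
$updateTask = Get-ScheduledTask -TaskName "Update_Sysmon_Rules" -ErrorAction SilentlyContinue
if (-not $updateTask) {
    Write-Log "ERROR: Scheduled task creation failed"
    exit 1
}
Write-Log "Scheduled task 'Update_Sysmon_Rules' present (state: $($updateTask.State))."
Write-Log "Deployment of Pillar SOC and Sysmon completed successfully."
exit 0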