# Deploy Threat Stack Windows Agent 2.x Series

## Overview

This document describes the installation and configuration steps for the Threat Stack host-based Windows Agent 2.x series.

Pre-Installation for the Threat Stack Agent

Before you install the Threat Stack host-based Agent, please ensure your environment supports one of the following Windows Server Operating System (OS) versions:

• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019

If you want to run your Agent from a least privileged account, then starting in Threat Stack Windows Agent 2.2.1 you will need to uninstall your existing Windows Agent and install the 2.2.1 version, using the new least privileged option, detailed in the instructions below. For more information on the differences between running the Agent on a root account and a least privileged account, see Windows Agent Permissions and Privileges.

Installing the Threat Stack Agent

### Prerequisites

• Access to an account on the Threat Stack Cloud Security PlatformⓇ (CSP).
• Ensure you have administrator privileges on the host to perform the installation.

Click one of the following options to download the Windows Agent software:

• To pin a specific version of the Windows Agent, then use the following format: pkg.threatstack.com/v2/Windows/Threat+Stack+Cloud+Security+Agent.X.X.X.msi. Replace the X's with the release version number. The most recent release is 2.2.2.

Once you have downloaded the installer, select one of the installation methods below.

Windows Setup Installation

#### Important

Ensure you are logged into the machine on an administrator account before proceeding.

1. Go to the location of the Threat Stack Cloud Security Agent.msi file.
2. Double click the file to run it. A setup wizard window opens.
3. Click the Next button.

4. Optionally, update the following settings:

• Install Threat Stack Cloud Security Platform to – By default, the value is "C:\Program Files\Threat Stack\". Click the Change button to browse to a location of your choice. The default installation location.
• Threat Stack URL – By default, the value is set to “https://app.threatstack.com”. Threat Stack does not recommend changing this value.
• Enter the Ruleset Name – By default, the value is set to Windows Rule Set. You can include multiple rule sets by separating them with a comma. For example, to include a Windows and a PCI ruleset, type the following:
Windows Rule Set, PCI Rule Set
• Enter the Deployment Key – Your deployment key is required to complete the installation. To find your deployment key, log into your Threat Stack CSP on the web, and go to the Settings page > Application Keys tab > Deployment Key section.
• Password for the ThreatStack Account – You can choose to have the Agent run under a least privileged account by specifying a new password for the ThreatStack account, which will then be created for the Agent to run under.

#### Important

The Windows Agent cannot check the health of the EventLog and/or Sysmon services when run as a least privileged account. A warning message is logged when the Agent starts to record this fact.

Leave this field blank to allow the Agent to run using the default root “LocalSystem” account.

• Start the services after setup is complete checkbox – By default, the checkbox is selected. If you deselect the checkbox, then the Windows Agent installs services but does not start until you reboot the host.
• Monitor Sysmon Events checkbox – By default, this checkbox is not selected. Select this checkbox to enable the Threat Stack Agent to monitor Sysmon events.
5. Click the Next button.
6. Once you review your selections, click the Install button.

#### Note

If you have administrator privileges but are not logged into your administrator account, then when you click the Install button, a User Account Control (UAC) notification message displays.

1. Once the installation completes, a confirmation message displays. Click the Finish button to close the window.
2. To confirm the Windows Agent is running on the host, open a Command Prompt window.
3. In the install directory, type the following command and press ENTER
tsagent status

Your newly installed server displays in the Threat Stack CSP on the Servers page.

Command Line Installation

The Agent can be installed from the command line by either using Windows PowerShell or a Command Line. The example below shows the installation process using the Command Line.

#### Important

Ensure you are logged into the machine on an administrator account before proceeding.

1. Open the Command Line Window as an administrator.
2. Type the following command and press ENTER:
msiexec /qn /i "c:\path\to\threatstack.msi" TSDEPLOYKEY="<DEPLOY_KEY>"
The command line parameters are as follows:
• “C:\path\to\threatstack.msi” – Indicates the location of the msi installer. For example, if the installer was saved in the Downloads folder on your server, then you type:
“C:\Users\Administrator\Downloads\threatstack.msi”
• TSDEPLOYKEY – Indicates the deployment key used to register with the platform. Replace <DEPLOY_KEY> with your deployment key, which can be found by logging into your Threat Stack CSP and going to the Settings page > Application Keys tab > Deployment Key section.
• TSACCOUNTPASSWORD (optional) – You can choose to have the Agent run with the minimum necessary privileges and permissions by specifying a new password for the Agent. This then creates a “ThreatStack” account under which the Agent runs. For example, to create the “ThreatStack” account using the password 1234567890!@#$%^&*()qwerty, type: TSACCOUNTPASSWORD=“1234567890!@#$%^&*()qwerty”

#### Important

The Windows Agent cannot check the health of the EventLog and/or Sysmon services when run as a least privileged account. A warning message is logged when the Agent starts to record this fact.

If you do not use this command, then the Agent defaults to using the “LocalSystem” root account.

• TSPROXY=[insert proxy URL:PORT here](optional) – You can choose to forward TCP/IP connections through a forward proxy by adding this command. For example, to configure the Agent to use the proxy at http://10.11.12.13 listening on port 4567:
TSPROXY=http://10.11.12.13:4567
• TSEVENTLOGLIST (optional) – You can choose to capture System Monitoring (Sysmon) events by adding the following command:
TSEVENTLOGLIST=“Security,Microsoft-Windows-Sysmon/Operational”
• TSCLOUDURL (optional) – Indicates the URL of the Threat Stack CSP. By default, the value is https://app.threatstack.com.
• TSRULESETNAMES (optional) – Indicates the rule set(s) being used. The value defaults to the Windows Rule Set. You can include multiple rule sets by separating them with a comma. For example, to include a Windows and a PCI rule set, type the following:
TSRULESETNAMES=“Windows Rule Set, PCI Rule Set”
• TSSTARTSERVICES (optional) – You can set the Threat Stack Agent (tsagent) service to not start after the installation by adding the following command:
TSSTARTSERVICES=”No”
command.

The services only start once you reboot the host.

• INSTALLDIR (optional) – Indicates the installation location. By default, the value is "C:\Program Files\Threat Stack\".

The installation runs in the background. Once complete, a new command line displays.

3. To confirm the Agent is running on the host, in the install directory, type the following command and press ENTER:
tsagent status

If the correct parameters were used to install the Windows Agent, then a "tsagent is running and connected" message displays. Additionally, your newly installed server displays in the Threat Stack CSP on the Servers page.

System Monitor (Sysmon) Installation and Configuration

The Threat Stack Windows Agent leverages System Monitor(Sysmon) functionality to focus on security-related events. The majority of rules within the Windows Ruleset rely on Sysmon logs, so we recommend installing Sysmon for optimal performance of the Windows Agent and its associated rules. For customers who choose not to install Sysmon, the functionality of the Windows Agent is limited. However, the Agent will still be able to monitor the host (system) through File Integrity Monitoring (FIM) and a subset of events from the Security event log.

Given the volume of information logged by Sysmon, and some of the complexity and logic available to end users, it is best to apply a configuration file that filters out normal operating system processes and common applications. We recommend using SwiftOnSecurity's well-commented configuration file.

For a full list of Sysmon events supported by the Threat Stack Agent, see this list.

1. Review this Microsoft article for a description of Sysmon's functionality and configuration.
2. Click the button to download the Sysmon files as a .zip.
3. Unzip into the C:\Temp directory.

• Eula.txt – An end user license agreement file.
• Sysmon.exe – A 32-bit Sysmon binary used for installing on 32-bit operating systems.
• Sysmon64.exe – A 64-bit Sysmon binary used for installing on 64-bit operating systems.
4. Copy https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml file and save as a file in the C:\Temp\sysmonconfig.xml directory.

#### Notes

• SwiftOnSecurity provides a base configuration for a majority of Sysmon event IDs that can be used as a recommended security standard. Use the SwiftOnSecurity configuration to configure Sysmon.
• Configure support for event IDs 23 – 25 separately, either by using a custom configuration of SwiftOnSecurity’s base configuration or a third-party Sysmon configuration.

### Install Sysmon

#### Important

Ensure you are logged into the machine on an administrator account before proceeding.

1. Open the Command Line window.
2. Type the following command and press ENTER:
sysmon -i sysmonconf.xml

#### Note

The command in this example assumes you downloaded the Sysmon configuration file to the same folder where you saved your Sysmon file.

Once installed, Sysmon starts writing logs to a newly created Event Log. You view the log within the Event Viewer by going to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

This log file defaults to a maximum size of approximately 65 megabytes (MB). Sysmon rewrites the oldest logs once this limit is reached. This default size should be sufficient for most customers.

### Configure the Threat Stack Agent

#### Important

Ensure you are logged into the machine on an administrator account before proceeding.

1. Open the Command Line window.
2. Type the following command to enable monitoring of both the Security and Sysmon Event Logs and press ENTER:
tsagent config --set EventLogs "Security,Microsoft-Windows-Sysmon/Operational"
3. Type the following command to restart the Agent and press ENTER.
tsagent restart

You now see events from Sysmon, such as event id 1 for process creation in the Threat Stack Cloud Security Platform (CSP) UI.