
Deploy a Sensor on Windows

This guide walks you through installing and enrolling an AttackLens sensor on a Windows machine.

Prerequisites

  • Role: Posture Manager or higher.
  • Enrollment token: You need a valid enrollment token. See Create an Enrollment Token if you have not created one yet.
  • Network access: The target machine must be able to reach your AttackLens instance over HTTPS.
  • Permissions: Administrator access on the target machine.

Step 1: Download the Sensor Binary

  1. In AttackLens, navigate to Settings > Sensor Downloads.
  2. Download sensor-windows-amd64.exe.

Transfer the file to the target machine if you downloaded it on a different computer.

Step 2: Open an Elevated PowerShell Prompt

Right-click the Start menu and select Windows Terminal (Admin) or PowerShell (Admin). All commands below require an elevated (administrator) session.

Step 3: Move the Binary to a System Location

Create a directory for the sensor and move the binary:

powershell
New-Item -ItemType Directory -Path "C:\Program Files\AttackLens" -Force
Move-Item -Path "$env:USERPROFILE\Downloads\sensor-windows-amd64.exe" `
          -Destination "C:\Program Files\AttackLens\attacklens-sensor.exe"

Step 4: Enroll the Sensor

Run the enrollment command:

powershell
& "C:\Program Files\AttackLens\attacklens-sensor.exe" enroll `
  --server https://your-attacklens-instance:8080 `
  --token YOUR_ENROLLMENT_TOKEN

Replace:

  • your-attacklens-instance:8080 with the actual hostname and port of your AttackLens backend.
  • YOUR_ENROLLMENT_TOKEN with the token you copied from AttackLens.

On successful enrollment, you will see output similar to:

[INFO] Enrolling sensor with AttackLens backend...
[INFO] Enrollment successful. Sensor ID: s-a1b2c3d4
[INFO] Starting sensor service...
[INFO] Sensor is now running.

Step 5: Install as a Windows Service

Register the sensor as a Windows service so it starts automatically on boot:

powershell
& "C:\Program Files\AttackLens\attacklens-sensor.exe" install-service

Start the service:

powershell
Start-Service -Name "AttackLensSensor"

Verify it is running:

powershell
Get-Service -Name "AttackLensSensor"

You should see the status as Running.

TIP

The sensor registers itself as the AttackLensSensor Windows service with automatic startup type. You can also manage it from the Windows Services management console (services.msc).

Step 6: Verify the Sensor

In AttackLens, navigate to Sensors to confirm the new sensor appears in the list with an Online status.

WARNING

If the sensor shows as Pending for more than a few minutes, check the sensor logs. The sensor writes logs to:

C:\Program Files\AttackLens\logs\sensor.log

You can also check the Windows Event Viewer under Application for entries from the AttackLensSensor source.

Common issues include incorrect server URLs, expired enrollment tokens, firewall blocking outbound HTTPS, or TLS certificate trust issues.
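
The checks named in this warning can be run as one triage script from an elevated PowerShell prompt on the sensor host. This is an added example, not part of the AttackLens documentation. The `$Server` value is the placeholder from Step 4, and the TLS step assumes the sensor validates certificates against the Windows trust store.

```powershell
# Added triage example. $Server is a placeholder: use the value you passed to --server.
$Server  = [uri]'https://your-attacklens-instance:8080'
$LogPath = 'C:\Program Files\AttackLens\logs\sensor.log'

# 1. Is the service installed and running?
Get-Service -Name 'AttackLensSensor' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 2. Tail of the sensor log, plus recent Application events from the sensor source.
if (Test-Path $LogPath) { Get-Content -Path $LogPath -Tail 40 }
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AttackLensSensor' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, Message

# 3. Outbound TCP reachability: a wrong hostname/port or a firewall block fails here.
$tcp = Test-NetConnection -ComputerName $Server.Host -Port $Server.Port `
    -WarningAction SilentlyContinue
"TCP {0}:{1} reachable: {2}" -f $Server.Host, $Server.Port, $tcp.TcpTestSucceeded

# 4. TLS handshake with default validation (assumption: the sensor uses the same trust store).
if ($tcp.TcpTestSucceeded) {
    $ssl    = $null
    $client = [System.Net.Sockets.TcpClient]::new($Server.Host, $Server.Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Throws if the chain is untrusted, expired, or the name does not match.
        $ssl.AuthenticateAsClient($Server.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $ssl.RemoteCertificate)
        "TLS OK: {0}, expires {1:u}" -f $cert.Subject, $cert.NotAfter
    } catch {
        "TLS handshake failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}
```

A failure at step 3 points to the server URL or firewall; a failure at step 4 points to certificate trust. If both pass and the log still shows enrollment errors, check the token.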

Windows Firewall Configuration

The sensor only requires outbound HTTPS access to your AttackLens backend. If your organization uses strict outbound firewall rules, allow the following:

Direction | Protocol | Port        | Destination
Outbound  | TCP      | 443 or 8080 | Your AttackLens instance hostname

No inbound rules are required.

Verify Data Collection

Once the sensor is online, it will begin its first data collection cycle. You can verify data is flowing by:

  1. Navigating to Sensors and clicking on the new sensor.
  2. Checking the Last Seen timestamp -- it should update within the collection interval.
  3. Navigating to Inventory to see the installed programs, Windows services, and security configurations discovered on the endpoint.

Uninstalling the Sensor

To remove a sensor from a Windows machine, open an elevated PowerShell prompt:

powershell
& "C:\Program Files\AttackLens\attacklens-sensor.exe" uninstall-service
Stop-Service -Name "AttackLensSensor" -ErrorAction SilentlyContinue
Remove-Item -Recurse -Force "C:\Program Files\AttackLens"

INFO

Uninstalling the sensor from the machine does not remove it from AttackLens. The sensor will appear as Offline in the sensor list. You can delete the sensor record from the AttackLens UI if it is no longer needed.
