Monitoring USB Drives in Windows using Wazuh
750 views
Skip to first unread message
Joven Ang
Nov 4, 2020, 2:11:27 AM11/4/20
to Wazuh mailing list
Hi,
From what I see on your official site (https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/), you stated an example to create a usb-devices text file in directory /var/ossec/etc/lists:
etc/lists/usb-devices
60A44C413DF8FE11898C0148:USBDrive_A.Marin_Sec.Dep
4C531123611118109134:USBDrive_D.Ramsey_Comm.Dep
0019E06B9C8DBA5040000119:USBDrive_A.West_HumRes.Dep
5758473141363639325A5550:USBHDD_S.Sullivan_Sec.Dep
Can I check if I want to enable it to just detect any usb devices, but not required to make rules of authorized USB devices, do I still need to make this file?
Thanks!
Regards,
Joven
Jesus Linares
Nov 4, 2020, 3:13:49 AM11/4/20
to Wazuh mailing list
Hi Joven,
If you want to detect any USB device, you don't need that file. Also, change the rules from:
<rule id="100002" level="5">
<if_sid>18104</if_sid>
<id>^6416$</id>
<description>Windows: Authorized PNP device connected.</description>
</rule>
<rule id="100003" level="7">
<if_sid>18104</if_sid>
<id>^6416$</id>
<list field="usb.serial_number" lookup="not_match_key">etc/lists/usb-devices</list>
<description>Windows: Unauthorized PNP device connected.</description>
</rule>to:
<rule id="100002" level="5">
<if_sid>18104</if_sid>
<id>^6416$</id>
<description>Windows: PNP device connected.</description>
</rule>Let me know if you have any questions.
Regards.
Joven Ang
Nov 4, 2020, 3:43:29 AM11/4/20
to Jesus Linares, Wazuh mailing list
Hi Jesus,
I see. If my type of situation is I have a Security Onion VM and a Win10 VM, where Security Onion will act as the manager, and Win10 will act as the agent, where do I put the various codes in? Like is it normally the manager or agent side?
Regards,
Joven
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/7NLV3Zut9NI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f50f8239-189a-44bd-a510-782a31ebff24o%40googlegroups.com.
Joven Ang
Nov 4, 2020, 9:17:35 AM11/4/20
to Jesus Linares, Wazuh mailing list
Hi Jesus,
appreciate if you could help me out as my submission for this project to my school is by end of this week. Thanks!
Regards,
Joven
Jesus Linares
Nov 4, 2020, 12:52:19 PM11/4/20
to Wazuh mailing list
Hi Joven,
Rules are located in the manager.
Just follow the blog post, but in the section "Adding decoders and rules." instead of using the rules described in the blog post, use the rules that I sent you in the previous comment.
I hope it helps.
To unsubscribe from this group and all its topics, send an email to wazuh+unsubscribe@googlegroups.com.
Joven Ang
Nov 4, 2020, 8:19:20 PM11/4/20
to Wazuh mailing list
Hi Jesus,
Noted. Have placed the configurations inside manager. But I still don't see any alerts of USB in either the alerts.log or alerts.json on the SecOnion VM after I plug in a thumbdrive in the Win10 VM. Already restarted the service as well, but no effect.
Regards,
Joven
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
Joven Ang
Nov 5, 2020, 1:53:16 AM11/5/20
to Wazuh mailing list, Jesus Linares
Hi Jesus,
Can I check if a USB has been plugged in to the agent machine before, does it still detect and give an alert if its ejected and then plugged in again? Like I'm curious whether devices that have been plugged in before, and then for subsequent plug ins it will not generate an alert as it is the same device which already has a record previously? Does the 6416 rule still apply to repeat plug ins of same device, or is there another rule for it?
Regards,
Joven
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/dd84cfa1-a121-42a1-a227-f13e0697f511n%40googlegroups.com.
Jesus Linares
Nov 5, 2020, 2:22:34 PM11/5/20
to Wazuh mailing list
Hi Joven,
Please, enable the archives setting in your manager and follow this process for troubleshooting:
- Agent: Insert a USB
- Agent: Check in the WIndows Event viewer if you see the proper event (6416)
- Manager: Check if you see the event in /var/ossec/logs/archives/archives.json
- Manager: Check if you see the alert in /var/ossec/logs/alerts/alerts.json
- Wazuh WUI (Kibana): Check if you see the alert in the discover tab
Let us know if which step is failing and we will help you.
To unsubscribe from this group and all its topics, send an email to wazuh+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f50f8239-189a-44bd-a510-782a31ebff24o%40googlegroups.com.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/7NLV3Zut9NI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+unsubscribe@googlegroups.com.
Víctor Ariel Hermosa Riveros
Sep 20, 2022, 3:24:02 PM9/20/22
to Wazuh mailing list
I know is oldie but...
1)Insert USB
2)I get in the Agent Event Viewer the Event 6416
El sistema ha reconocido un nuevo dispositivo externo.
Asunto:
Id. de seguridad: SYSTEM
Nombre de cuenta: NB16032201$
Dominio de la cuenta: BEPSA
Id. de inicio de sesión: 0x3E7
Id. de dispositivo: HID\VID_1B1C&PID_1B3C&MI_00&Col01\7&1c409cb&0&0000
Nombre del dispositivo: HID-compliant mouse
Id. de clase: {4d36e96f-e325-11ce-bfc1-08002be10318}
Nombre de clase: Mouse
Id. de proveedor:
HID\VID_1B1C&PID_1B3C&REV_0308&MI_00&Col01
HID\VID_1B1C&PID_1B3C&MI_00&Col01
HID\VID_1B1C&UP:0001_U:0002
HID_DEVICE_SYSTEM_MOUSE
HID_DEVICE_UP:0001_U:0002
HID_DEVICE
Id. compatible:
.
Asunto:
Id. de seguridad: SYSTEM
Nombre de cuenta: NB16032201$
Dominio de la cuenta: BEPSA
Id. de inicio de sesión: 0x3E7
Id. de dispositivo: HID\VID_1B1C&PID_1B3C&MI_00&Col01\7&1c409cb&0&0000
Nombre del dispositivo: HID-compliant mouse
Id. de clase: {4d36e96f-e325-11ce-bfc1-08002be10318}
Nombre de clase: Mouse
Id. de proveedor:
HID\VID_1B1C&PID_1B3C&REV_0308&MI_00&Col01
HID\VID_1B1C&PID_1B3C&MI_00&Col01
HID\VID_1B1C&UP:0001_U:0002
HID_DEVICE_SYSTEM_MOUSE
HID_DEVICE_UP:0001_U:0002
HID_DEVICE
Id. compatible:
.
.
.
3 )
"agent":{"id":"001","name":"nb16032201","ip":"192.168.100.4"},"manager":{"name":"tmpltubuntu"},"id":"1663655745.52100","full_log":"{\"win\":{\"system\":{\"providerName\":\"hcmon\",\"eventID\":\"0\",\"version\":\"0\",\"level\":\"3\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x80000000000000\",\"systemTime\":\"2022-09-20T06:35:44.4868375Z\",\"eventRecordID\":\"111412\",\"processID\":\"4\",\"threadID\":\"11960\",\"channel\":\"System\",\"computer\":\"nb16032201.bepsa.com.py\",\"severityValue\":\"WARNING\",\"message\":\"\\\"Detected unrecognized USB driver (\\\\Driver\\\\USBPcap).\\\"\"},\"eventdata\":{\"binary\":\"00000000020028000000000000000080000000000000000000000000000000000000000000000000\",\"data\":\"\\\\\\\\Device\\\\\\\\hcmon, \\\\\\\\Driver\\\\\\\\USBPcap\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"hcmon","eventID":"0","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2022-09-20T06:35:44.4868375Z","eventRecordID":"111412","processID":"4","threadID":"11960","channel":"System","computer":"nb16032201.bepsa.com.py","severityValue":"WARNING","message":"\"Detected unrecognized USB driver (\\Driver\\USBPcap).\""},"eventdata":{"binary":"00000000020028000000000000000080000000000000000000000000000000000000000000000000","data":"\\\\Device\\\\hcmon, \\\\Driver\\\\USBPcap"}}},"location":"EventChannel"}{"timestamp":"2022-09-20T02:35:45.556-0400","agent":{"id":"001","name":"nb16032201","ip":"192.168.100.4"},"manager":{"name":"tmpltubuntu"},"id":"1663655745.52100","full_log":"{\"win\":{\"system\":{\"providerName\":\"hcmon\",\"eventID\":\"0\",\"version\":\"0\",\"level\":\"3\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x80000000000000\",\"systemTime\":\"2022-09-20T06:35:44.4868375Z\",\"eventRecordID\":\"111413\",\"processID\":\"4\",\"threadID\":\"11960\",\"channel\":\"System\",\"computer\":\"nb16032201.bepsa.com.py\",\"severityValue\":\"WARNING\",\"message\":\"\\\"Detected unrecognized USB driver (\\\\Driver\\\\USBPcap).\\\"\"},\"eventdata\":{\"binary\":\"00000000020028000000000000000080000000000000000000000000000000000000000000000000\",\"data\":\"\\\\\\\\Device\\\\\\\\hcmon, \\\\\\\\Driver\\\\\\\\USBPcap\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"hcmon","eventID":"0","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2022-09-20T06:35:44.4868375Z","eventRecordID":"111413","processID":"4","threadID":"11960","channel":"System","computer":"nb16032201.bepsa.com.py","severityValue":"WARNING","message":"\"Detected unrecognized USB driver (\\Driver\\USBPcap).\""},"eventdata":{"binary":"00000000020028000000000000000080000000000000000000000000000000000000000000000000","data":"\\\\Device\\\\hcmon, \\\\Driver\\\\USBPcap"}}},"location":"EventChannel"}
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f50f8239-189a-44bd-a510-782a31ebff24o%40googlegroups.com.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/7NLV3Zut9NI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages