Re: [ossec-list] USB storage detect & recursive file list


Pedro Sanchez

unread,
Apr 19, 2016, 3:46:17 PM4/19/16
to ossec...@googlegroups.com
Hi,

Nice commands, very useful, thanks for sharing.

Both commands are working in my lab; the second one prints the full list of files to the terminal and writes it into the C:\temp\test.txt file (watch out for the last " quote before </command>).

I am not sure if you need to merge the two commands' output into the same alert; in that case, I can only think of combining both and running just one <localfile>.


Regards,

Pedro S.


On Tue, Apr 19, 2016 at 9:23 PM, Jacob Mcgrath <jacob.xt...@gmail.com> wrote:
I have a basic Windows agent setting to alert me when a storage device is detected using PowerShell.

<localfile>
    <log_format>full_command</log_format>
    <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
    <frequency>300</frequency>
    <alias>USBDevices</alias>
</localfile>


with the following rule in local_rules.xml:

<rule id="503002" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'USBDevices'</match>
    <check_diff />
    <description>Mounted Device change detected</description>
</rule>



Of course I get this alert, which is nice for basic logging:

OSSEC HIDS Notification.
2016 Apr 19 18:35:31

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
InterfaceType          : IDE
serialnumber           : 359ZMW6MS
Size                   : 1000202273280
MediaType              : Fixed hard disk media
CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA00000000000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA00000000000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M

--END OF NOTIFICATION



I was playing around with PowerShell and have an optional command to print out the USB storage device's files recursively:


powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)


This gives me the following output in tmp.txt if run from a PowerShell window or the Run line:


    Directory: F:\


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
-a---        11/06/2015  12:38 PM   22908888 mbam-setup-2.2.0.1024.exe         
-a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe           


    Directory: E:\


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
-a---        12/06/2011   9:51 AM     388608 HijackThis.exe                    
-a---        03/04/2016   2:44 PM   22908888 mbam-setup-2.2.0.1024.exe         
-a---        03/04/2016   2:46 PM       9524 hijackthis.log
       

I have been attempting to get the above USB recursive file list into a USB detection report, but have not had any success as of yet using the above command instead of the first one, like below:



<localfile>
    <log_format>full_command</log_format>
    <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
    <frequency>300</frequency>
    <alias>USBDevices</alias>
</localfile>


This gives me an empty C:\temp\test.txt file...


Any suggestions would be appreciated...


--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jacob Mcgrath

unread,
Apr 19, 2016, 4:06:42 PM4/19/16
to ossec-list
I have nominal success with this <localfile>:

<localfile>
    <log_format>full_command</log_format>
    <command>powershell.exe "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)" </command>
    <frequency>60</frequency>
    <alias>USBDevices</alias>
</localfile>





OSSEC HIDS Notification.
2016 Apr 19 19:46:53

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
    Directory: F:\

--END OF NOTIFICATION


It is missing the remaining content of that C:\temp\tmp.txt ... But I am close :)

Jacob Mcgrath

unread,
Apr 19, 2016, 6:39:10 PM4/19/16
to ossec-list
Will try dropping the | select -Skip 2 from the Get-Content to see if that works, or maybe a -Raw output arg.

Pedro Sanchez

unread,
Apr 20, 2016, 11:51:02 AM4/20/16
to ossec...@googlegroups.com
I think <command> has a character limit; try removing empty spaces or making the test.txt content shorter.

Jacob Mcgrath

unread,
Apr 20, 2016, 4:23:31 PM4/20/16
to ossec-list
Wonder if I could wrap it into a test.ps1 and execute it through <command> powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1

Jacob Mcgrath

unread,
Apr 20, 2016, 6:18:30 PM4/20/16
to ossec-list
I have a batch script I wrote that could be used as a replacement for PowerShell...

@echo off
rem wmic prints "Name=F:" for each logical disk of drivetype 2 (removable);
rem the loop keeps the last drive letter it saw in %var%
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
    set var=%%d
)
echo.
rem if no removable drive exists, %var% is empty and dir lists the current directory
dir /s %var% > C:\temp\test.txt
type C:\temp\test.txt

rem pause is only for running by hand; remove it before the agent runs the script, or it waits for a keypress
pause


The output is this when USB drives are available:

 Volume in drive F is F
 Volume Serial Number is 2971-7DFC

 Directory of F:\

08/11/2015  09:21 PM        12,836,794 38 Special - Caught Up In You.mp4
08/11/2015  09:21 PM        13,973,320 38 Special - Hold On Loosely.mp4
08/11/2015  09:14 PM        10,296,703 Alanis Morissette - Hand In My Pocket.mp4
08/11/2015  09:15 PM        19,490,518 Alanis Morissette - Ironic OFFICIAL VIDEO.mp4
08/11/2015  07:46 PM        10,015,763 All That Remains - Hold On.mp4
08/11/2015  07:46 PM        14,173,662 All That Remains - What If I Was Nothing.mp4
08/11/2015  07:20 PM        14,071,850 Andy Grammer - Honey Im Good Official Music Video.mp4

And this when none are inserted (this being run from my user's Desktop directory... (I was looking at running this .bat from the OSSEC agent-side bin) or a sub folder of that:

Volume in drive C has no label.
 Volume Serial Number is 84F7-A037

 Directory of C:\Program Files\ossec-agent\active-response\bin

04/20/2016  05:14 PM    <DIR>          .
04/20/2016  05:14 PM    <DIR>          ..
04/19/2016  05:30 PM               515 restart-ossec.cmd
04/19/2016  05:30 PM             1,520 route-null.cmd
04/20/2016  05:04 PM               215 usb.bat
               3 File(s)          2,250 bytes

     Total Files Listed:
               3 File(s)          2,250 bytes
               2 Dir(s)  860,057,559,040 bytes free

One of my concerns is getting this script info into the email alerts as well as into OSSEC's host logs, in order to search via a keyword, say "usb", in ELSA... I am still not totally up to speed on how this works.

namobud...@gmail.com

unread,
Apr 22, 2016, 1:05:13 PM4/22/16
to ossec-list
Can I just throw this into my local rules and it will detect plugged in USB devices?

<rule id="503002" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'USB-Audit'</match>
    <check_diff />
    <description>USB Connected - Current Session Information</description>
</rule>

Jacob Mcgrath

unread,
Apr 28, 2016, 11:21:58 AM4/28/16
to ossec-list
Ok, here is my .bat script I use to check for and list the files contained within the USB drive. If no drive is detected the output file would not change, therefore not causing an alarm when the drive is removed.

@echo off
set host=%COMPUTERNAME%

rem fsutil fsinfo drives prints "Drives: C:\ D:\ F:\"; tokens=1* puts the list in %%b
for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
   rem check every drive letter for its drive type
   for %%c in (%%b) do (
      for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
         if %%d equ Removable (
            rem header line: host name, its address from nslookup and user, which is never set here so it expands to nothing
            for /f "skip=4 usebackq tokens=2" %%a in (`nslookup %host%`) do echo %host% %%a %user% > C:\temp\usbstor.txt
            echo Drive %%c is Removable (USB^)
            rem recursive listing appended to the same file, then echoed to stdout for the agent to pick up
            dir /s %%c >> C:\temp\usbstor.txt
            type C:\temp\usbstor.txt
         )
      )
   )
)


Now in the Windows agent config I have the entry that runs the .bat script every so many minutes or seconds (I have mine set for 30 seconds for testing, but 60 seconds would be more realistic).

<localfile>
    <log_format>full_command</log_format>
    <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
    <frequency>30</frequency>
    <alias>USBDevices</alias>
</localfile>

On the Ossec server side I have this entry on the local_rules.xml

<rule id="503002" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'USBDevices'</match>
    <check_diff />
    <description>Mounted Device change detected</description>
</rule>


After this I restart the OSSEC server and agent, wait a minute, then insert a USB drive. I get an email alert similar to this:

OSSEC HIDS Notification.
2016 Apr 28 15:11:29

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Drive F:\ is Removable (USB)
MIS41 10.18.100.24
 Volume in drive F is OS
 Volume Serial Number is 642E-1FF6

 Directory of F:\

11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
               2 File(s)    420,707,840 bytes

 Directory of F:\System Volume Information

11/05/2015  08:56 AM    <DIR>          .
11/05/2015  08:56 AM    <DIR>          ..
11/05/2015  08:56 AM                76 IndexerVolumeGuid
01/13/2016  02:41 PM                12 WPSettings.dat
               2 File(s)             88 bytes

     Total Files Listed:
               4 File(s)    420,707,928 bytes
               2 Dir(s)   3,328,983,040 bytes free

Previous output:
ossec: output: 'USBDevices':

--END OF NOTIFICATION


In Squert I can see this:
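A PowerShell version of the usb-audit.bat above, along the lines of the test.ps1 wrapper Jacob suggested earlier in the thread; this is an added example, not a script posted by anyone in the thread. The script path in the <command> line, the output file and the "Host/User" header format are assumptions, and it is written for PowerShell 2.0 so it runs on the Windows 7 era agents the thread is about.

```powershell
# usb-audit.ps1 -- added example, not a script from this thread.
# Assumed agent config line (path is an assumption):
#   <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Admin_Tools\USB_Audit\usb-audit.ps1</command>
$OutFile = 'C:\temp\usbstor.txt'   # assumed path, same file the batch script uses

# DriveType 2 = removable media, the same Win32_Volume filter used earlier in the thread
$removable = Get-WmiObject -Class Win32_Volume -Filter "DriveType='2'" |
    Where-Object { $_.DriveLetter } |
    Sort-Object -Property DriveLetter

if (-not $removable) {
    # Nothing plugged in: produce no output. check_diff compares this command's
    # whole output with the previous run, so an inserted drive, a removed drive
    # and any change to the drive's contents all show up as a difference.
    exit 0
}

$lines = New-Object System.Collections.Generic.List[string]
$lines.Add("Host: $env:COMPUTERNAME  User: $env:USERNAME")

foreach ($vol in $removable) {
    $root = "$($vol.DriveLetter)\"
    $lines.Add("Drive $root is Removable (USB) Label='$($vol.Label)' VolumeSerial=$($vol.SerialNumber)")
    # Files only, sorted by full path, fixed-width fields: a stable listing means
    # check_diff only fires when something on the drive actually changed.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object -Property FullName |
        ForEach-Object {
            $lines.Add(('{0,12} {1:yyyy-MM-dd HH:mm} {2}' -f $_.Length, $_.LastWriteTime, $_.FullName))
        }
}

# Keep a copy on disk for local review and echo it to stdout, which is what
# full_command sends to the server under the 'USBDevices' alias.
Set-Content -Path $OutFile -Value $lines -Encoding ASCII
$lines
```

The existing rule 503002 with <check_diff /> works unchanged against this output; because there is no pause or interactive step, the script is safe to run unattended from <localfile>.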

Jacob Mcgrath

unread,
Apr 28, 2016, 11:29:55 AM4/28/16
to ossec-list
And I get this in Squert on my Security Onion...
