USB devices detection


Massimiliano De Falco

Jan 13, 2023, 9:36:56 AM1/13/23
to Wazuh mailing list
Good morning to all.
My goal is to know when the user inserts and removes a USB device and (better) what file is created/modified/deleted on USB devices.

I have configured the agent.conf file:

<agent_config>
    <!-- Shared agent configuration here -->
    <syscheck>
        <frequency>10800</frequency>
        <directories check_all="yes" realtime="yes" report_changes="yes" whodata="yes">C:\\Users</directories>
        <ignore>C:\\Users\\%USERNAME%\\appdata</ignore>
    </syscheck>

    <localfile>
        <log_format>full_command</log_format>
        <command>powershell "Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }"</command>
        <frequency>30</frequency>
    </localfile>
</agent_config>

and the local_rules.xml:

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
 
  <rule id="100010" level="0">
    <program_name>USER_logged</program_name>
    <description>User logged</description>
  </rule>

 
  <rule id="140126" level="7">
    <if_sid>530</if_sid>
    <match type="pcre2">ossec: output:.*?Get-PnpDevice</match>
    <check_diff />
    <description>New USB device connected</description>
  </rule>

</group>

but no /var/ossec/logs/archives/archives.json file is created and there is no USB timestamp in /var/ossec/logs/alerts/alerts.json.

How can I know if the config works fine?
Thanks.
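The rule in the post above relies on two things: the full_command log line must match the pcre2 expression, and check_diff must see the command output change between runs. The following Python is an added example (not code from the thread or from Wazuh) that simulates that pipeline over constructed Get-PnpDevice output. It assumes the full_command line has the form "ossec: output: '<command>': <output>" and that InstanceId is the last column of the default Get-PnpDevice table; both are assumptions of this example.

```python
import re

# Regex from the local_rules.xml rule 140126 in the post above
RULE_REGEX = re.compile(r"ossec: output:.*?Get-PnpDevice")

COMMAND = "powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\""

# Constructed sample output of two consecutive runs of the command (not real device data).
# Run 1: only the internal disk is present.
RUN_1 = r"""
Status  Class      FriendlyName               InstanceId
------  -----      ------------               ----------
OK      DiskDrive  Samsung SSD 870            SCSI\DISK&VEN_SAMSUNG&PROD_SSD_870\4&1A2B3C4D&0&000000
"""
# Run 2: a USB mass-storage device has been plugged in since run 1.
RUN_2 = RUN_1 + r"OK      DiskDrive  SanDisk Ultra USB Device   USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA\0123456789ABCDEF&0" + "\n"


def parse_devices(output):
    """Return the set of InstanceId values for DiskDrive rows in Get-PnpDevice table output."""
    devices = set()
    for line in output.splitlines():
        parts = line.split()
        # Skip header, separator and blank lines; keep rows whose Class column is DiskDrive
        if len(parts) >= 4 and parts[1] == "DiskDrive":
            devices.add(parts[-1])  # InstanceId contains no spaces, so it is the last token
    return devices


def diff_devices(prev_output, curr_output):
    """What check_diff effectively exposes: which disk devices appeared or disappeared."""
    prev, curr = parse_devices(prev_output), parse_devices(curr_output)
    return {"added": sorted(curr - prev), "removed": sorted(prev - curr)}


def build_log_line(command, output):
    """Assumed shape of the log line the agent produces for a full_command localfile."""
    return f"ossec: output: '{command}': {output}"


def rule_fires(prev_output, curr_output, command=COMMAND):
    """Simulate rule 140126: match the regex AND require the output to differ from the last run."""
    if prev_output == curr_output:
        return False  # check_diff suppresses the alert when nothing changed
    return RULE_REGEX.search(build_log_line(command, curr_output)) is not None


if __name__ == "__main__":
    print("run1 -> run1 fires:", rule_fires(RUN_1, RUN_1))
    print("run1 -> run2 fires:", rule_fires(RUN_1, RUN_2))
    print("changes:", diff_devices(RUN_1, RUN_2))
```

Because check_diff compares whole outputs, any change (a device removed, a FriendlyName differing between runs) fires the same "New USB device connected" alert; diff_devices shows the added/removed split a practitioner would want in the alert description instead.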

Javier Bejar

Jan 13, 2023, 10:59:02 AM1/13/23
to Wazuh mailing list
Hi Max,

There is a blog post explaining how to monitor USB activity on Windows; you have to enable ‘Audit PNP Activity’ events.

Take a look at the post here: https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/

Feel free to let me know if you encounter any issues or if you have any questions.

I'm glad to help.
Javier Bejar.

Massimiliano De Falco

Jan 13, 2023, 11:51:31 AM1/13/23
to Wazuh mailing list
Hi Javier. From your link (dated 2017) I have activated the "Enabling ‘Audit PNP Activity’ events" step, but it says to create a CDB list of USB device serial numbers. About this point, I don't know the serial numbers of the users' USB pens.

I have read the "Detect USB Storage" post of 12th January, which explains a different technique that I applied, editing the agent.conf file and the local_rules.xml file.

Is this sufficient?

Where can I view the logs of this configuration?

Thanks.
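The question above is how to build the CDB list of serial numbers when the serials are not known up front. With ‘Audit PNP Activity’ enabled, each recognized device produces a Windows event that carries the device instance ID, and the USB mass-storage serial is embedded in that ID. The Python below is an added example (not code from the thread, the blog post or Wazuh) that extracts those serials from constructed alert records. It assumes Wazuh decodes Windows eventchannel events into data.win.system.eventID and data.win.eventdata.deviceId, that event ID 6416 is the "new external device was recognized" event, and that the CDB list uses key:value lines; all three are assumptions of this example, and the device IDs are constructed, not real.

```python
# Constructed alert records (not real data) in the shape assumed for decoded
# Windows eventchannel events: data.win.system.* and data.win.eventdata.*
SAMPLE_ALERTS = [
    {"data": {"win": {
        "system": {"eventID": "6416", "computer": "WS01"},
        "eventdata": {
            "deviceId": "USBSTOR\\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\\0123456789ABCDEF&0",
            "deviceDescription": "SanDisk Ultra USB Device",
            "className": "DiskDrive"}}}},
    {"data": {"win": {
        "system": {"eventID": "6416", "computer": "WS01"},
        "eventdata": {
            "deviceId": "HID\\VID_046D&PID_C52B\\6&2a3b4c&0&0000",
            "deviceDescription": "USB Input Device",
            "className": "HIDClass"}}}},
    {"data": {"win": {
        "system": {"eventID": "6416", "computer": "WS02"},
        "eventdata": {
            "deviceId": "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\FEDCBA9876543210&0",
            "deviceDescription": "Kingston DataTraveler USB Device",
            "className": "DiskDrive"}}}},
    # Unrelated event that must be ignored
    {"data": {"win": {"system": {"eventID": "4624", "computer": "WS01"}}}},
]

PNP_NEW_DEVICE_EVENT = "6416"  # assumed event ID for "a new external device was recognized"


def usb_storage_serial(device_id):
    """Return the serial embedded in a USBSTOR instance ID, or None for non-storage devices.

    USBSTOR IDs look like USBSTOR\\<hardware id>\\<serial>&<instance>; the part before
    the first '&' of the third segment is the serial the CDB list should key on.
    """
    parts = device_id.split("\\")
    if len(parts) < 3 or parts[0].upper() != "USBSTOR":
        return None
    serial = parts[2].split("&")[0]
    return serial or None


def collect_usb_serials(alerts):
    """Map serial -> description for every PNP new-device event that is USB mass storage."""
    found = {}
    for alert in alerts:
        win = alert.get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") != PNP_NEW_DEVICE_EVENT:
            continue
        eventdata = win.get("eventdata", {})
        serial = usb_storage_serial(eventdata.get("deviceId", ""))
        if serial is None:
            continue  # keyboards, mice etc. are not the storage devices of interest
        found.setdefault(serial, eventdata.get("deviceDescription", ""))
    return found


def cdb_lines(serials):
    """Render the serial -> description map as key:value lines for a CDB list file."""
    return [f"{serial}:{desc}" for serial, desc in sorted(serials.items())]


if __name__ == "__main__":
    for line in cdb_lines(collect_usb_serials(SAMPLE_ALERTS)):
        print(line)
```

Running this over a day of archived alerts gives the inventory of storage devices actually seen, which can then be reviewed and split into an allowed list and everything else; a later rule comparing the serial against the CDB list only has to handle the "not in list" case.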
