USB Monitoring


Víctor Ariel Hermosa Riveros

Sep 19, 2022, 8:46:04 PM
to Wazuh mailing list
Hi

I am trying to monitor activity in USB Ports, not just Mass Storage Devices connection, but any USB device connected or disconnected.

I am working with latest stable version of Wazuh (4.3), and the monitored workstations are Windows 10 based.

Thanks in advance

PS: Yes, I have followed many tutorials, but with an impressive score of 0 successful attempts :)

Aditya Sharma

Sep 20, 2022, 12:23:18 AM
to Wazuh mailing list
Hi Vahr, hope you are doing well!

Which documentation are you trying to follow? We have this official document to monitor this: https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/

Can you also look at this community answer once: https://groups.google.com/g/wazuh/c/5GK02qt4fCI/m/gf5q6RABBAAJ

For Windows, please, follow this guide:

When a USB device is connected to the system, 4 events are generated.

These events are taken by the wazuh-agent and sent to the manager, but since there are no rules to check this data, no alerts are triggered and therefore they are not shown in Kibana.

That being said, we must create a rule to generate the alert. Here is one I’ve created for the first event generated.

<group name="usb-rules,">
  <rule id="666000" level="6">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^6416$</field>
    <field name="win.eventdata.deviceId">^USB\\</field>
    <description>An external $(win.eventdata.deviceDescription) was connected to the system</description>
  </rule>
</group>

This way, every event generated with this EventID and that has this type of DeviceID is going to generate an alert like this one:

These events don't provide the serial number of the device, so in case you would like to use a whitelist (or blacklist) according to that value, you should use the DeviceID.

I hope this helps you. Don't hesitate to ask your questions/concerns. We are very happy to help you.

Regards
Aditya Sharma

[Attachments: Windows usb.png, event usb.png]

Víctor Ariel Hermosa Riveros

Sep 26, 2022, 1:26:48 PM
to Wazuh mailing list
I've already tried this and I can't get it to work.

archives.json
{"timestamp":"2022-09-26T17:23:13.530+0000","agent":{"id":"003","name":"nb16032201","ip":"192.170.170.27"},"manager":{"name":"wazuh-server"},"id":"1664212993.4786841","full_log":"{\"win\":{\"system\":{\"providerName\":\"hcmon\",\"eventID\":\"0\",\"version\":\"0\",\"level\":\"3\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x80000000000000\",\"systemTime\":\"2022-09-26T17:23:12.5019126Z\",\"eventRecordID\":\"126949\",\"processID\":\"4\",\"threadID\":\"12964\",\"channel\":\"System\",\"computer\":\"nb16032201.bepsa.com.py\",\"severityValue\":\"WARNING\",\"message\":\"\\\"Detected unrecognized USB driver (\\\\Driver\\\\USBPcap).\\\"\"},\"eventdata\":{\"binary\":\"00000000020028000000000000000080000000000000000000000000000000000000000000000000\",\"data\":\"\\\\\\\\Device\\\\\\\\hcmon, \\\\\\\\Driver\\\\\\\\USBPcap\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"hcmon","eventID":"0","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2022-09-26T17:23:12.5019126Z","eventRecordID":"126949","processID":"4","threadID":"12964","channel":"System","computer":"nb16032201.bepsa.com.py","severityValue":"WARNING","message":"\"Detected unrecognized USB driver (\\Driver\\USBPcap).\""},"eventdata":{"binary":"00000000020028000000000000000080000000000000000000000000000000000000000000000000","data":"\\\\Device\\\\hcmon, \\\\Driver\\\\USBPcap"}}},"location":"EventChannel"}
{"timestamp":"2022-09-26T17:23:13.540+0000","agent":{"id":"003","name":"nb16032201","ip":"192.170.170.27"},"manager":{"name":"wazuh-server"},"id":"1664212993.4786841","full_log":"{\"win\":{\"system\":{\"providerName\":\"hcmon\",\"eventID\":\"0\",\"version\":\"0\",\"level\":\"3\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x80000000000000\",\"systemTime\":\"2022-09-26T17:23:12.5019126Z\",\"eventRecordID\":\"126950\",\"processID\":\"4\",\"threadID\":\"12964\",\"channel\":\"System\",\"computer\":\"nb16032201.bepsa.com.py\",\"severityValue\":\"WARNING\",\"message\":\"\\\"Detected unrecognized USB driver (\\\\Driver\\\\USBPcap).\\\"\"},\"eventdata\":{\"binary\":\"00000000020028000000000000000080000000000000000000000000000000000000000000000000\",\"data\":\"\\\\\\\\Device\\\\\\\\hcmon, \\\\\\\\Driver\\\\\\\\USBPcap\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"hcmon","eventID":"0","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2022-09-26T17:23:12.5019126Z","eventRecordID":"126950","processID":"4","threadID":"12964","channel":"System","computer":"nb16032201.bepsa.com.py","severityValue":"WARNING","message":"\"Detected unrecognized USB driver (\\Driver\\USBPcap).\""},"eventdata":{"binary":"00000000020028000000000000000080000000000000000000000000000000000000000000000000","data":"\\\\Device\\\\hcmon, \\\\Driver\\\\USBPcap"}}},"location":"EventChannel"}


I did configure my local policy directive and ossec.conf to listen for Event ID 6416...


[Attachments: ossec.conf-agent, config rule 3.png, eventos windows.png, config rule 1.png, config rule 2.png]

Aditya Sharma

Sep 28, 2022, 12:16:30 AM
to Wazuh mailing list
Hi Vahr, sorry for the late response!

If the logs are coming in archives.json and they are not showing in the Kibana UI or in alerts.json, then I guess you need to create the custom decoders & rules for them to see it in Kibana UI.

For that, you can follow this documentation once: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html and https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/


I hope this helps you.

Regards
Aditya Sharma
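As an added diagnostic for the archives.json records posted above (example code, not from the thread or from the Wazuh project), this script applies the two conditions of the rule in the earlier reply to each record and reports why it would or would not raise an alert; the sample records and the deviceId value are constructed for the example.

```python
import json
import re

# The two conditions of the rule posted earlier in the thread.
EVENT_ID_RE = re.compile(r"^6416$")
DEVICE_ID_RE = re.compile(r"^USB\\")

def evaluate(record):
    """Report which rule conditions one decoded archives.json record meets."""
    win = record.get("data", {}).get("win", {})
    system = win.get("system", {})
    device_id = win.get("eventdata", {}).get("deviceId", "")
    result = {
        "record_id": record.get("id"),
        "provider": system.get("providerName"),
        "channel": system.get("channel"),
        "event_id_ok": bool(EVENT_ID_RE.match(system.get("eventID", ""))),
        "device_id_ok": bool(DEVICE_ID_RE.match(device_id)),
    }
    result["would_alert"] = result["event_id_ok"] and result["device_id_ok"]
    if result["would_alert"]:
        result["note"] = "matches the rule: an alert is expected"
    elif not result["event_id_ok"]:
        # The thread's records land here: hcmon, eventID 0, System channel.
        result["note"] = "not a 6416 event: check PnP auditing and the Security localfile"
    else:
        result["note"] = "6416 event, but deviceId is not a USB device"
    return result

def check_archives(lines):
    """Evaluate every JSON line; blank or malformed lines are skipped."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        try:
            results.append(evaluate(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return results

# Constructed sample input: the thread's hcmon record (trimmed) and a made-up
# 6416 record carrying the fields the rule expects.
SAMPLE_LINES = [
    json.dumps({"id": "1664212993.4786841", "data": {"win": {"system": {
        "providerName": "hcmon", "eventID": "0", "channel": "System"}}}}),
    json.dumps({"id": "sample-6416", "data": {"win": {
        "system": {"eventID": "6416", "channel": "Security"},
        "eventdata": {"deviceId": "USB\\VID_0000&PID_0000\\SAMPLE"}}}}),
]
```

Run it over the real archives.json (`check_archives(open("archives.json"))`) before touching rules: if no record reports `event_id_ok`, the 6416 event is not reaching the manager and the rule cannot fire regardless of decoders.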