Issue Monitoring USB drives in Windows


mcarn...@nextel.es

Apr 11, 2019, 4:27:56 AM
to Wazuh mailing list
Hello again!

We had checked our rules, which were working perfectly for monitoring USB drives in Windows. We followed the steps described in your blog entry and they were working as expected.

Yesterday we checked the rules again and realized they are not working anymore. The Wazuh manager version is the latest one, 3.8.2, the same as the Wazuh agent. The rules are:

<rule id="100002" level="5">
<if_sid>18104</if_sid>
<id>^6416$</id>
<list field="usb.serial_number" lookup="match_key">etc/lists/usb-devices</list>
<description>Authorized PNP device connected.</description>
</rule>

<rule id="100003" level="10">
<if_sid>18104</if_sid>
<id>^6416$</id>
<list field="usb.serial_number" lookup="not_match_key">etc/lists/usb-devices</list>
<description>Unauthorized PNP device connected.</description>
</rule>

We also have the corresponding decoder:

<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

Taking into account that the data sent back by the Wazuh agent has now changed its format, and the presence of an internal JSON decoder, we added a new rule

<rule id="100044" level="12">
<if_sid>20001</if_sid>
<field name="EventChannel.System.ProviderName">Microsoft-Windows-Security-Auditing</field>
<field name="EventChannel.System.EventID">6416</field>
<description>External device connected</description>
</rule>

to at least know that an external device is connected.

The input received from the Wazuh agent and recorded in archives.log by the Wazuh manager is:

2019 Apr 10 10:26:40 (WIN_166) 192.168.15.166->EventChannel {"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","EventID":"6416","Version":"1","Level":"0","Task":"13316","Opcode":"0","Keywords":"0x8020000000000000","SystemTime":"2019-04-10T10:27:29.598582700Z","EventRecordID":"2840","ProcessID":"4","ThreadID":"4312","Channel":"Security","Computer":"DESKTOP-DJ7F955","SeverityValue":"AUDIT_SUCCESS","Message":"A new external device was recognized by the system."},"EventData":{"SubjectUserSid":"S-1-5-18","SubjectUserName":"DESKTOP-DJ7F955$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","DeviceId":"SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&amp;Ven_General&amp;Prod_USB_Flash_Disk&amp;Rev_1100#0411150000016636&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}","DeviceDescription":"USB MALWARE","ClassId":"{EEC5AD98-8080-425F-922A-DABF3DE3F69A}","ClassName":"WPD","VendorIds":"-","CompatibleIds":"wpdbusenum\\fsSWD\\Generic","LocationInformation":"-"}}}

It is registered also in the archives.json file as:

{"timestamp":"2019-04-10T10:26:40.47+0000","agent":{"id":"002","name":"WIN_166","ip":"192.168.15.166"},"manager":{"name":"wazuh-arm"},"id":"1554892000.13085","full_log":"{\"EventChannel\":{\"System\":{\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"EventID\":\"6416\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13316\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"SystemTime\":\"2019-04-10T10:27:29.598582700Z\",\"EventRecordID\":\"2840\",\"ProcessID\":\"4\",\"ThreadID\":\"4312\",\"Channel\":\"Security\",\"Computer\":\"DESKTOP-DJ7F955\",\"SeverityValue\":\"AUDIT_SUCCESS\",\"Message\":\"A new external device was recognized by the system.\"},\"EventData\":{\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"DESKTOP-DJ7F955$\",\"SubjectDomainName\":\"WORKGROUP\",\"SubjectLogonId\":\"0x3e7\",\"DeviceId\":\"SWD\\\\WPDBUSENUM\\\\_??_USBSTOR#Disk&amp;Ven_General&amp;Prod_USB_Flash_Disk&amp;Rev_1100#0411150000016636&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\",\"DeviceDescription\":\"USB MALWARE\",\"ClassId\":\"{EEC5AD98-8080-425F-922A-DABF3DE3F69A}\",\"ClassName\":\"WPD\",\"VendorIds\":\"-\",\"CompatibleIds\":\"wpdbusenum\\\\fsSWD\\\\Generic\",\"LocationInformation\":\"-\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","EventID":"6416","Version":"1","Level":"0","Task":"13316","Opcode":"0","Keywords":"0x8020000000000000","SystemTime":"2019-04-10T10:27:29.598582700Z","EventRecordID":"2840","ProcessID":"4","ThreadID":"4312","Channel":"Security","Computer":"DESKTOP-DJ7F955","SeverityValue":"AUDIT_SUCCESS","Message":"A new external device was recognized by the system."},"EventData":{"SubjectUserSid":"S-1-5-18","SubjectUserName":"DESKTOP-DJ7F955$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","DeviceId":"SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&amp;Ven_General&amp;Prod_USB_Flash_Disk&amp;Rev_1100#0411150000016636&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}","DeviceDescription":"USB MALWARE","ClassId":"{EEC5AD98-8080-425F-922A-DABF3DE3F69A}","ClassName":"WPD","VendorIds":"-","CompatibleIds":"wpdbusenum\\fsSWD\\Generic","LocationInformation":"-"}}},"location":"EventChannel"}

With the JSON record beautified, the field values we used to write the rule are easier to see.

{
"timestamp": "2019-04-10T10:26:40.47+0000",
"agent": { "id": "002", "name": "WIN_166", "ip": "192.168.15.166" },
"manager": { "name": "wazuh-arm" },
"id": "1554892000.13085",
"full_log": "{\"EventChannel\":{\"System\":{\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"EventID\":\"6416\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13316\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"SystemTime\":\"2019-04-10T10:27:29.598582700Z\",\"EventRecordID\":\"2840\",\"ProcessID\":\"4\",\"ThreadID\":\"4312\",\"Channel\":\"Security\",\"Computer\":\"DESKTOP-DJ7F955\",\"SeverityValue\":\"AUDIT_SUCCESS\",\"Message\":\"A new external device was recognized by the system.\"},\"EventData\":{\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"DESKTOP-DJ7F955$\",\"SubjectDomainName\":\"WORKGROUP\",\"SubjectLogonId\":\"0x3e7\",\"DeviceId\":\"SWD\\\\WPDBUSENUM\\\\_??_USBSTOR#Disk&amp;Ven_General&amp;Prod_USB_Flash_Disk&amp;Rev_1100#0411150000016636&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\",\"DeviceDescription\":\"USB MALWARE\",\"ClassId\":\"{EEC5AD98-8080-425F-922A-DABF3DE3F69A}\",\"ClassName\":\"WPD\",\"VendorIds\":\"-\",\"CompatibleIds\":\"wpdbusenum\\\\fsSWD\\\\Generic\",\"LocationInformation\":\"-\"}}}",
"decoder": { "name": "windows_eventchannel" },
"data": {
"EventChannel": {
"System": {
"ProviderName": "Microsoft-Windows-Security-Auditing",
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"EventID": "6416",
"Version": "1",
"Level": "0",
"Task": "13316",
"Opcode": "0",
"Keywords": "0x8020000000000000",
"SystemTime": "2019-04-10T10:27:29.598582700Z",
"EventRecordID": "2840",
"ProcessID": "4",
"ThreadID": "4312",
"Channel": "Security",
"Computer": "DESKTOP-DJ7F955",
"SeverityValue": "AUDIT_SUCCESS",
"Message": "A new external device was recognized by the system."
},
"EventData": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "DESKTOP-DJ7F955$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"DeviceId": "SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&amp;Ven_General&amp;Prod_USB_Flash_Disk&amp;Rev_1100#0411150000016636&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
"DeviceDescription": "USB MALWARE",
"ClassId": "{EEC5AD98-8080-425F-922A-DABF3DE3F69A}",
"ClassName": "WPD",
"VendorIds": "-",
"CompatibleIds": "wpdbusenum\\fsSWD\\Generic",
"LocationInformation": "-"
}
}
},
"location": "EventChannel"
}

Any idea what is happening or how we could solve it?

Best regards,

Manu Carnerero

cris...@wazuh.com

Apr 17, 2019, 7:27:26 AM
to Wazuh mailing list
Hello Manu and sorry for the late response,

As you can see, the parent rule you are matching with ID 20001 is the following one:

<rule id="20001" level="0">
    <if_sid>20000</if_sid>
    <field name="EventChannel.System.SeverityValue">^INFORMATION</field>
    <description>Windows informational event</description>
    <options>no_full_log</options>
</rule>

Regarding the event you posted, the SeverityValue field is not INFORMATION, but AUDIT_SUCCESS, so instead of 20001 your parent rule should be 20004, which is the one for AUDIT_SUCCESS. The rule should be as follows:

<rule id="100044" level="12">
    <if_sid>20004</if_sid>
    <field name="EventChannel.System.ProviderName">Microsoft-Windows-Security-Auditing</field>
    <field name="EventChannel.System.EventID">6416</field>
    <description>External device connected</description>
</rule>

Tell me if this solved your problem and if you have any other questions.

Kind regards,
Cristina

mcarn...@nextel.es

Apr 17, 2019, 10:49:03 AM
to Wazuh mailing list
Hello Cristina,

Thanks for your response. Now we are able to detect when a PNP device is plugged in, but not whether the device is in a list of devices, as is done in your blog entry.

Following the blog entry instructions, we suppose that the decoder entry should now be updated in some way


<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

to be able to access the serial number of the device.

Kind regards,
Manu

cris...@wazuh.com

Apr 23, 2019, 2:16:47 AM
to Wazuh mailing list
Hi Manu,

Yes, in order to access the device's serial number you should keep that configuration for your decoder. Let me know if you have any doubts left.

Best regards,
Cristina

mcarn...@nextel.es

Apr 23, 2019, 6:00:45 AM
to Wazuh mailing list
Hi Cristina,

I suppose I'm doing something wrong because, although I have decoder configurations in several places to obtain the USB serial number, it is not working. In the file 0006-json_decoders.xml I have included


<decoder name="pnp_device_id">
<parent>json</parent>
<regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

<decoder name="pnp_device_id_2">
<parent>json</parent>
<regex>USBSTOR#Disk&amp;Ven_(\S*)&amp;Prod_(\S*)&amp;Rev_(\.*)#(\S*)&amp;0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

Also in file 0380-windows_decoders.xml I have included

<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

<decoder name="windows_fields_2">
<type>windows</type>
<parent>windows</parent>
<regex>USBSTOR#Disk&amp;Ven_(\S*)&amp;Prod_(\S*)&amp;Rev_(\.*)#(\S*)&amp;0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

When I launch ossec-logtest, it doesn't seem to do the decoding properly.

Best regards,

Manu

cris...@wazuh.com

Apr 29, 2019, 5:29:46 AM
to Wazuh mailing list
Hi Manu,

The decoder matching these Eventchannel events is an internal one, which means that after decoding the events, they can't match any other XML decoders. This means that the process you want to execute cannot be done at the moment. This decoder will only let the rules match the entire DeviceId field, without the possibility of splitting it into vendor, product, rev and serial_number. Nevertheless, this is not impossible with Eventchannel; I have opened an issue that explains a way of doing this. The process is the following:

- Eventchannel sends the event to analysisd, where it gets decoded in JSON format. Once the event is processed, it will contain the DeviceId field with all the mentioned fields in it.
- This JSON event will match a silent rule filtering by event ID 6416.
- The rule will pass the event to integratord, where a script will split all the fields contained in DeviceId and remove every other field that is not of interest.
- Now that we have filtered by vendor, product, rev and serial_number, it can be either written to a localfile monitored by logcollector or sent directly to analysisd.
- It will match the JSON decoder and you will get the fields you need. Then your rules should be able to look up these specific fields in your CDB lists.

Although this is a possible solution, it is not implemented yet, so if you are in a hurry, you could keep using Eventlog, which will work with the decoder you made. Also, if you have any doubts or any proposal, don't hesitate to write to us again. We will keep you informed about the state of the issue.

Kind regards,
Cristina
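The integratord step in the procedure above, as an added example that is not part of the thread and not Wazuh's own code or the script from the issue Cristina mentions. It takes a 6416 alert like the one Manu posted, splits EventData.DeviceId into the vendor, product, rev and serial_number fields that the original windows_fields decoder extracted, looks the serial up in an allowlist written in the "key:value" format of a CDB list source file (the thread's etc/lists/usb-devices), and emits one flat JSON line that a logcollector localfile or analysisd could ingest and that rules could then match as in rules 100002 and 100003. The sample alert and the allowlist are constructed here (the DeviceId value is the one from the thread); the assumption that integratord passes the alert file path as the first argument is the convention of Wazuh's bundled integration scripts. One detail worth noticing in the posted event: DeviceId arrives XML-escaped, with &amp; where the raw device path has &, so the script unescapes it before applying the pattern; a regex written with a bare & would not match the escaped form.

```python
"""
Added example, not Wazuh's code: the DeviceId split and allowlist lookup that
the thread proposes delegating to an integratord script for event ID 6416.
"""
import html
import json
import re
import sys
from typing import Dict, Optional

# The thread's decoder pattern rewritten in Python regex syntax. Vendor and
# product stop at '&', rev stops at '#', and the serial stops at the '&0#'
# that precedes the device interface class GUID.
DEVICE_ID_RE = re.compile(
    r"USBSTOR#Disk&Ven_([^&#]*)&Prod_([^&#]*)&Rev_([^#]*)#([^&#]*)&0#"
)

# Constructed sample alert (only the fields this script reads). The DeviceId
# value is the one posted in the thread; the agent forwards it XML-escaped.
SAMPLE_ALERT = {
    "agent": {"id": "002", "name": "WIN_166", "ip": "192.168.15.166"},
    "data": {"EventChannel": {
        "System": {
            "ProviderName": "Microsoft-Windows-Security-Auditing",
            "EventID": "6416",
            "SeverityValue": "AUDIT_SUCCESS",
            "Computer": "DESKTOP-DJ7F955",
        },
        "EventData": {
            "DeviceId": ("SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&amp;Ven_General"
                         "&amp;Prod_USB_Flash_Disk&amp;Rev_1100#0411150000016636"
                         "&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"),
            "DeviceDescription": "USB MALWARE",
        },
    }},
}

# Constructed allowlist in the "key:value" format of a Wazuh CDB list source
# file. Keys are USB serial numbers, as in the thread's rules.
SAMPLE_CDB = """\
# serial_number:description
0411150000016636:General USB_Flash_Disk (lab stick)
"""


def parse_device_id(device_id: str) -> Optional[Dict[str, str]]:
    """Split a 6416 DeviceId into usb.* fields; None if it is not a USBSTOR disk."""
    m = DEVICE_ID_RE.search(html.unescape(device_id))  # '&amp;' -> '&'
    if not m:
        return None
    vendor, product, rev, serial = m.groups()
    return {"usb.vendor": vendor, "usb.product": product,
            "usb.rev": rev, "usb.serial_number": serial}


def load_cdb_list(text: str) -> Dict[str, str]:
    """Parse 'key:value' lines, ignoring blank lines and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def enrich_alert(alert: dict, allowlist: Dict[str, str]) -> Optional[dict]:
    """Return a flat event with usb.* fields and an authorized flag, or None
    when the alert is not a Security-Auditing 6416 event for a USBSTOR disk."""
    channel = alert.get("data", {}).get("EventChannel", {})
    system = channel.get("System", {})
    if (system.get("ProviderName") != "Microsoft-Windows-Security-Auditing"
            or system.get("EventID") != "6416"):
        return None
    fields = parse_device_id(channel.get("EventData", {}).get("DeviceId", ""))
    if fields is None:
        return None
    fields["usb.authorized"] = fields["usb.serial_number"] in allowlist
    fields["agent.name"] = alert.get("agent", {}).get("name", "")
    fields["computer"] = system.get("Computer", "")
    return fields


def main(argv):
    # Assumed calling convention: integratord passes the alert file path as
    # the first argument. Without one, the constructed sample alert is used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            alert = json.load(fh)
    else:
        alert = SAMPLE_ALERT
    event = enrich_alert(alert, load_cdb_list(SAMPLE_CDB))
    if event is not None:
        # One JSON object per line, so a logcollector localfile in json
        # format (or analysisd) can pick it up and rules can match usb.*.
        print(json.dumps(event))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the flat event for the sample alert; wire it as an integration by passing the alert file path. Events that are not Security-Auditing 6416, or whose DeviceId is not a USBSTOR disk path, are dropped rather than emitted with empty fields, so a rule keyed on usb.serial_number never fires on a half-decoded event.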