Detect USB Storage

Renan Rivera
Jun 22, 2022, 11:02:54 PM
to Wazuh mailing list
Hello All,

I am trying to configure USB storage detection. I have been testing it for a while, but it still does not detect anything when I plug a USB storage device into any of the agents.

My wazuh version is 4.3.3 which I upgraded from 4.2.

The following are the steps that I took; please advise if I have missed something.

1. On the Wazuh manager server I enabled wazuh_command.remote_commands=1 by adding that line to /var/ossec/etc/local_internal_options.conf.

2. I set all the agents group to default.

3. I configured /var/ossec/etc/shared/default/agent.conf with the following content:
<agent_config os="Windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERYHKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  </localfile>
</agent_config>

4. Created the rule in local_rules.xml with the following content:
<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

5. Restart wazuh-manager:
systemctl restart wazuh-manager

Is there anything I missed? Your help is highly appreciated.

Have a nice day.

Thank you,
Renan



Christian Borla
Jun 23, 2022, 4:10:43 PM
to Wazuh mailing list
Hi Renan!
I hope you are doing fine!
I did some tests on different sections of your step-by-step configuration and found some interesting things.

On a Windows box I added a <localfile> configuration, but with some changes: a space between 'QUERY' and 'HKLM' in the <command> section, and also a <frequency> label, which indicates how often the command fires.

  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <frequency>30</frequency>
  </localfile>

After these changes I restarted the Wazuh agent, and I had events in the archives.json file on the Wazuh server side.

/var/ossec/logs/archives/archives.json

Event generated:

{"timestamp":"2022-06-23T16:33:49.985-0300","agent":{"id":"004","name":"DESKTOP-WIN","ip":"192.16.10.27"},"manager":{"name":"VBox"},"id":"1656012829.4212515","full_log":"ossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00","decoder":{"name":"ossec"},"location":"reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"}


Then I created the custom rule without the <check_diff /> section so that it fires on every event, just to be sure the rule is working.

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY HKLM</match>
  <description>New USB device connected</description>
</rule>

/var/ossec/logs/alerts/alerts.json

{"timestamp":"2022-06-23T16:53:25.414-0300","rule":{"level":7,"description":"New USB device connected","id":"140125","firedtimes":2,"mail":false,"groups":["hp","custom"]},"agent":{"id":"004","name":"DESKTOP-WIN","ip":"192.16.10.27"},"manager":{"name":"VBox"},"id":"1656014005.4272785","full_log":"ossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00","decoder":{"name":"ossec"},"location":"reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"}

And finally I tested with the <check_diff /> option: I added a new USB storage device and it works! It only fires when the command output changes.

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY HKLM</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

Alert generated:

{"timestamp":"2022-06-23T17:00:55.834-0300","rule":{"level":7,"description":"New USB device connected","id":"140125","firedtimes":1,"mail":false,"groups":["hp","custom"]},"agent":{"id":"004","name":"DESKTOP-WIN","ip":"192.16.10.27"},"manager":{"name":"VBox"},"id":"1656014455.4328292","previous_output":"Previous output:\nossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00","full_log":"ossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00","location":"reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"}

It took some seconds to trigger, but it's working.
Let me know if this information is useful to you.
Regards!
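
Added example (editor's addition, not code from the thread or from Wazuh): reg QUERY without /s prints only the top-level USBSTOR keys, one per vendor/product/revision, so a second unit of the same model does not change the output and <check_diff /> never fires for it. The script below walks one level deeper, into the per-unit serial-number subkeys, and prints one sorted line per physical unit. The registry path is the standard Windows location; the function name, the output layout and the script path mentioned after the block are this example's own assumptions.

```powershell
# Added example (not from the thread): enumerate the USBSTOR history with
# per-unit serial numbers, formatted so that <check_diff /> sees a change
# whenever a new physical unit (not just a new model) is recorded.

function Get-UsbStorageHistory {
    # Layout of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
    #   <model key>   e.g. Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
    #     <unit key>  one per physical unit, named after its serial number
    # `reg QUERY ... USBSTOR` without /s only prints the model keys, so two
    # sticks of the same model collapse into one line.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $root)) { return }   # no USB storage ever seen

    Get-ChildItem -Path $root | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            # FriendlyName is a value on the unit key; it may be absent,
            # in which case this is simply empty.
            $name = (Get-ItemProperty -Path $_.PSPath).FriendlyName
            [pscustomobject]@{
                Model        = $model
                Serial       = $_.PSChildName
                FriendlyName = $name
            }
        }
    } | Sort-Object -Property Model, Serial
}

# One line per unit, fixed order, no timestamps or counters: the output is
# byte-for-byte identical from run to run until a new unit is recorded,
# which is exactly the condition <check_diff /> alerts on.
Get-UsbStorageHistory | ForEach-Object {
    '{0}\{1} | {2}' -f $_.Model, $_.Serial, $_.FriendlyName
}
```

To run it from the agent, save it as a .ps1 file (for example C:\wazuh-scripts\Get-UsbStorageHistory.ps1, an assumed path) and point the <command> at it: powershell -NoProfile -ExecutionPolicy Bypass -File C:\wazuh-scripts\Get-UsbStorageHistory.ps1. The rule's <match> must then match the new command text (for instance the script name) rather than 'reg QUERY HKLM'. The agent service executes the command with its own account, LocalSystem by default, so the script file and its directory must be writable only by Administrators and SYSTEM; a user-writable script in that position is a local privilege escalation. Like reg QUERY, this is a history of every unit ever plugged in, not a list of what is present now.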

Renan Rivera
Jun 24, 2022, 2:40:39 AM
to Christian Borla, Wazuh mailing list
Hello Christian,

Thank you for looking into my issue, I really appreciate it.

On my end, I followed your suggestion, but I failed to produce any logs from USB storage detection.

The following are the steps that I did.

1. Added a space between 'QUERY' and 'HKLM'

2. Added a <frequency> label

  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <frequency>30</frequency>
  </localfile>

4. Restart wazuh-manager

5. Checked the logs in /var/ossec/logs/archives/archives.json, but the JSON file does not exist; there is only archives.log. I checked archives.log and it is empty when
I test by connecting a USB device to the machine.

6. Modified the rule with the following lines:


<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY HKLM</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

7. Restart wazuh-manager

I wonder what's missing or wrong with my configuration. May I know what version of Wazuh you are using?

Attached are screenshots of my configuration in local_rules and agent.conf.

Thanks a lot Christian, I hope I can replicate your testing.

Warm Regards,
Renan


Christian Borla
Jun 24, 2022, 8:50:10 AM
to Wazuh mailing list
Hi Renan!
You are welcome! I hope you are doing fine.
I'm using Wazuh version 4.3.3, but it should work in any 4.x version.
I think we can test each step separately. This command configuration works on Windows agents; I guess 'lsusb' is the command for Linux.
If possible, run the command in PowerShell and check that it works.

My example in PowerShell:

  PS C:\Users\win> reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00

If everything is OK, open the ossec.conf file on the Windows agent side and add the localfile section manually.


 <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <frequency>30</frequency>
  </localfile>

Restart the agent, and look for 'QUERY HKLM' command events in /var/ossec/logs/archives/archives.json on the Wazuh manager side.

To enable the archives.json file, edit /var/ossec/etc/ossec.conf on the manager side and add <logall_json>yes</logall_json>:

            <ossec_config>
              <global>
                <alerts_log>yes</alerts_log>
                <logall>yes</logall>
                <logall_json>yes</logall_json>
              </global>
            </ossec_config>

To apply this, restart the Wazuh manager.

Please check this configuration manually; once it works, we will make it work with centralized configuration (the agent.conf file).
Let me know if that works!
Regards!

Renan Rivera
Jun 26, 2022, 8:58:16 PM
to Christian Borla, Wazuh mailing list
Hello Christian,

Sorry for the late reply, thanks again for your help :).

I tested the steps on one of my agents and this is the only output that I get. Note that when I plug and unplug the storage device the same result appears.

PS C:\Users\renan.r> reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_VendorCo&Prod_ProductCode&Rev_2.00


I think this might be the reason why I have no logs. Is there anything to configure in the Windows settings?

I continued the steps and inserted the following lines into the agent's ossec.conf, then restarted wazuh-manager:

 <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <frequency>30</frequency>
  </localfile>


Then I enabled archives.json in /var/ossec/etc/ossec.conf; with that I can now see the JSON file.



Thank you Christian for your time, I really appreciate it.

Regards,
Renan

Christian Borla
Jun 27, 2022, 2:51:35 PM
to Wazuh mailing list
Hi Renan!
I hope you are doing fine!
Good to know that the archives.json file now contains some events.

The problem is that the command reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR only adds new devices to the list; it doesn't remove a device from the list. It's a history of the flash drives that have been plugged in. Try with different flash drives and it will trigger for any new device. The advantage of this command is that it never loses a registered flash drive.

I also did some new research and found that it's possible to use another command line.
Add the following configuration to your agent's ossec.conf file:

  <localfile>
    <log_format>full_command</log_format>
    <command>powershell "Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }"</command>
    <frequency>30</frequency>
  </localfile>

This command shows the currently plugged-in disk drives, so it also triggers an alert if the flash drive is removed. The problem is how often the command fires: if the flash drive is plugged in and removed within the configured frequency (30 seconds in our case), it will never trigger an alert.

It's necessary to create a new custom rule for this command:

<rule id="140126" level="7">
  <if_sid>530</if_sid>
  <match type="pcre2">ossec: output:.*?Get-PnpDevice</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

It also works with the <check_diff /> option.

An example alert:

{"timestamp":"2022-06-27T15:31:18.710-0300","rule":{"level":7,"description":"New USB device connected","id":"140125","firedtimes":3,"mail":false,"groups":["hp","custom"]},"agent":{"id":"004","name":"DESKTOP-","ip":"192.16.10.8"},"manager":{"name":"VBox"},"id":"1656354678.142043","previous_output":"Previous output:\nossec: output: 'powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\"':\nStatus     Class           FriendlyName                                                                     InstanceId \n------     -----           ------------                                                                     ---------- \nOK         DiskDrive       KINGSTON OM8PCP3512F-AB                                                          SCSI\\DIS...\nOK         DiskDrive       SanDisk Cruzer Blade USB Device                                                  USBSTOR\\...\n","full_log":"ossec: output: 'powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\"':\nStatus     Class           FriendlyName                                                                     InstanceId \n------     -----           ------------                                                                     ---------- \nOK         DiskDrive       KINGSTON OM8PCP3512F-AB                                                          SCSI\\DIS...\n","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\"':\nStatus     Class           FriendlyName                                                                     InstanceId \n------     -----           ------------                                                                     ---------- \nOK         DiskDrive       KINGSTON OM8PCP3512F-AB                                                          SCSI\\DIS...\nOK         DiskDrive       SanDisk Cruzer Blade USB Device                                                  USBSTOR\\...\n","location":"powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\""}

I think this is a really good feature to use!
Let me know if it works for you.
Regards!
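
Added example (editor's addition, not code from the thread or from Wazuh): the alerts above carry Format-Table output with InstanceId cut down to USBSTOR\... and SCSI\DIS..., so the serial number that tells two units of the same model apart is lost, and the cut-off point moves with the console width. The function below runs the same Get-PnpDevice -PresentOnly query but prints the full InstanceId, one device per line in a fixed order, with the bus the disk sits on. Get-PnpDevice and its -Class and -PresentOnly parameters are standard cmdlet features; the function name and the line layout are this example's own choices.

```powershell
# Added example (not from the thread): disk drives present right now, with
# the full InstanceId, formatted for a stable <check_diff /> comparison.

function Get-PresentDiskDrive {
    # Same data as the thread's query; -Class DiskDrive replaces the
    # Where-Object on $_.Class. Nothing is printed here: objects are
    # returned so the caller decides the text layout.
    Get-PnpDevice -PresentOnly -Class DiskDrive -ErrorAction SilentlyContinue |
        Sort-Object -Property InstanceId |
        ForEach-Object {
            # Shape of InstanceId (placeholders, not real values):
            #   USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<serial>&0
            #   SCSI\DISK&VEN_<vendor>&PROD_<product>\<bus-assigned id>
            # Do not filter on the USBSTOR\ prefix alone: a UASP enclosure
            # enumerates as SCSI\ with a USB parent and would be missed, so
            # internal drives stay in the list. They never change between
            # polls, so they add no noise to the diff.
            $parts = $_.InstanceId -split '\\'
            [pscustomobject]@{
                Bus          = $parts[0]          # USBSTOR, SCSI, ...
                UnitId       = $parts[-1]         # the serial for USBSTOR devices
                Status       = $_.Status          # OK, Error, Unknown, ...
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
            }
        }
}

# Plain text, not Format-Table: Format-Table truncates long columns with
# '...' at a point that depends on console width, which makes the diff
# unreliable. No timestamps or counters, or every run would differ.
Get-PresentDiskDrive | ForEach-Object {
    '{0} | {1} | {2} | {3}' -f $_.Status, $_.Bus, $_.FriendlyName, $_.InstanceId
}
```

Save it as a .ps1 file writable only by Administrators and SYSTEM (the agent runs it as LocalSystem by default), reference it from <command> with powershell -NoProfile -ExecutionPolicy Bypass -File <path>, and change the rule's <match> so it matches the new command text instead of Get-PnpDevice. This is still a poll: a device inserted and removed inside one <frequency> interval is never seen, exactly as described above, so choose the interval with that in mind.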

Renan Rivera
Jun 27, 2022, 8:18:53 PM
to Christian Borla, Wazuh mailing list
Hello Christian,

Good Day!

Good news: I can now see the logs when a USB device is inserted into the agent. This is great!

/var/ossec/logs/archives/archives.json
{"timestamp":"2022-06-28T07:48:52.426+0800","agent":{"id":"001","name":"IT-078A-Renan","ip":"10.6.4.18"},"manager":{"name":"localhost.localdomain"},"id":"1656373732.10947663","cluster":{"name":"wazuh","node":"wzh_master"},"full_log":"ossec: output: 'powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\"':\nStatus     Class           FriendlyName                                                                     InstanceId \n------     -----           ------------                                                                     ---------- \nOK         DiskDrive       VendorCo ProductCode USB Device                                                  USBSTOR\\...\nOK         DiskDrive       WDC WD10EZEX-60WN4A0                                                             SCSI\\DIS...\nOK         DiskDrive       KINGSTON SA400S37120G                                                            SCSI\\DIS...\n","decoder":{"name":"ossec"},"location":"powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\""}

And I can now see the event in the dashboard.

You're AMAZING, Christian. I thought I would just give up after failing to enable this option, but thanks to the usual support, I really appreciate your help.

Agreed about this USB detection feature of Wazuh. It is helpful if your organization restricts the use of USB flash drives :)


Warm Regards,
Renan

Christian Borla
Jun 28, 2022, 12:53:50 PM
to Wazuh mailing list
Hi Renan!
Great! You are welcome!

Ahmad Quryshi
Dec 24, 2022, 12:48:53 PM
to Wazuh mailing list
Thanks, dear Renan and Christian. You both do a great job.
Tell me how I can see the USB event on the dashboard.
Thanks
Regards, Ahmad Hassan

Christian Borla
Dec 26, 2022, 1:33:45 PM
to Wazuh mailing list
Hi Ahmad Hassan!

Once you have configured agent-side data collection and the manager rule, the alert should appear in the alerts.json file; then Filebeat consumes that alert and sends it to the indexer, and the dashboard reads it from there.

Windows Agent configuration:


 <localfile>
    <log_format>full_command</log_format>
    <command>powershell "Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }"</command>
    <frequency>30</frequency>
  </localfile>

Manager rule to add in /var/ossec/etc/rules/local_rules.xml:


<rule id="140126" level="7">
  <if_sid>530</if_sid>
  <match type="pcre2">ossec: output:.*?Get-PnpDevice</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

After those changes restart the agent and the manager. Plug a USB device into the agent, wait 30 seconds, and an alert should be generated; look for it in /var/ossec/logs/alerts/alerts.json.

It should look like this:


{"timestamp":"2022-06-27T15:31:18.710-0300","rule":{"level":7,"description":"New USB device connected","id":"140125","firedtimes":3,"mail":false,"groups":["hp","custom"]},"agent":{"id":"004","name":"DESKTOP-","ip":"192.16.10.8"},"manager":{"name":"VBox"},"id":"1656354678.142043","previous_output":"Previous output:\nossec: output: 'powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\"':\nStatus     Class           FriendlyName                                                                     InstanceId \n------     -----           ------------                                                                     ---------- \nOK         DiskDrive       KINGSTON OM8PCP3512F-AB                                                          SCSI\\DIS...\nOK         DiskDrive       SanDisk Cruzer Blade USB Device                                                  USBSTOR\\...\n","full_log":"ossec: output: 'powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\"':\nStatus     Class           FriendlyName                                                                     InstanceId \n------     -----           ------------                                                                     ---------- \nOK         DiskDrive       KINGSTON OM8PCP3512F-AB                                                          SCSI\\DIS...\n","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\"':\nStatus     Class           FriendlyName                                                                     InstanceId \n------     -----           ------------                                                                     ---------- \nOK         DiskDrive       KINGSTON OM8PCP3512F-AB                                                          SCSI\\DIS...\nOK         DiskDrive       SanDisk Cruzer Blade USB Device                                                  USBSTOR\\...\n","location":"powershell \"Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }\""}

Then Filebeat will send this alert to the indexer and it will be available on the dashboard.
Let me know if that works.
Regards.


Ahmad Quryshi
Jan 2, 2023, 2:17:54 AM
to Wazuh mailing list
Thanks.
It's working...
Dear brother, I want to configure FIM on a USB device. I added the rule in the ossec.conf file and restarted the Wazuh agent, but no files are shown on the Wazuh dashboard. Kindly guide me regarding this.

Massimiliano De Falco
Jan 12, 2023, 9:19:50 AM
to Wazuh mailing list
Good morning to all. I'm interested in this post.

I have configured the agent.conf file:

<agent_config>
    <!-- Shared agent configuration here -->
    <syscheck>
        <frequency>10800</frequency>
        <directories check_all="yes" realtime="yes" report_changes="yes" whodata="yes">C:\\Users</directories>
        <ignore>C:\\Users\\%USERNAME%\\appdata</ignore>
    </syscheck>

    <localfile>
        <log_format>full_command</log_format>
        <command>powershell "Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }"</command>
        <frequency>30</frequency>
    </localfile>
</agent_config>

and the local_rules.xml:

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
 
  <rule id="100010" level="0">
    <program_name>USER_logged</program_name>
    <description>User logged</description>
  </rule>

 
  <rule id="140126" level="7">
    <if_sid>530</if_sid>
    <match type="pcre2">ossec: output:.*?Get-PnpDevice</match>
    <check_diff />
    <description>New USB device connected</description>
  </rule>

</group>

but no /var/ossec/logs/archives/archives.json file is created and there is no USB event in /var/ossec/logs/alerts/alerts.json.

What can I do? Thanks.