Monitoring USB drives in Windows using Wazuh not working


Faisal wanth

Jan 25, 2021, 6:09:25 AM
to Wazuh mailing list

Hi team,
I tried to activate USB monitoring for Wazuh on a Windows agent, based on a list check, in order to define whether a USB storage device is authorized or not. I found a guide on the Wazuh blog that I followed


I even modified

<regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>

to

<regex>USBSTOR#Disk\pVen_(\S*)\pProd_(\S*)\pRev_(\.*)#(\S*)\p0#\S*\s</regex>
as mentioned in 




But still nothing seems to work; no alerts are being generated for the inserted USB device.




Wazuh version: v3.9.5.

Is there something that I am missing? Please help.

Attachments: rules.JPG, decoders.JPG

Juan Nicolás Asselle

Jan 26, 2021, 6:16:46 AM
to Wazuh mailing list

Hi!

Could you please check using Event Viewer if the USB PNP event is being correctly generated? It should appear like the attached screenshot.

If the events are correctly generated, we will check whether they are arriving at the Wazuh manager even though they are not currently generating alerts. This can easily be done by enabling the logall option in ossec.conf, restarting the manager to apply the configuration, and searching for any appearance of USBSTOR in the manager's archives.log by running tail -f /var/ossec/logs/archives/archives.log | grep USBSTOR while generating the event on the agent by connecting the USB storage device. If any data appears, it means the event arrives correctly at the manager and the problem is in the rules; otherwise there is a problem in the agent and logs are not being sent to the manager.

Thank you; I will wait for this information to move forward.
Regards,
Nico

Attachment: VirtualBox_win_default_1610395623249_77843_25_01_2021_22_59_22.png

Faisal wanth

Jan 26, 2021, 8:26:19 AM
to Juan Nicolás Asselle, Wazuh mailing list

Hi Juan,

Many thanks for your comments,

I followed exactly the same procedure, but still it is not generating any alerts for the USB detection, even though '6416' events are getting triggered on the Windows machine; there are no entries in "alerts.log" pertaining to this event.


archives.log is displaying something like this:

Attachment: archives-log2.JPG



But nothing in alerts.log:




--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/417a9599-5b80-498e-8b24-ecdf2b5ee50an%40googlegroups.com.
Attachments: USB Events.PNG, USB-SerialNumber.JPG

Juan Nicolás Asselle

Jan 26, 2021, 11:26:57 PM
to Wazuh mailing list

Hi!

Unfortunately, the archives.log output that you attached is a product of the grep command itself. Could you please tell me what version of Windows you are currently using? Also, could you please check in your agent's ossec.conf whether the Security EventChannel is enabled?
I was able to receive the event in the manager, and it looks like the following example:

2021 Jan 27 04:15:09 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-01-27T04:15:09.4897900Z","eventRecordID":"10743","processID":"4","threadID":"304","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDESKTOP-0B4HOM2$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tUSB\\VID_0951&PID_1666\\60A44C413985BDC1200064CC\r\n\r\nDevice Name:\tUSB Mass Storage Device\r\n\r\nClass ID:\t\t{36fc9e60-c465-11cf-8056-444553540000}\r\n\r\nClass Name:\tUSB\r\n\r\nVendor IDs:\t\r\n\t\tUSB\\VID_0951&PID_1666&REV_0100\r\n\t\tUSB\\VID_0951&PID_1666\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tUSB\\Class_08&SubClass_06&Prot_50\r\n\t\tUSB\\Class_08&SubClass_06\r\n\t\tUSB\\Class_08\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tPort_#0009.Hub_#0001\r\n\t\t\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"DESKTOP-0B4HOM2$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","deviceId":"USB\\\\VID_0951&amp;PID_1666\\\\60A44C413985BDC1200064CC","deviceDescription":"USB Mass Storage Device","classId":"{36fc9e60-c465-11cf-8056-444553540000}","className":"USB","vendorIds":"    USB\\\\VID_0951&amp;PID_1666&amp;REV_0100    USB\\\\VID_0951&amp;PID_1666","compatibleIds":"    USB\\\\Class_08&amp;SubClass_06&amp;Prot_50    USB\\\\Class_08&amp;SubClass_06    USB\\\\Class_08","locationInformation":"    Port_#0009.Hub_#0001"}}}
2021 Jan 27 04:15:09 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-01-27T04:15:09.4985605Z","eventRecordID":"10744","processID":"4","threadID":"304","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDESKTOP-0B4HOM2$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tUSBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\60A44C413985BDC1200064CC&0\r\n\r\nDevice Name:\tKingston DataTraveler 3.0 USB Device\r\n\r\nClass ID:\t\t{4d36e967-e325-11ce-bfc1-08002be10318}\r\n\r\nClass Name:\tDiskDrive\r\n\r\nVendor IDs:\t\r\n\t\tUSBSTOR\\DiskKingstonDataTraveler_3.0PMAP\r\n\t\tUSBSTOR\\DiskKingstonDataTraveler_3.0\r\n\t\tUSBSTOR\\DiskKingston\r\n\t\tUSBSTOR\\KingstonDataTraveler_3.0P\r\n\t\tKingstonDataTraveler_3.0P\r\n\t\tUSBSTOR\\GenDisk\r\n\t\tGenDisk\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tUSBSTOR\\Disk\r\n\t\tUSBSTOR\\RAW\r\n\t\tGenDisk\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t-\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"DESKTOP-0B4HOM2$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","deviceId":"USBSTOR\\\\Disk&amp;Ven_Kingston&amp;Prod_DataTraveler_3.0&amp;Rev_PMAP\\\\60A44C413985BDC1200064CC&amp;0","deviceDescription":"Kingston DataTraveler 3.0 USB Device","classId":"{4d36e967-e325-11ce-bfc1-08002be10318}","className":"DiskDrive","vendorIds":"    USBSTOR\\\\DiskKingstonDataTraveler_3.0PMAP    USBSTOR\\\\DiskKingstonDataTraveler_3.0    USBSTOR\\\\DiskKingston    USBSTOR\\\\KingstonDataTraveler_3.0P    KingstonDataTraveler_3.0P    USBSTOR\\\\GenDisk    GenDisk","compatibleIds":"    USBSTOR\\\\Disk    USBSTOR\\\\RAW    GenDisk"}}}
2021 Jan 27 04:15:09 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-01-27T04:15:09.5074030Z","eventRecordID":"10745","processID":"4","threadID":"304","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDESKTOP-0B4HOM2$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSTORAGE\\Volume\\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#60A44C413985BDC1200064CC&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\r\n\r\nDevice Name:\tVolume\r\n\r\nClass ID:\t\t{71a27cdd-812a-11d0-bec7-08002be2092f}\r\n\r\nClass Name:\tVolume\r\n\r\nVendor IDs:\t\r\n\t\tSTORAGE\\Volume\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t-\r\n\r\nLocation Information:\t-\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"DESKTOP-0B4HOM2$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","deviceId":"STORAGE\\\\Volume\\\\_??_USBSTOR#Disk&amp;Ven_Kingston&amp;Prod_DataTraveler_3.0&amp;Rev_PMAP#60A44C413985BDC1200064CC&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}","deviceDescription":"Volume","classId":"{71a27cdd-812a-11d0-bec7-08002be2092f}","className":"Volume","vendorIds":"    STORAGE\\\\Volume"}}}
2021 Jan 27 04:15:09 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-01-27T04:15:09.9135816Z","eventRecordID":"10746","processID":"4","threadID":"196","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDESKTOP-0B4HOM2$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSWD\\WPDBUSENUM\\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#60A44C413985BDC1200064CC&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\r\n\r\nDevice Name:\tE:\\\r\n\r\nClass ID:\t\t{eec5ad98-8080-425f-922a-dabf3de3f69a}\r\n\r\nClass Name:\tWPD\r\n\r\nVendor IDs:\t-\r\n\r\nCompatible IDs:\t\r\n\t\twpdbusenum\\fs\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t-\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"DESKTOP-0B4HOM2$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","deviceId":"SWD\\\\WPDBUSENUM\\\\_??_USBSTOR#Disk&amp;Ven_Kingston&amp;Prod_DataTraveler_3.0&amp;Rev_PMAP#60A44C413985BDC1200064CC&amp;0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}","deviceDescription":"E:\\\\","classId":"{eec5ad98-8080-425f-922a-dabf3de3f69a}","className":"WPD","compatibleIds":"    wpdbusenum\\\\fs    SWD\\\\Generic"}}}

Thank you; I will wait for this information to move forward.
Regards,
Nico


Faisal wanth

Jan 27, 2021, 1:31:52 PM
to Juan Nicolás Asselle, Wazuh mailing list
Hi Juan,

I was able to get some USB-related data in archives.log:

Attachment: new archives-log.JPG


But I am not getting any USB alerts in alerts.log. This is my "windows-decoder" file snippet; is this the right configuration to proceed with, or do I need to make some changes?

Attachment: decoder xml.JPG


Windows version: 10

Thanks


Juan Nicolás Asselle

Jan 29, 2021, 11:07:30 AM
to Wazuh mailing list

Hi!

First of all, sorry for the delay in the response. I was researching a bit about the article and trying to reproduce it, and came to the conclusion that it only works with EventLog. So, in order to make it work with EventChannel, you should follow the next steps:

  • Get the USB storage device's full DeviceID (check the attached image)
    Right-click on the desired USB storage device -> Properties -> Hardware (tab) -> Events. Copy the highlighted information; that will be our USB storage ID.

  • Create the CDB list
    On the Wazuh manager, create the file /var/ossec/etc/lists/usb-devices with the ID obtained in the last step and a human-readable description:
USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\60A44C413985BDC1200064CC&0:Nico's USB Disk

NOTE: Please escape each backslash by adding another backslash.

Then run /var/ossec/bin/ossec-makelists to compile it.

  • Add the usb-devices CDB list to the configuration
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/usb-devices</list>
    <list>etc/lists/list-IP</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>
  • Add the custom rules in /var/ossec/etc/rules/local_rules.xml
<rule id="100002" level="5">
  <if_sid>60103</if_sid>
  <field name="win.system.eventID">^6416$</field>
  <description>Windows: Authorized PNP device connected.</description>
</rule>
<rule id="100003" level="7">
  <if_sid>100002</if_sid>
  <list field="win.eventdata.deviceId" lookup="not_match_key">etc/lists/usb-devices</list>
  <description>Windows: Unauthorized PNP device connected.</description>
</rule>
  • Restart the Wazuh manager

I hope this helps. If you have any other question, do not hesitate to ask.

Regards,
Nico

Attachment: VirtualBox_win_default_1610395623249_77843_29_01_2021_11_05_40.png
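The following is an added example, not code from the thread or from Wazuh itself. It replays, offline, what the two passages above describe: the archives.log lines that the logall check produces (the "<timestamp> (<agent>) any->EventChannel {json}" format in Nico's sample) and the rule chain 100002/100003, where every Security 6416 AUDIT_SUCCESS event is "a PNP device connected" and it is "authorized" only if win.eventdata.deviceId is a key of the usb-devices CDB list. The sample log lines and the CDB list are constructed here, modelled on the thread's data, and the names SAMPLE_ARCHIVES, USB_DEVICES_CDB, parse_archives, parse_cdb, classify and run are mine. Two things worth checking with real data, which the example makes visible: Nico's sample shows that a single stick insertion produces several 6416 events (USB, DiskDrive, Volume and WPD class) with different deviceId values, and only the DiskDrive one carries the USBSTOR\Disk&Ven_... ID that goes in the list, so the other events will always fall through to the "unauthorized" rule; and the deviceId in the sample JSON contains "&amp;" where the CDB key in the reply uses a bare "&", so the key in the list must match, byte for byte, the value the rule engine actually sees (whether that value is entity-encoded on your manager is an assumption to verify, hence the unescape_entities flag).

```python
"""Added example: replay Wazuh's 6416 + CDB allow-list rule logic offline."""
from __future__ import annotations

import html
import json
import re

# Constructed archives.log excerpt (hypothetical data, shaped like the thread's sample).
# One stick insertion yields several 6416 events; only the DiskDrive one has the USBSTOR id.
SAMPLE_ARCHIVES = r'''
2021 Jan 27 04:15:09 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"6416","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS"},"eventdata":{"deviceId":"USB\\\\VID_0951&amp;PID_1666\\\\60A44C413985BDC1200064CC","deviceDescription":"USB Mass Storage Device","className":"USB"}}}
2021 Jan 27 04:15:09 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"6416","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS"},"eventdata":{"deviceId":"USBSTOR\\\\Disk&amp;Ven_Kingston&amp;Prod_DataTraveler_3.0&amp;Rev_PMAP\\\\60A44C413985BDC1200064CC&amp;0","deviceDescription":"Kingston DataTraveler 3.0 USB Device","className":"DiskDrive"}}}
2021 Jan 27 04:16:30 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"6416","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS"},"eventdata":{"deviceId":"USBSTOR\\\\Disk&amp;Ven_SanDisk&amp;Prod_Cruzer&amp;Rev_1.00\\\\4C530001230405&amp;0","deviceDescription":"SanDisk Cruzer USB Device","className":"DiskDrive"}}}
2021 Jan 27 04:17:00 (DESKTOP-0B4HOM2) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4624","channel":"Security","computer":"DESKTOP-0B4HOM2","severityValue":"AUDIT_SUCCESS"},"eventdata":{"targetUserName":"faisal"}}}
'''.strip()

# Hypothetical /var/ossec/etc/lists/usb-devices, written as in the reply above
# (backslashes doubled, bare '&', "key:description" per line).
USB_DEVICES_CDB = r"""
USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\60A44C413985BDC1200064CC&0:Nico's USB Disk
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<src>\S+)->(?P<location>\S+) (?P<payload>\{.*\})$"
)


def parse_archives(text: str) -> list[dict]:
    """Parse archives.log lines of the form '<ts> (<agent>) <src>-><location> <json>'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an EventChannel line (or a grep artefact); skip it
        ev = json.loads(m.group("payload"))
        ev["_agent"] = m.group("agent")
        events.append(ev)
    return events


def parse_cdb(text: str) -> dict[str, str]:
    """Parse a 'key:value' CDB list; keys are kept verbatim, exactly as the lookup sees them."""
    allow: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, desc = line.partition(":")
        allow[key] = desc
    return allow


def classify(ev: dict, allow: dict[str, str],
             unescape_entities: bool = False, usbstor_only: bool = False):
    """Return (rule_id, level, description) as rules 100002/100003 would, or None."""
    sysinfo = ev.get("win", {}).get("system", {})
    # Parent 60103 matches Windows audit-success events; 100002 adds ^6416$ on eventID.
    if sysinfo.get("severityValue") != "AUDIT_SUCCESS" or sysinfo.get("eventID") != "6416":
        return None
    device_id = ev["win"].get("eventdata", {}).get("deviceId", "")
    # Optional extra filter (mine, not in the thread's rules): only judge USBSTOR ids,
    # so the USB/Volume/WPD siblings of one insertion do not raise "unauthorized".
    if usbstor_only and not device_id.startswith("USBSTOR\\\\"):
        return None
    key = html.unescape(device_id) if unescape_entities else device_id
    if key in allow:
        return (100002, 5, f"Windows: Authorized PNP device connected ({allow[key]})")
    # Child 100003 (lookup="not_match_key") fires instead; being the more specific
    # rule, it is the one Wazuh alerts on, so the parent never shows for this event.
    return (100003, 7, "Windows: Unauthorized PNP device connected")


def run(archives: str = SAMPLE_ARCHIVES, cdb: str = USB_DEVICES_CDB, **opts):
    """Evaluate every line; return [(agent, deviceId, (rule_id, level, description)), ...]."""
    allow = parse_cdb(cdb)
    results = []
    for ev in parse_archives(archives):
        verdict = classify(ev, allow, **opts)
        if verdict is not None:
            results.append((ev["_agent"], ev["win"]["eventdata"].get("deviceId"), verdict))
    return results


if __name__ == "__main__":
    for label, opts in (("as written", {}),
                        ("entities unescaped", {"unescape_entities": True}),
                        ("unescaped, USBSTOR only", {"unescape_entities": True, "usbstor_only": True})):
        print(f"--- {label}")
        for agent, dev, (rid, lvl, desc) in run(**opts):
            print(f"{agent}  rule {rid} (level {lvl})  {desc}  {dev}")
```

Run as written, every 6416 line lands on rule 100003, including the Kingston stick that is in the list, because the event's deviceId carries "&amp;" and the list key a bare "&". With unescape_entities the Kingston DiskDrive event matches 100002, but the USB-class sibling of the same insertion still raises 100003; the usbstor_only filter is what removes that noise. If your manager shows the same symptom as the thread (only "Unauthorized" ever fires), compare the deviceId string printed in archives.log with the list key character by character, and check which of the several 6416 events per insertion you are looking at.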

Faisal wanth

Feb 1, 2021, 5:17:55 AM
to Juan Nicolás Asselle, Wazuh mailing list
Hi Juan, 

Thanks a lot for the walkthrough, highly appreciated.

I followed the procedure, and thank God events started popping up in the alerts.log file. But only the "Unauthorized PNP device connected" rule is getting triggered. Am I missing something?

alerts.log file:

Attachment: image.png

usb-devices:

Attachment: usb-devices.JPG



local_rules file:

Attachment: localrules-new.JPG

ossec.conf:

Attachment: manager-conf.JPG


windows-decoder.xml:

Attachment: image.png


It is not taking into consideration the CDB list that we created for USB device ID authorization.

Do I need to make any changes for the windows-decoder?


Thanks,


Víctor Ariel Hermosa Riveros

Sep 20, 2022, 2:24:22 AM
to Wazuh mailing list
What if I want to monitor all the USB devices connected or disconnected to the Windows Workstation? Will these configs work?

Usama Rajput

Nov 11, 2022, 5:58:12 AM
to Wazuh mailing list
I just want my Wazuh manager to detect the USB device without adding a CDB list yet.
How can I do that?