I have a basic Windows agent setting to alert me when a storage device is
detected using Power shell..
<localfile>
<log_format>full_command</log_format>
<command>powershell.exe -command "gwmi win32_diskdrive | select
Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions
>
C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"
</command>
<frequency>300</frequency>
<alias>USBDevices</alias>
</localfile>
with the following rule in local_rules.xml
<rule id="503002" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'USBDevices'</match>
<check_diff />
<description>Mounted Device change detected</description>
</rule>
Of course I get this alert which is nice for basic logging..
OSSEC HIDS Notification.
2016 Apr 19 18:35:31
Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):
ossec: output: 'USBDevices':
Model : TOSHIBA DT01ACA100 SCSI Disk Device
InterfaceType : IDE
serialnumber : 359ZMW6MS
Size : 1000202273280
MediaType : Fixed hard disk media
CapabilityDescriptions : {Random Access, Supports Writing, SMART
Notification}
Model : Verbatim STORE N GO USB Device
InterfaceType : USB
serialnumber : AA00000000000489
Size : 16022845440
MediaType : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports
Removable M
edia}
Model : Verbatim STORE N GO USB Device
InterfaceType : USB
serialnumber : AA00000000000489
Size : 16022845440
MediaType : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports
Removable M
--END OF NOTIFICATION
I was playing around with Powershell and have a optional command to print
out USB storage device files recursively...
powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
"DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse
> C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
this gives me this output in a tmp.txt if ran from a powershell window and
or run line.
Directory: F:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 11/06/2015 12:38 PM 22908888 mbam-setup-2.2.0.1024.exe
-a--- 12/21/2014 9:27 AM 397798952 sp66051_driver-pack.exe
Directory: E:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 12/06/2011 9:51 AM 388608 HijackThis.exe
-a--- 03/04/2016 2:44 PM 22908888 mbam-setup-2.2.0.1024.exe
-a--- 03/04/2016 2:46 PM 9524 hijackthis.log
I have been attempting to get the above USB recursive file lists
into a USB detection report but have not had any success as of yet using
the above command instead of the first like below.
<localfile>
<log_format>full_command</log_format>
<command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
"DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -
recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"
</command>
<frequency>300</frequency>
<alias>USBDevices</alias>
</localfile>
This gives me a empty C:\temp\test.txt file...
Any suggestions would be appreiciated...
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
