I have a basic Windows agent setting to alert me when a storage device is detected, using PowerShell:

<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
  <frequency>300</frequency>
  <alias>USBDevices</alias>
</localfile>

with the following rule in local_rules.xml:

<rule id="503002" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'USBDevices'</match>
  <check_diff />
  <description>Mounted Device change detected</description>
</rule>

Of course I get this alert, which is nice for basic logging:

OSSEC HIDS Notification.
2016 Apr 19 18:35:31

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
InterfaceType          : IDE
serialnumber           : 359ZMW6MS
Size                   : 1000202273280
MediaType              : Fixed hard disk media
CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA00000000000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA00000000000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M

--END OF NOTIFICATION

I was playing around with PowerShell and have an optional command to print out USB storage device files recursively:

powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)

This gives me this output in a tmp.txt if run from a PowerShell window and/or the Run line:

    Directory: F:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/06/2015  12:38 PM   22908888 mbam-setup-2.2.0.1024.exe
-a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe

    Directory: E:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        12/06/2011   9:51 AM     388608 HijackThis.exe
-a---        03/04/2016   2:44 PM   22908888 mbam-setup-2.2.0.1024.exe
-a---        03/04/2016   2:46 PM       9524 hijackthis.log

I have been attempting to get the above USB recursive file lists into a USB detection report, but have not had any success as of yet using the above command instead of the first, like below:

<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe -command "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
  <frequency>300</frequency>
  <alias>USBDevices</alias>
</localfile>

This gives me an empty C:\temp\test.txt file... Any suggestions would be appreciated...
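As an added example (not from the original post), a stand-alone script the agent could call through full_command instead of an inline command; the script path C:\ossec\usb-report.ps1 is an assumption. It writes straight to stdout (which full_command captures) rather than through a temp file, sorts its output so check_diff only fires on real changes, and emits a fixed line when no removable volume is present so the "no device" state is also a known state.

```powershell
# Added example (not from the original post): list removable volumes and
# their files in a stable, diff-friendly form for an OSSEC full_command.
# Assumes it is saved as C:\ossec\usb-report.ps1 (hypothetical path) and
# referenced as:
#   <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ossec\usb-report.ps1</command>
$ErrorActionPreference = 'Continue'

# DriveType 2 = removable disk in Win32_Volume. DriveLetter is $null for
# volumes without a letter, so drop those before trying to walk them.
$volumes = Get-WmiObject Win32_Volume -Filter "DriveType='2'" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter

if (-not $volumes) {
    # A constant line instead of empty output: check_diff then records the
    # removal of a device as a change as well, not just its arrival.
    Write-Output 'No removable volumes present'
    return
}

foreach ($vol in $volumes) {
    $root = $vol.DriveLetter + '\'
    Write-Output ("Volume {0} label='{1}' serial={2} capacity={3}" -f
        $root, $vol.Label, $vol.SerialNumber, $vol.Capacity)

    # -Force includes hidden/system files (for example autorun.inf);
    # unreadable paths are collected in $walkErrors instead of aborting.
    $files = Get-ChildItem -LiteralPath $root -Recurse -Force -File `
        -ErrorAction SilentlyContinue -ErrorVariable walkErrors

    # Sorted by full path so the listing order never changes on its own.
    foreach ($f in ($files | Sort-Object FullName)) {
        Write-Output ("  {0,-19} {1,12} {2}" -f
            $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss'), $f.Length, $f.FullName)
    }
    foreach ($e in $walkErrors) {
        Write-Output ("  ERROR reading {0}" -f $e.TargetObject)
    }
}
```

The matching rule can keep the same `<match>` and `<check_diff />` as rule 503002; only the alias in the `<localfile>` block needs to differ if both commands are kept.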