I have a batch script I wrote that could be used in replacement of
PowerShell...
@echo off
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2"
get name /format:value') do ( set var=%%d
)
echo
dir /s %var% > C:\temp\test.txt
type C:\temp\test.txt
pause
The output is this went usb drives are available
Volume in drive F is F
Volume Serial Number is 2971-7DFC
Directory of F:\
08/11/2015 09:21 PM 12,836,794 38 Special - Caught Up In You.mp4
08/11/2015 09:21 PM 13,973,320 38 Special - Hold On Loosely.mp4
08/11/2015 09:14 PM 10,296,703 Alanis Morissette - Hand In My
Pocket.mp4
08/11/2015 09:15 PM 19,490,518 Alanis Morissette - Ironic OFFICIAL
VIDEO.mp4
08/11/2015 07:46 PM 10,015,763 All That Remains - Hold On.mp4
08/11/2015 07:46 PM 14,173,662 All That Remains - What If I Was
Nothing.mp4
08/11/2015 07:20 PM 14,071,850 Andy Grammer - Honey Im Good
Official Music Video.mp4
And this when none are inserted ( this being ran from my users Desktop
directory... ( was looking at running this .bat from the ossec agent side
bin) or a sub folder of that..
Volume in drive C has no label.
Volume Serial Number is 84F7-A037
Directory of C:\Program Files\ossec-agent\active-response\bin
04/20/2016 05:14 PM <DIR> .
04/20/2016 05:14 PM <DIR> ..
04/19/2016 05:30 PM 515 restart-ossec.cmd
04/19/2016 05:30 PM 1,520 route-null.cmd
04/20/2016 05:04 PM 215 usb.bat
3 File(s) 2,250 bytes
Total Files Listed:
3 File(s) 2,250 bytes
2 Dir(s) 860,057,559,040 bytes free
One of my concerns is that of getting this script info into the email
alerts as well as in ossecs host logs in order to search via keyword say
"usb" is ELSA... I am still not
totally up to speed on how this works..
On Wednesday, April 20, 2016 at 3:23:31 PM UTC-5, Jacob Mcgrath wrote:
>
> Wonder if I could wrap it into a test.ps1 and execute threw <command>
> powershell.exe
> -noprofile -executionpolicy bypass -file .\test.ps1
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>>
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using Power shell..
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe -command "gwmi win32_diskdrive | select
>>
>> Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions >
>> C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"
>> </command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>>
>> with the following rule in local_rules.xml
>> <rule id="503002" level="7">
>> <if_sid>530</if_sid>
>> <match>ossec: output: 'USBDevices'</match>
>> <check_diff />
>> <description>Mounted Device change detected</description>
>> </rule>
>>
>>
>>
>>
>> Of course I get this alert which is nice for basic logging..
>>
>> OSSEC HIDS Notification.
>>
>>
>>
>> 2016 Apr 19 18:35:31
>>
>>
>>
>> Received From: (mis41) any->USBDevices
>>
>> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>>
>> Portion of the log(s):
>>
>>
>>
>> ossec: output: 'USBDevices':
>>
>> Model : TOSHIBA DT01ACA100 SCSI Disk Device
>>
>> InterfaceType : IDE
>>
>> serialnumber : 359ZMW6MS
>>
>> Size : 1000202273280
>>
>> MediaType : Fixed hard disk media
>>
>> CapabilityDescriptions : {Random Access, Supports Writing, SMART
>> Notification}
>>
>> Model : Verbatim STORE N GO USB Device
>>
>> InterfaceType : USB
>>
>> serialnumber : AA00000000000489
>>
>> Size : 16022845440
>>
>> MediaType : Removable Media
>>
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports
>> Removable M
>>
>> edia}
>>
>> Model : Verbatim STORE N GO USB Device
>>
>> InterfaceType : USB
>>
>> serialnumber : AA00000000000489
>>
>> Size : 16022845440
>>
>> MediaType : Removable Media
>>
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports
>> Removable M
>>
>>
>>
>>
>>
>>
>>
>> --END OF NOTIFICATION
>>
>>
>>
>> I was playing around with Powershell and have a optional command to print
>> out USB storage device files recursively...
>>
>>
>> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
>> "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive
>> -recurse
>> > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>>
>> this gives me this output in a tmp.txt if ran from a powershell window
>> and or run line.
>>
>>
>> Directory: F:\
>>
>>
>> Mode LastWriteTime Length Name
>>
>> ---- ------------- ------ ----
>>
>> -a--- 11/06/2015 12:38 PM 22908888 mbam-setup-2.2.0.1024.exe
>>
>> -a--- 12/21/2014 9:27 AM 397798952 sp66051_driver-pack.exe
>>
>>
>>
>> Directory: E:\
>>
>>
>> Mode LastWriteTime Length Name
>>
>> ---- ------------- ------ ----
>>
>> -a--- 12/06/2011 9:51 AM 388608 HijackThis.exe
>>
>> -a--- 03/04/2016 2:44 PM 22908888 mbam-setup-2.2.0.1024.exe
>>
>> -a--- 03/04/2016 2:46 PM 9524 hijackthis.log
>>
>> I have been attempting to get the above USB recursive file lists
>> into a USB detection report but have not had any success as of yet using
>> the above command instead of the first like below.
>>
>>
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -
>> Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem
>> $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -
>> Skip 2)"</command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>>
>> This gives me a empty C:\temp\test.txt file...
>>
>>
>> Any suggestions would be appreiciated...
>>
>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
