I have a batch script I wrote that could be used in replacement of PowerShell...

    @echo off
    rem Find removable (DriveType=2) logical disks; wmic prints lines like "Name=F:"
    for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
        rem the inner loop strips the trailing carriage return wmic leaves on each line
        for /f "delims=" %%e in ("%%d") do set var=%%e
    )
    rem with no removable drive present, var is unset and dir /s would list the current directory instead
    if not defined var (echo No removable drive found & goto :end)
    dir /s %var% > C:\temp\test.txt
    type C:\temp\test.txt
    :end
    pause

The output is this when USB drives are available:

    Volume in drive F is F
    Volume Serial Number is 2971-7DFC

    Directory of F:\

    08/11/2015  09:21 PM        12,836,794 38 Special - Caught Up In You.mp4
    08/11/2015  09:21 PM        13,973,320 38 Special - Hold On Loosely.mp4
    08/11/2015  09:14 PM        10,296,703 Alanis Morissette - Hand In My Pocket.mp4
    08/11/2015  09:15 PM        19,490,518 Alanis Morissette - Ironic OFFICIAL VIDEO.mp4
    08/11/2015  07:46 PM        10,015,763 All That Remains - Hold On.mp4
    08/11/2015  07:46 PM        14,173,662 All That Remains - What If I Was Nothing.mp4
    08/11/2015  07:20 PM        14,071,850 Andy Grammer - Honey Im Good Official Music Video.mp4

And this when none are inserted (this being run from my user's Desktop directory... (was looking at running this .bat from the ossec agent side bin) or a sub folder of that..

    Volume in drive C has no label.
    Volume Serial Number is 84F7-A037

    Directory of C:\Program Files\ossec-agent\active-response\bin

    04/20/2016  05:14 PM    <DIR>          .
    04/20/2016  05:14 PM    <DIR>          ..
    04/19/2016  05:30 PM               515 restart-ossec.cmd
    04/19/2016  05:30 PM             1,520 route-null.cmd
    04/20/2016  05:04 PM               215 usb.bat
                   3 File(s)          2,250 bytes

        Total Files Listed:
                   3 File(s)          2,250 bytes
                   2 Dir(s)  860,057,559,040 bytes free

One of my concerns is that of getting this script info into the email alerts as well as in ossec's host logs in order to search via keyword, say "usb", in ELSA... I am still not totally up to speed on how this works..

On Wednesday, April 20, 2016 at 3:23:31 PM UTC-5, Jacob Mcgrath wrote:
>
> Wonder if I could wrap it into a test.ps1 and execute through <command>
> powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>>
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using PowerShell..
>>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>>   <frequency>300</frequency>
>>   <alias>USBDevices</alias>
>> </localfile>
>>
>> with the following rule in local_rules.xml
>>
>> <rule id="503002" level="7">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'USBDevices'</match>
>>   <check_diff />
>>   <description>Mounted Device change detected</description>
>> </rule>
>>
>> Of course I get this alert which is nice for basic logging..
>>
>> OSSEC HIDS Notification.
>> 2016 Apr 19 18:35:31
>>
>> Received From: (mis41) any->USBDevices
>> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>> Portion of the log(s):
>>
>> ossec: output: 'USBDevices':
>> Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
>> InterfaceType          : IDE
>> serialnumber           : 359ZMW6MS
>> Size                   : 1000202273280
>> MediaType              : Fixed hard disk media
>> CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>>
>> Model                  : Verbatim STORE N GO USB Device
>> InterfaceType          : USB
>> serialnumber           : AA00000000000489
>> Size                   : 16022845440
>> MediaType              : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>>
>> Model                  : Verbatim STORE N GO USB Device
>> InterfaceType          : USB
>> serialnumber           : AA00000000000489
>> Size                   : 16022845440
>> MediaType              : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>>
>> --END OF NOTIFICATION
>>
>> I was playing around with PowerShell and have an optional command to print
>> out USB storage device files recursively...
>>
>> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>> this gives me this output in a tmp.txt if run from a PowerShell window
>> and or run line.
>>
>>     Directory: F:\
>>
>> Mode                LastWriteTime     Length Name
>> ----                -------------     ------ ----
>> -a---        11/06/2015 12:38 PM   22908888 mbam-setup-2.2.0.1024.exe
>> -a---        12/21/2014  9:27 AM  397798952 sp66051_driver-pack.exe
>>
>>     Directory: E:\
>>
>> Mode                LastWriteTime     Length Name
>> ----                -------------     ------ ----
>> -a---        12/06/2011  9:51 AM     388608 HijackThis.exe
>> -a---        03/04/2016  2:44 PM   22908888 mbam-setup-2.2.0.1024.exe
>> -a---        03/04/2016  2:46 PM       9524 hijackthis.log
>>
>> I have been attempting to get the above USB recursive file lists
>> into a USB detection report but have not had any success as of yet using
>> the above command instead of the first like below.
>>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>>   <frequency>300</frequency>
>>   <alias>USBDevices</alias>
>> </localfile>
>>
>> This gives me an empty C:\temp\test.txt file...
>>
>> Any suggestions would be appreciated...
>>
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
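One way to do what the thread is after, as an added example that is not from the original posts or the OSSEC project: a PowerShell script run through the <command>powershell.exe -noprofile -executionpolicy bypass -file ...</command> wrapper suggested above, which enumerates removable volumes and lists their files in a sorted, one-line-per-item form so that <check_diff /> only fires on a real change. The script path C:\temp\usb-inventory.ps1 and the "USB:" line prefix are assumptions.

```powershell
# usb-inventory.ps1 (added example, not from the original thread or OSSEC)
# Run from the agent's ossec.conf with the same full_command/alias as above, e.g.
#   <command>powershell.exe -noprofile -executionpolicy bypass -file C:\temp\usb-inventory.ps1</command>
# Output is sorted and one line per item so that <check_diff /> only fires when
# a volume appears, disappears, or its file list changes (not on listing order).
$ErrorActionPreference = 'SilentlyContinue'   # skip access-denied noise while recursing

# DriveType 2 = removable disk, the same Win32_Volume filter the original post uses
$volumes = Get-WmiObject Win32_Volume -Filter "DriveType='2'" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter

if (-not $volumes) {
    # Constant output when nothing is mounted, so the diff is stable (and never empty)
    Write-Output 'USB: no removable volumes mounted'
    return
}

foreach ($vol in $volumes) {
    # One summary line per volume: letter, label, volume serial, capacity in bytes
    Write-Output ('USB: volume {0} label="{1}" serial={2} capacity={3}' -f `
        $vol.DriveLetter, $vol.Label, $vol.SerialNumber, $vol.Capacity)

    # Recursive file list; -Recurse on a large drive can take longer than the
    # 300 s <frequency>, so keep the frequency above the worst-case runtime.
    Get-ChildItem -Path ($vol.DriveLetter + '\') -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object FullName |
        ForEach-Object {
            Write-Output ('USB: file "{0}" size={1} mtime={2:yyyy-MM-dd HH:mm:ss}' -f `
                $_.FullName, $_.Length, $_.LastWriteTime)
        }
}
```

Because every line carries the "USB:" prefix and OSSEC prepends "ossec: output: 'USBDevices':" to full_command output, the existing rule 503002 keeps matching and the alert body becomes searchable on that keyword.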