Ok, this seems to work better on the Ad network with the Powershell lock down we have at work at the moment..
<rule id="503002" level="7"> <if_sid>530</if_sid> <match>ossec: output: 'USB-Audit'</match> <check_diff /> <description>USB Connected - Current Session Information</description> </rule> <localfile> <log_format>full_command</log_format> <command>C:\Admin_Tools\USB_Audit\ps-usb.bat</command> <frequency>60</frequency> <alias>USB-Audit</alias> </localfile> ps-usb.bat @echo off for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do ( set var=%%d ) echo dir /s %var% > C:\temp\usb.txt type C:\temp\usb.txt end The output I get from this in email alerts is this OSSEC HIDS Notification. 2016 Apr 21 19:47:54 Received From: (mis41) any->USB-Audit Rule: 503002 fired (level 7) -> "USB Connected - Current Session Information" Portion of the log(s): ossec: output: 'USB-Audit': ECHO is off. Volume in drive E is 2_4_2-32-I5 Volume Serial Number is 4086-B0A1 Directory of E:\ 12/06/2011 10:51 AM 388,608 HijackThis.exe 03/04/2016 03:44 PM 22,908,888 mbam-setup-2.2.0.1024.exe 03/04/2016 03:46 PM 9,524 hijackthis.log 04/11/2016 03:08 PM 139 report.txt 03/30/2016 10:34 AM 545,957 Screenshot - 03302016 - 03%3A34%3A52 PM.png 02/10/2016 09:16 AM 72,176 Signage-Server.docx 11/14/2013 12:26 PM 557 add-printer.bat 02/29/2016 04:12 PM 406 ChatLog Meet Now 2016_02_29 15_12.rtf 04/18/2016 12:50 PM 319 dsafsadf 04/14/2016 04:02 PM 11,990 Management Interface10.docx 04/14/2016 04:01 PM 50,589 netscan.xml 11/03/2015 03:56 PM 10,846 Old Equipmentlist.xlsx 02/29/2016 03:01 PM 26,112 OneLink_Server_IP Schema all in one.xls 13 File(s) 24,026,111 bytes Directory of E:\System Volume Information --END OF NOTIFICATION On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote: > > I have a basic Windows agent setting to alert me when a storage device is > detected using Power shell.. > > <localfile> > <log_format>full_command</log_format> > <command>powershell.exe -command "gwmi win32_diskdrive | select > Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > > > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)" > </command> > <frequency>300</frequency> > <alias>USBDevices</alias> > </localfile> > > > with the following rule in local_rules.xml > <rule id="503002" level="7"> > <if_sid>530</if_sid> > <match>ossec: output: 'USBDevices'</match> > <check_diff /> > <description>Mounted Device change detected</description> > </rule> > > > > > Of course I get this alert which is nice for basic logging.. > > OSSEC HIDS Notification. > > > > 2016 Apr 19 18:35:31 > > > > Received From: (mis41) any->USBDevices > > Rule: 503002 fired (level 7) -> "Mounted Device change detected" > > Portion of the log(s): > > > > ossec: output: 'USBDevices': > > Model : TOSHIBA DT01ACA100 SCSI Disk Device > > InterfaceType : IDE > > serialnumber : 359ZMW6MS > > Size : 1000202273280 > > MediaType : Fixed hard disk media > > CapabilityDescriptions : {Random Access, Supports Writing, SMART > Notification} > > Model : Verbatim STORE N GO USB Device > > InterfaceType : USB > > serialnumber : AA00000000000489 > > Size : 16022845440 > > MediaType : Removable Media > > CapabilityDescriptions : {Random Access, Supports Writing, Supports > Removable M > > edia} > > Model : Verbatim STORE N GO USB Device > > InterfaceType : USB > > serialnumber : AA00000000000489 > > Size : 16022845440 > > MediaType : Removable Media > > CapabilityDescriptions : {Random Access, Supports Writing, Supports > Removable M > > > > > > > > --END OF NOTIFICATION > > > > I was playing around with Powershell and have a optional command to print > out USB storage device files recursively... > > > powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter > "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive > -recurse > > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2) > > > this gives me this output in a tmp.txt if ran from a powershell window and > or run line. > > > Directory: F:\ > > > Mode LastWriteTime Length Name > > ---- ------------- ------ ---- > > -a--- 11/06/2015 12:38 PM 22908888 mbam-setup-2.2.0.1024.exe > > -a--- 12/21/2014 9:27 AM 397798952 sp66051_driver-pack.exe > > > > Directory: E:\ > > > Mode LastWriteTime Length Name > > ---- ------------- ------ ---- > > -a--- 12/06/2011 9:51 AM 388608 HijackThis.exe > > -a--- 03/04/2016 2:44 PM 22908888 mbam-setup-2.2.0.1024.exe > > -a--- 03/04/2016 2:46 PM 9524 hijackthis.log > > I have been attempting to get the above USB recursive file lists > into a USB detection report but have not had any success as of yet using > the above command instead of the first like below. > > > > <localfile> > <log_format>full_command</log_format> > <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter > "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive - > recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)" > </command> > <frequency>300</frequency> > <alias>USBDevices</alias> > </localfile> > > > This gives me a empty C:\temp\test.txt file... > > > Any suggestions would be appreiciated... > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.