Ok, here is my .Bat script I use to Check for & list files contained within
the usb drive. If no drive is detected the output file would not change
there for not causing
an alarm when the drive is removed.
@echo off
set host=%COMPUTERNAME%
for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
for %%c in (%%b) do (
for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
if %%d equ Removable (
for /f "skip=4 usebackq tokens=2" %%a in (`nslookup %host%`) do echo %host%
%%a %user% > C:\temp\usbstor.txt
echo Drive %%c is Removable (USB^)
dir /s %%c >> C:\temp\usbstor.txt
type C:\temp\usbstor.txt
)
)
)
)
Now in the Windows agent config is have the entry that would run the .Bat
script every so many minutes or seconds ( I have mine set for 30 seconds
for testing but 60 sec would be more
realistic.
<localfile>
<log_format>full_command</log_format>
<command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
<frequency>30</frequency>
<alias>USBDevices</alias>
</localfile>
On the Ossec server side I have this entry on the local_rules.xml
<rule id="503002" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'USBDevices'</match>
<check_diff />
<description>Mounted Device change detected</description>
</rule>
After this I restart the Ossec server and agent wait a minute then insert a
usb drive. I get a email alert similar to this:
OSSEC HIDS Notification.
2016 Apr 28 15:11:29
Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):
ossec: output: 'USBDevices':
Drive F:\ is Removable (USB)
MIS41 10.18.100.24
Volume in drive F is OS
Volume Serial Number is 642E-1FF6
Directory of F:\
11/06/2015 01:38 PM 22,908,888 mbam-setup-2.2.0.1024.exe
12/21/2014 10:27 AM 397,798,952 sp66051_driver-pack.exe
2 File(s) 420,707,840 bytes
Directory of F:\System Volume Information
11/05/2015 08:56 AM <DIR> .
11/05/2015 08:56 AM <DIR> ..
11/05/2015 08:56 AM 76 IndexerVolumeGuid
01/13/2016 02:41 PM 12 WPSettings.dat
2 File(s) 88 bytes
Total Files Listed:
4 File(s) 420,707,928 bytes
2 Dir(s) 3,328,983,040 bytes free
Previous output:
ossec: output: 'USBDevices':
--END OF NOTIFICATION
In Squert I can see this:
On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
> I have a basic Windows agent setting to alert me when a storage device is
> detected using Power shell..
>
> <localfile>
> <log_format>full_command</log_format>
> <command>powershell.exe -command "gwmi win32_diskdrive | select
> Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions
> >
> C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"
> </command>
> <frequency>300</frequency>
> <alias>USBDevices</alias>
> </localfile>
>
>
> with the following rule in local_rules.xml
> <rule id="503002" level="7">
> <if_sid>530</if_sid>
> <match>ossec: output: 'USBDevices'</match>
> <check_diff />
> <description>Mounted Device change detected</description>
> </rule>
>
>
>
>
> Of course I get this alert which is nice for basic logging..
>
> OSSEC HIDS Notification.
>
>
>
> 2016 Apr 19 18:35:31
>
>
>
> Received From: (mis41) any->USBDevices
>
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>
> Portion of the log(s):
>
>
>
> ossec: output: 'USBDevices':
>
> Model : TOSHIBA DT01ACA100 SCSI Disk Device
>
> InterfaceType : IDE
>
> serialnumber : 359ZMW6MS
>
> Size : 1000202273280
>
> MediaType : Fixed hard disk media
>
> CapabilityDescriptions : {Random Access, Supports Writing, SMART
> Notification}
>
> Model : Verbatim STORE N GO USB Device
>
> InterfaceType : USB
>
> serialnumber : AA00000000000489
>
> Size : 16022845440
>
> MediaType : Removable Media
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports
> Removable M
>
> edia}
>
> Model : Verbatim STORE N GO USB Device
>
> InterfaceType : USB
>
> serialnumber : AA00000000000489
>
> Size : 16022845440
>
> MediaType : Removable Media
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports
> Removable M
>
>
>
>
>
>
>
> --END OF NOTIFICATION
>
>
>
> I was playing around with Powershell and have a optional command to print
> out USB storage device files recursively...
>
>
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
> "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive
> -recurse
> > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
>
> this gives me this output in a tmp.txt if ran from a powershell window and
> or run line.
>
>
> Directory: F:\
>
>
> Mode LastWriteTime Length Name
>
> ---- ------------- ------ ----
>
> -a--- 11/06/2015 12:38 PM 22908888 mbam-setup-2.2.0.1024.exe
>
> -a--- 12/21/2014 9:27 AM 397798952 sp66051_driver-pack.exe
>
>
>
> Directory: E:\
>
>
> Mode LastWriteTime Length Name
>
> ---- ------------- ------ ----
>
> -a--- 12/06/2011 9:51 AM 388608 HijackThis.exe
>
> -a--- 03/04/2016 2:44 PM 22908888 mbam-setup-2.2.0.1024.exe
>
> -a--- 03/04/2016 2:46 PM 9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists
> into a USB detection report but have not had any success as of yet using
> the above command instead of the first like below.
>
>
>
> <localfile>
> <log_format>full_command</log_format>
> <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
> "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -
> recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"
> </command>
> <frequency>300</frequency>
> <alias>USBDevices</alias>
> </localfile>
>
>
> This gives me a empty C:\temp\test.txt file...
>
>
> Any suggestions would be appreiciated...
>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
