[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath
And I get this in Squert on my Security Onion...




On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:

[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath


Now in Squert I can see this report and/or alert...




On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:

[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath
Ok, here is my .bat script I use to check for & list files contained within 
the USB drive.  If no drive is detected the output file would not change, 
therefore not causing an alarm when the drive is removed.

@echo off
set host=%COMPUTERNAME%

rem "fsutil fsinfo drives" prints "Drives: C:\ D:\ F:\"; tokens=1* leaves the letters in %%b.
for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
    for %%c in (%%b) do (
        rem "fsutil fsinfo drivetype F:\" prints "F:\ - Removable Drive"; token 3 is the type.
        for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
            if %%d equ Removable (
                rem Overwrite the report with host, IP (from nslookup) and user.
                rem %%i rather than %%a, which the outer loop already uses; %USERNAME% is the
                rem account running the script (the agent's service account when run by OSSEC).
                for /f "skip=4 usebackq tokens=2" %%i in (`nslookup %host%`) do echo %host% %%i %USERNAME% > C:\temp\usbstor.txt
                echo Drive %%c is Removable (USB^)
                rem Each removable drive rewrites the report, so only the last one is kept.
                dir /s %%c >> C:\temp\usbstor.txt
                type C:\temp\usbstor.txt
            )
        )
    )
)


Now in the Windows agent config I have the entry that would run the .bat 
script every so many minutes or seconds (I have mine set for 30 seconds 
for testing but 60 sec would be more realistic).


<localfile>
  <log_format>full_command</log_format>
  <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
  <frequency>30</frequency>
  <alias>USBDevices</alias>
</localfile>

On the OSSEC server side I have this entry in local_rules.xml


<rule id="503002" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'USBDevices'</match>
  <check_diff />
  <description>Mounted Device change detected</description>
</rule>



After this I restart the OSSEC server and agent, wait a minute, then insert a 
USB drive.  I get an email alert similar to this:

OSSEC HIDS Notification.
2016 Apr 28 15:11:29

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Drive F:\ is Removable (USB)
MIS41 10.18.100.24
 Volume in drive F is OS
 Volume Serial Number is 642E-1FF6

 Directory of F:\

11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
               2 File(s)    420,707,840 bytes

 Directory of F:\System Volume Information

11/05/2015  08:56 AM    <DIR>          .
11/05/2015  08:56 AM    <DIR>          ..
11/05/2015  08:56 AM                76 IndexerVolumeGuid
01/13/2016  02:41 PM                12 WPSettings.dat
               2 File(s)             88 bytes

     Total Files Listed:
               4 File(s)    420,707,928 bytes
               2 Dir(s)   3,328,983,040 bytes free

Previous output:
ossec: output: 'USBDevices':

 --END OF NOTIFICATION

In Squert I can see this:




On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:

[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath
I have a "working" solution, not as elegant as I wanted, but it does work. 
When I get to work I will post!

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
> I have a basic Windows agent setting to alert me when a storage device is 
> detected using PowerShell..
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>   <frequency>300</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
>
> with the following rule in local_rules.xml
> <rule id="503002" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'USBDevices'</match>
>   <check_diff />
>   <description>Mounted Device change detected</description>
> </rule>
>
>
>
>
> Of course I get this alert which is nice for basic logging..
>
> OSSEC HIDS Notification.
> 2016 Apr 19 18:35:31
>
> Received From: (mis41) any->USBDevices
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
> Portion of the log(s):
>
> ossec: output: 'USBDevices':
> Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
> InterfaceType          : IDE
> serialnumber           : 359ZMW6MS
> Size                   : 1000202273280
> MediaType              : Fixed hard disk media
> CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>
> Model                  : Verbatim STORE N GO USB Device
> InterfaceType          : USB
> serialnumber           : AA000489
> Size                   : 16022845440
> MediaType              : Removable Media
> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>
> Model                  : Verbatim STORE N GO USB Device
> InterfaceType          : USB
> serialnumber           : AA000489
> Size                   : 16022845440
> MediaType              : Removable Media
> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>
>  --END OF NOTIFICATION
>
>
>
> I was playing around with PowerShell and have an optional command to print 
> out USB storage device files recursively...
>
>
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
>
> this gives me this output in a tmp.txt if run from a PowerShell window 
> and/or the run line.
>
>
>     Directory: F:\
>
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        11/06/2015  12:38 PM       2290 mbam-setup-2.2.0.1024.exe
> -a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe
>
>
>     Directory: E:\
>
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        12/06/2011   9:51 AM     388608 HijackThis.exe
> -a---        03/04/2016   2:44 PM       2290 mbam-setup-2.2.0.1024.exe
> -a---        03/04/2016   2:46 PM       9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists 
> into a USB detection report but have not had any success as of yet using 
> the above command instead of the first, like below.
>
>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>   <frequency>300</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
>
> This gives me an empty C:\temp\test.txt file...
>
>
> Any suggestions would be appreciated...
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
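The batch scripts in this thread handle one removable drive at a time and, in the wmic version, fall back to listing the current directory when none is present. As an added example (not code from the thread), this PowerShell script does the same inventory for zero, one or several removable drives with deterministic output for a full_command/check_diff rule; the script path, the 60 s frequency and the 500-file cap are assumptions.

```powershell
# usb-audit.ps1 (assumed name/path): report removable drives and their files for an
# OSSEC full_command <localfile> with a check_diff rule. Output is sorted and carries no
# run-time timestamp, so consecutive runs differ only when a drive or its contents change.
#
# Assumed agent config (not from the thread). Calling a script file keeps the <command>
# element short, which also sidesteps any length limit on that element:
#   <localfile>
#     <log_format>full_command</log_format>
#     <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Admin_Tools\USB_Audit\usb-audit.ps1</command>
#     <frequency>60</frequency>
#     <alias>USBDevices</alias>
#   </localfile>
param(
    # Cap the per-drive listing so one large stick cannot flood the alert mail.
    [int]$MaxFiles = 500
)

function Get-UsbAuditReport {
    param([int]$Limit)
    $lines = New-Object System.Collections.Generic.List[string]

    # DriveType 2 = removable disk, the same filter the thread's wmic / Win32_Volume calls use.
    $drives = @(Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=2" |
                Sort-Object -Property DeviceID)

    if ($drives.Count -eq 0) {
        # Constant text: the output still changes (and check_diff fires) when the last
        # drive is pulled, so a removal is recorded as well as an insertion.
        $lines.Add("No removable drives present")
        return $lines
    }

    foreach ($d in $drives) {
        # VolumeSerialNumber identifies the formatted volume; the physical device serial
        # lives in Win32_DiskDrive (the thread's first gwmi command).
        $lines.Add(("Drive {0} label='{1}' volserial={2} size={3}" -f $d.DeviceID, $d.VolumeName, $d.VolumeSerialNumber, $d.Size))

        $root = $d.DeviceID + "\"
        # -Force includes hidden/system entries such as System Volume Information; the
        # PSIsContainer filter keeps files only and works on PowerShell 2.0 as well.
        $files = @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer } |
                   Sort-Object -Property FullName)

        foreach ($f in ($files | Select-Object -First $Limit)) {
            $lines.Add(("  {0} {1} {2:yyyy-MM-dd HH:mm:ss}" -f $f.FullName, $f.Length, $f.LastWriteTime))
        }
        if ($files.Count -gt $Limit) {
            $lines.Add(("  ... {0} more file(s) not listed" -f ($files.Count - $Limit)))
        }
        $lines.Add(("  {0} file(s) on {1}" -f $files.Count, $d.DeviceID))
    }
    return $lines
}

# full_command captures stdout; one item per line keeps the OSSEC log and alert readable.
foreach ($line in (Get-UsbAuditReport -Limit $MaxFiles)) {
    Write-Output $line
}
```

The rule side is unchanged from the thread: an if_sid 530 rule matching `ossec: output: 'USBDevices'` with check_diff fires once per change, and the "Previous output" section of the alert shows what was plugged in or removed.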


[ossec-list] Re: USB storage detect & recursive file list

2016-04-23 Thread Jacob Mcgrath
Not as of yet, I am still working out some issues with reporting while 
removable drives are not present.

On Friday, April 22, 2016 at 12:05:13 PM UTC-5, namobud...@gmail.com wrote:
>
> Can I just throw this into my local rules and it will detect plugged in 
> USB devices?
>
> <rule id="503002" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'USB-Audit'</match>
>   <check_diff />
>   <description>USB Connected - Current Session Information</description>
> </rule>
>
>
>
> On Tuesday, April 19, 2016 at 3:23:39 PM UTC-4, Jacob Mcgrath wrote:


[ossec-list] Re: USB storage detect & recursive file list

2016-04-21 Thread Jacob Mcgrath
Ok, this seems to work better on the AD network with the PowerShell lockdown 
we have at work at the moment..


<rule id="503002" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'USB-Audit'</match>
  <check_diff />
  <description>USB Connected - Current Session Information</description>
</rule>


  
<localfile>
  <log_format>full_command</log_format>
  <command>C:\Admin_Tools\USB_Audit\ps-usb.bat</command>
  <frequency>60</frequency>
  <alias>USB-Audit</alias>
</localfile>

ps-usb.bat

@echo off
rem wmic prints "Name=E:" for every removable (drivetype=2) logical disk; keep the part after "=".
rem Only the last drive survives when several are present, and %var% stays empty when none
rem is, in which case "dir /s" lists the current directory instead.
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
    set var=%%d
)
rem A bare "echo" prints "ECHO is off." (seen in the alert below); "echo." prints an empty line.
echo.
dir /s %var% > C:\temp\usb.txt
type C:\temp\usb.txt
rem ("end" is not a cmd command and has been dropped.)

The output I get from this in email alerts is this

OSSEC HIDS Notification.
2016 Apr 21 19:47:54

Received From: (mis41) any->USB-Audit
Rule: 503002 fired (level 7) -> "USB Connected - Current Session Information"
Portion of the log(s):

ossec: output: 'USB-Audit':
ECHO is off.
 Volume in drive E is 2_4_2-32-I5
 Volume Serial Number is 4086-B0A1

 Directory of E:\

12/06/2011  10:51 AM           388,608 HijackThis.exe
03/04/2016  03:44 PM        22,908,888 mbam-setup-2.2.0.1024.exe
03/04/2016  03:46 PM             9,524 hijackthis.log
04/11/2016  03:08 PM               139 report.txt
03/30/2016  10:34 AM           545,957 Screenshot - 03302016 - 03%3A34%3A52 PM.png
02/10/2016  09:16 AM            72,176 Signage-Server.docx
11/14/2013  12:26 PM               557 add-printer.bat
02/29/2016  04:12 PM               406 ChatLog Meet Now 2016_02_29 15_12.rtf
04/18/2016  12:50 PM               319 dsafsadf
04/14/2016  04:02 PM            11,990 Management Interface10.docx
04/14/2016  04:01 PM            50,589 netscan.xml
11/03/2015  03:56 PM            10,846 Old Equipmentlist.xlsx
02/29/2016  03:01 PM            26,112 OneLink_Server_IP Schema all in one.xls
              13 File(s)     24,026,111 bytes

 Directory of E:\System Volume Information

 --END OF NOTIFICATION




On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:

[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
I have a batch script I wrote that could be used in place of PowerShell...

@echo off
rem wmic prints "Name=F:" for every removable (drivetype=2) logical disk; keep the part after "=".
rem With no drive present %var% is empty and "dir /s" lists the current directory (see below).
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
    set var=%%d
)
rem "echo." prints an empty line; a bare "echo" would print "ECHO is off."
echo.
dir /s %var% > C:\temp\test.txt
type C:\temp\test.txt

rem Only for running by hand; remove it when the OSSEC agent runs the script, or it waits for a key forever.
pause


The output is this when USB drives are available:

 Volume in drive F is F
 Volume Serial Number is 2971-7DFC

 Directory of F:\

08/11/2015  09:21 PM        12,836,794 38 Special - Caught Up In You.mp4
08/11/2015  09:21 PM        13,973,320 38 Special - Hold On Loosely.mp4
08/11/2015  09:14 PM        10,296,703 Alanis Morissette - Hand In My Pocket.mp4
08/11/2015  09:15 PM        19,490,518 Alanis Morissette - Ironic OFFICIAL VIDEO.mp4
08/11/2015  07:46 PM        10,015,763 All That Remains - Hold On.mp4
08/11/2015  07:46 PM        14,173,662 All That Remains - What If I Was Nothing.mp4
08/11/2015  07:20 PM        14,071,850 Andy Grammer - Honey Im Good Official Music Video.mp4

And this when none are inserted (this being run from my user's Desktop 
directory... (I was looking at running this .bat from the OSSEC agent side 
bin) or a sub folder of that..

 Volume in drive C has no label.
 Volume Serial Number is 84F7-A037

 Directory of C:\Program Files\ossec-agent\active-response\bin

04/20/2016  05:14 PM    <DIR>          .
04/20/2016  05:14 PM    <DIR>          ..
04/19/2016  05:30 PM               515 restart-ossec.cmd
04/19/2016  05:30 PM             1,520 route-null.cmd
04/20/2016  05:04 PM               215 usb.bat
               3 File(s)          2,250 bytes

     Total Files Listed:
               3 File(s)          2,250 bytes
               2 Dir(s)  860,057,559,040 bytes free

One of my concerns is that of getting this script info into the email 
alerts as well as into OSSEC's host logs in order to search via a keyword, say 
"usb", in ELSA...  I am still not totally up to speed on how this works..

On Wednesday, April 20, 2016 at 3:23:31 PM UTC-5, Jacob Mcgrath wrote:
>
> Wonder if I could wrap it into a test.ps1 and execute it through
> powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:

[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
Wonder if I could wrap it into a test.ps1 and execute it through
powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
> I have a basic Windows agent setting to alert me when a storage device is 
> detected using Power shell..
>
> 
> full_command
> powershell.exe -command "gwmi win32_diskdrive | select 
> Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions 
> > 
> C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"
> 
> 300
> USBDevices
>   
>
>
> with the following rule in local_rules.xml
> 
> 530
> ossec: output: 'USBDevices'
> 
> Mounted Device change detected
>   
>
>
>
>
> Of course I get this alert which is nice for basic logging..
>
> OSSEC HIDS Notification.
>
>  
>
> 2016 Apr 19 18:35:31 
>
>   
>
> Received From: (mis41) any->USBDevices 
>
> Rule: 503002 fired (level 7) -> "Mounted Device change detected" 
>
> Portion of the log(s): 
>
>   
>
> ossec: output: 'USBDevices': 
>
> Model  : TOSHIBA DT01ACA100 SCSI Disk Device 
>
> InterfaceType  : IDE 
>
> serialnumber   :359ZMW6MS 
>
> Size   : 1000202273280 
>
> MediaType  : Fixed hard disk media 
>
> CapabilityDescriptions : {Random Access, Supports Writing, SMART 
> Notification} 
>
> Model  : Verbatim STORE N GO USB Device 
>
> InterfaceType  : USB 
>
> serialnumber   : AA000489 
>
> Size   : 16022845440 
>
> MediaType  : Removable Media 
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports 
> Removable M 
>
>  edia} 
>
> Model  : Verbatim STORE N GO USB Device 
>
> InterfaceType  : USB 
>
> serialnumber   : AA000489 
>
> Size   : 16022845440 
>
> MediaType  : Removable Media 
>
> CapabilityDescriptions : {Random Access, Supports Writing, Supports 
> Removable M 
>
>   
>
>   
>
>   
>
>  --END OF NOTIFICATION
>
>
>
> I was playing around with Powershell and have a optional command to print 
> out USB storage device files recursively...
>
>
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
>
> This gives me this output in a tmp.txt if run from a PowerShell window 
> and/or the Run line.
>
>
>     Directory: F:\
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        11/06/2015  12:38 PM       2290 mbam-setup-2.2.0.1024.exe
> -a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe
>
>     Directory: E:\
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        12/06/2011   9:51 AM     388608 HijackThis.exe
> -a---        03/04/2016   2:44 PM       2290 mbam-setup-2.2.0.1024.exe
> -a---        03/04/2016   2:46 PM       9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists 
> into a USB detection report but have not had any success as of yet using 
> the above command instead of the first like below.
>
>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>   <frequency>300</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
>
> This gives me an empty C:\temp\test.txt file...
>
>
> Any suggestions would be appreciated...
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
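
The test.ps1 idea above, written out as an added example (not the poster's script and not part of OSSEC): it enumerates removable volumes, lists their files, keeps the output handed to the agent short without letting truncation hide a change, and replays the previous report when no removable volume is present so that unplugging the device does not trigger a second alert. The file paths, the 200-line cap and PowerShell 3.0 or later are assumptions.

```powershell
# usb-audit.ps1 - added example, not the poster's script and not an OSSEC project file.
# Lists removable volumes (Win32_Volume DriveType 2) and their files for an OSSEC
# full_command check with <check_diff />. Assumptions: PowerShell 3.0+ (-File switch),
# state file C:\temp\usbstor.txt, a 200-line cap on what is handed to the agent.
# ossec.conf <command> (assumed path): powershell.exe -noprofile -executionpolicy bypass -file C:\Admin_Tools\usb-audit.ps1
$StateFile = 'C:\temp\usbstor.txt'
$MaxLines  = 200

$volumes = @(Get-WmiObject Win32_Volume -Filter "DriveType='2'" | Where-Object { $_.DriveLetter })

if ($volumes.Count -eq 0) {
    # Nothing mounted: replay the last report so the output OSSEC compares is unchanged
    # and unplugging the device does not raise a second alert.
    if (Test-Path -LiteralPath $StateFile) { Get-Content -LiteralPath $StateFile }
    exit 0
}

$report = New-Object 'System.Collections.Generic.List[string]'
foreach ($vol in $volumes) {
    # Label and volume serial identify the medium across re-inserts better than the letter.
    $report.Add(('VOLUME {0} label="{1}" serial={2:X8} fs={3}' -f $vol.DriveLetter, $vol.Label, $vol.SerialNumber, $vol.FileSystem))
    # -Force includes hidden files (autorun.inf and the like); unreadable entries are skipped.
    Get-ChildItem -LiteralPath ($vol.DriveLetter + '\') -Recurse -File -Force -ErrorAction SilentlyContinue |
        Sort-Object FullName |
        ForEach-Object {
            $report.Add(('FILE {0}|{1}|{2:yyyy-MM-dd HH:mm:ss}Z' -f $_.FullName, $_.Length, $_.LastWriteTimeUtc))
        }
}

# Digest of the complete listing: if the report is truncated below, a change anywhere
# on the device still changes the output that check_diff sees.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash   = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes(($report -join "`n")))
$sha256.Dispose()
$digest  = ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
$summary = 'SUMMARY host={0} volumes={1} files={2} sha256={3}' -f $env:COMPUTERNAME, $volumes.Count, ($report.Count - $volumes.Count), $digest

# Keep the output short: long command output gets cut off before it reaches the rule.
$out = @($summary) + @($report | Select-Object -First $MaxLines)
if ($report.Count -gt $MaxLines) {
    $out += 'TRUNCATED {0} more line(s)' -f ($report.Count - $MaxLines)
}

# Persist for the replay branch above, then print for the agent.
Set-Content -LiteralPath $StateFile -Value $out -Encoding UTF8
$out
```

The SUMMARY line is what makes the rule fire reliably: the file count and digest change whenever anything on the medium changes, even when the per-file lines are cut off.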


Re: [ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Pedro Sanchez
I think <command> has a character limitation; try to remove empty spaces or
make the test.txt content shorter.

On Wed, Apr 20, 2016 at 12:39 AM, Jacob Mcgrath  wrote:

> Will try dropping the | select -Skip 2 from the Get-Content to see if that
> works, or maybe a -Raw output arg
>


[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
Will try dropping the | select -Skip 2 from the Get-Content to see if that 
works, or maybe a -Raw output arg



[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
I have had nominal success with this ..

<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
  <frequency>60</frequency>
  <alias>USBDevices</alias>
</localfile>

OSSEC HIDS Notification.
2016 Apr 19 19:46:53

Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Directory: F:\

 --END OF NOTIFICATION

It is missing the remaining content on that C:\temp\tmp.txt ... But I am close :)
