[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath
And I get this in Squert on my Security Onion...

On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:
> Ok, here is my .Bat script I use to Check

[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath
Now in Squert I can see this report and/or alert...

On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:
> Ok, here is my .Bat script I use to

[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath
Ok, here is my .Bat script I use to check for & list files contained within the USB drive. If no drive is detected, the output file would not change, therefore not causing an alarm when the drive is removed.

@echo off
set host=%COMPUTERNAME%
for /F "tokens=1*" %%a in ('fsutil fsinfo drives')

[ossec-list] Re: USB storage detect & recursive file list

2016-04-28 Thread Jacob Mcgrath
I have a "working" solution, not elegant as I wanted, but it does work. When I get to work I will post!

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..

[ossec-list] Re: USB storage detect & recursive file list

2016-04-23 Thread Jacob Mcgrath
Not as of yet, I am still working out some issues with reporting while removable drives are not present.

On Friday, April 22, 2016 at 12:05:13 PM UTC-5, namobud...@gmail.com wrote:
> Can I just throw this into my local rules and it will detect plugged in
> USB devices?
>
> 530

[ossec-list] Re: USB storage detect & recursive file list

2016-04-21 Thread Jacob Mcgrath
Ok, this seems to work better on the AD network with the PowerShell lockdown we have at work at the moment..

530 ossec: output: 'USB-Audit' USB Connected - Current Session Information full_command C:\Admin_Tools\USB_Audit\ps-usb.bat 60 USB-Audit

[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
I have a batch script I wrote that could be used in replacement of PowerShell...

@echo off
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
    set var=%%d
)
echo dir /s %var% > C:\temp\test.txt
type C:\temp\test.txt
pause

The output is this

[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
Wonder if I could wrap it into a test.ps1 and execute through

powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using

Re: [ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Pedro Sanchez
I think has a character limitation, try to remove empty spaces or make the test.txt content shorter.

On Wed, Apr 20, 2016 at 12:39 AM, Jacob Mcgrath wrote:
> Will try dropping the | select -Skip 2 from the Get-Content see if that
> works or maybe a -Raw output arg

[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
Will try dropping the | select -Skip 2 from the Get-Content see if that works or maybe a -Raw output arg

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..

[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
I have nominal success with this ..

full_command powershell.exe "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)" 60 USBDevices