Wazuh is an open source security solution that helps organizations detect and respond to security threats. Wazuh can be configured to detect a wide range of system activities at various severity levels. From informational events to critical incidents, the Wazuh ruleset is constantly updated to ensure an organization stays ahead of the threat landscape. One aspect of this landscape that administrators often overlook is USB-related activity.
USB drives are portable storage devices that connect to a computer’s USB port. It is important to monitor these ports because they often serve as an introductory point for malware into a computer endpoint and network. Organizations need to monitor all USB activities to prevent data breaches, curb the spread of malware, and protect sensitive information.
This blog post guides you on how to monitor USB drives that are plugged into Windows endpoints. Additionally, it describes how to configure filters for authorized and unauthorized USB drives.
- A pre-built ready-to-use Wazuh OVA 4.3.10. Follow the steps in the Virtual Machine (OVA) documentation to download and set this up.
- A Windows 10 endpoint with the Wazuh agent installed and enrolled to the Wazuh server.
Audit PNP Activity is a Windows audit policy setting that records Plug and Play (PnP) events, which makes it possible to detect USB drives as they are connected. This setting is available on Windows 10, Windows Server 2016, and later versions.
Perform the following steps to enable this feature:
1. Launch the Windows Run utility using the Windows + R key combination. Type secpol.msc in the input box and click OK. This opens the Local Security Policy window, as shown below.
2. Navigate to Advanced Audit Policy Configuration > System Audit Policies – Local Group Policy Object > Detailed Tracking and double click Audit PNP Activity. In the new pop-up window, enable the policy by selecting Configure the following audit events: and Success. Click OK.
In this blog post, we consider the Windows event ID 6416, which is responsible for auditing external devices.
Audit PNP Activity generates four events when an external USB drive is plugged in. You can verify this using the Windows Event Viewer tool.
In this section, we create a custom rule to detect USB drive activities on a monitored Windows endpoint.
1. Add the following rule to the Wazuh server:
<group name="windows-usb-detect,">
  <rule id="111000" level="7">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^6416$</field>
    <match>USBSTOR\\Disk</match>
    <options>no_full_log</options>
    <description>Windows: A PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer)</description>
  </rule>
</group>
- Rule ID 111000 detects an event with Windows event ID 6416. This type of event occurs when a Windows system recognizes an external device. In our case, it refers to a USB drive connected to the monitored Windows endpoint.
- <match> detects the event that has the USBSTOR\\Disk keyword in it. The device ID that follows this keyword includes the vendor name, product name, revision number, and serial number. Events with other USB-related keywords are ignored.
2. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
Test the configuration
Perform the action below to generate USB events.
1. Plug a USB device into the monitored Windows endpoint.
Navigate to the Security events tab in the Wazuh dashboard to see the alerts generated. The image below shows the alerts generated when a USB drive is inserted into the monitored Windows endpoint.
Filtering authorized and unauthorized USB drives
Perform the steps below to trigger alerts when authorized and unauthorized USB drives are inserted into the monitored Windows endpoint.
Creating a CDB list for authorized USB drives
You must create a CDB (constant database) list of authorized USB drives using their deviceId fields. We need a list of authorized devices for matching with detected drive activities. A drive not included on this list will be flagged as unauthorized.
1. On the Wazuh dashboard, expand the rule ID 111000 alert and extract the value from the data.win.eventdata.deviceId field. This field contains the vendor name, product name, revision number, and serial number. The image below shows the deviceId extracted from the alert generated earlier.
2. On the Wazuh server, create a usb-drives CDB list in the /var/ossec/etc/lists/ directory:
$ sudo touch /var/ossec/etc/lists/usb-drives
3. Add the extracted deviceId value followed by a colon (:) to the CDB list:
CDB lists typically use <key>:<value> pairs but also accept a key with an empty value, written as <key>: with nothing after the colon. For more information on CDB lists, see the CDB lists guide.
4. Add <list>etc/lists/usb-drives</list> to the <ruleset> block of the /var/ossec/etc/ossec.conf file. These changes take effect once you restart the Wazuh manager in the next steps.
<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/amazon/aws-eventnames</list>
  <list>etc/lists/security-eventchannel</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <list>etc/lists/usb-drives</list>
</ruleset>
The next step is to create custom rules that match against the CDB list.
Adding rules for USB filtering
In this section, we create two new rules that detect authorized and unauthorized USB drives. Perform the steps below to add the rules to the Wazuh server.
1. Add the following rules to the previously created windows-usb-detect group, in the same file as rule 111000:
  <rule id="111001" level="5">
    <if_sid>111000</if_sid>
    <options>no_full_log</options>
    <description>Windows: Authorized PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer).</description>
  </rule>

  <rule id="111002" level="8">
    <if_sid>111000</if_sid>
    <list field="win.eventdata.deviceId" lookup="not_match_key">etc/lists/usb-drives</list>
    <options>no_full_log</options>
    <description>Windows: Unauthorized PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer).</description>
  </rule>
- Rule ID 111001 generates alerts when authorized USB drives are plugged into the endpoint.
- Rule ID 111002 generates alerts when unauthorized USB drives are plugged into the endpoint. This occurs when the deviceId is not found in the CDB list.
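To see how the parent rule 111000 and the 111001/111002 pair interact, here is an added Python simulation (not Wazuh code and not part of the original post) that replays those rules, together with the CDB list format from the previous section, against constructed event 6416 records. It assumes that Wazuh tries the higher-level child rule (111002, level 8) before 111001 (level 5), which is why the authorized rule carries no list condition of its own; the deviceId values, computer name and list contents are made up.

```python
import re

# Constructed sample CDB list in the "<key>:" / "<key>:<value>" form described above.
# The deviceId values are made up; only the USBSTOR\Disk prefix mirrors real Windows IDs.
USB_DRIVES_LIST = r"""
USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000000000000001&0:
USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0123456789ABCDEF&0:finance-team
"""
EVENT_ID_PATTERN = re.compile(r"^6416$")  # <field name="win.system.eventID">^6416$</field>
MATCH_KEYWORD = "USBSTOR\\Disk"           # <match>USBSTOR\\Disk</match>, on the decoded field

def load_cdb_list(text):
    """Parse CDB lines into {key: value}; a bare 'key:' entry keeps an empty value."""
    entries = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and ":" in line:
            key, _, value = line.partition(":")
            entries[key] = value
    return entries

def evaluate(event, authorized):
    """Rule ids that fire for one decoded event ([] when none). 111000 is the parent;
    111002 (level 8) is tried before 111001 (level 5), assumed to be the engine order."""
    system, data = event["win"]["system"], event["win"]["eventdata"]
    if not EVENT_ID_PATTERN.match(str(system.get("eventID", ""))):
        return []
    device_id = data.get("deviceId", "")
    if MATCH_KEYWORD not in device_id:
        return []                      # keyboards, mice, hubs: other PNP devices are ignored
    if device_id not in authorized:    # lookup="not_match_key" against etc/lists/usb-drives
        return [111000, 111002]
    return [111000, 111001]            # in the list: the authorized rule fires instead

def make_event(event_id, device_id, computer="WIN10-LAB"):
    # Constructed decoded shape of a Windows eventchannel event as the agent forwards it
    return {"win": {"system": {"eventID": str(event_id), "computer": computer},
                    "eventdata": {"deviceId": device_id, "deviceDescription": "USB Mass Storage Device"}}}

SANDISK = r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000000000000001&0"

def demo():
    authorized = load_cdb_list(USB_DRIVES_LIST)
    cases = {
        "authorized": make_event(6416, SANDISK),
        "unauthorized": make_event(6416, r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\CAFE0001&0"),
        "non_disk_pnp": make_event(6416, r"HID\VID_046D&PID_C077\6&1A2B3C4D&0&0000"),
        "other_event": make_event(4624, SANDISK),
    }
    return {name: evaluate(ev, authorized) for name, ev in cases.items()}
```

Calling demo() returns, per case, the rule IDs that would fire: the listed SanDisk drive yields 111000 and 111001, the unlisted drive 111000 and 111002, and the non-disk PnP device and the non-6416 event produce no alert at all.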
2. Restart the Wazuh manager for the changes to take effect.
# systemctl restart wazuh-manager
Test the configuration
Perform the following actions to detect authorized and unauthorized USB drives.
1. Plug an authorized USB device into the Windows endpoint. This should be the device whose deviceId field you added to the CDB list created earlier.
2. Plug an unauthorized USB device into the Windows endpoint. Its deviceId field should not be in the CDB list created earlier.
Navigate to the Security events in the Wazuh dashboard to see the alerts generated. Figure 5 shows an authorized USB drive event, and Figure 6 shows an unauthorized USB drive event.
Import custom visualization for authorized and unauthorized drive alerts
We have created a custom visualization that displays authorized and unauthorized USB drives. In this section, we describe how to import the custom visualization in the Wazuh dashboard.
Perform the steps below to import the custom visualization file.
1. Download the custom visualization file windows-usb-drive-monitoring-visualization.ndjson.
2. Select the Import option from Management > Stack Management > Saved Objects to import the downloaded visualization file.
After a successful import, the new object named Windows USB drive monitoring should be visible in the Saved Objects list.
3. Select the Windows USB drive monitoring file to view its contents. The image below shows authorized and unauthorized USB drive alerts generated by rule ID
The imported custom visualization object is also visible in the Visualize section under OpenSearch Dashboards.
This blog post describes how Wazuh can help organizations monitor USB drives plugged into monitored Windows endpoints in real time. It also shows how to configure a Wazuh CDB list to distinguish authorized from unauthorized USB drives. By monitoring USB drives, you can protect organizational data from theft and stop USB-transferable malware attacks, thereby improving your organization’s security.