Monitoring USB drives in Windows using Wazuh

The goal of this article is to explain how to generate an alert when a USB storage device is connected to a Windows system that is monitored by Wazuh. You will also learn how to build a list of authorized devices, so that the connection of any device not on that list can be detected as an unauthorized intrusion. In short, this is how to monitor USB drives in Windows with Wazuh.
To enable USB storage drive detection, the “Audit PNP Activity” policy must be enabled first. To do that, open Administrative Tools > Local Security Policy. A window like the one below will pop up. (On domain-joined hosts, apply the same setting through Group Policy, since a domain policy overrides the local one.)
In this window, navigate to Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit PNP Activity.
Configure the policy to audit at least “Success” events, as shown below.
Once this change is applied, a new event will be generated every time a new external PNP device is recognized by the system.
On Windows 10 and Windows Server 2016, the event generated is ID 6416 (“A new external device was recognized by the system”). More information about this event can be found here.
Now it would be desirable to verify that the source and owner of the inserted USB drive are authorized. We can create a list of devices known to be safe, which we will call “authorized devices”; any device not included in this list is an “unauthorized device”. To do this we will use a CDB list. This type of list is supported by Wazuh and works together with the rule definitions. You can find more information about CDB lists here.
To build the CDB list we will use the USB device ID (serial number), so we need to extract this information from each device. There are different ways to do it, for example, using the Get-Disk cmdlet in Windows PowerShell:

PS C:\WINDOWS\system32> get-disk

Number Friendly Name             Serial Number HealthStatus OperationalStatus Total Size Partition Style
------ -------------             ------------- ------------ ----------------- ---------- ---------------
1      Kingston DataTraveler 2.0 5B8711000079  Healthy      Online               7.47 GB MBR

Whichever method you use, confirm the value by comparing it with the Device ID string in a 6416 event raised by that device, since that string is what the decoder and rules will actually see.
Once the serial numbers are known, we need to generate a text file containing the serial numbers of the authorized USB devices, one per line, each optionally followed by a colon and a description. Store this file in /var/ossec/etc/lists.

This is an example of a text file named usb-devices:
etc/lists/usb-devices

60A44C413DF8FE11898C0148:USBDrive_A.Marin_Sec.Dep
4C531123611118109134:USBDrive_D.Ramsey_Comm.Dep
0019E06B9C8DBA5040000119:USBDrive_A.West_HumRes.Dep
5758473141363639325A5550:USBHDD_S.Sullivan_Sec.Dep
The path of the text file needs to be added to the <ruleset> section of the ossec.conf file; otherwise the manager will not be able to read it:
<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <list>etc/lists/usb-devices</list>
</ruleset>
The last step is to compile the new file with ossec-makelists. Execute /var/ossec/bin/ossec-makelists and check that you get the following output:
* File etc/lists/usb-devices.cdb needs to be updated
Now it is time to modify the ruleset. First, we need to add a new decoder that extracts the serial number when a new USB storage device is detected. It also extracts some other useful information: the vendor, the product name and the revision. Add the decoder shown below to the file 0380-windows_decoders.xml, after the parent “windows” decoder it refers to.
Use the method described here in order to keep the changes.
<decoder name="windows_fields">
  <type>windows</type>
  <parent>windows</parent>
  <regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>
Check our documentation for further information regarding the creation of new decoders.
Second, we create two different rules: one that alerts when an authorized device is detected, and a second one for unauthorized devices. The second rule checks the CDB list with lookup="not_match_key" to see whether the device ID, stored in the dynamic field usb.serial_number, is absent from the list. Note that the first rule does not consult the list itself: it matches any 6416 event that the unauthorized rule did not claim, which works because the manager evaluates the higher-level rule (100003) first. A 6416 event whose Device ID the decoder could not parse has no usb.serial_number field and will therefore also fall through to the “authorized” rule, so check that the usb.* fields are present in those alerts. Both rules need to be added to local_rules.xml.

You can see the two rules below:
<rule id="100002" level="5">
  <if_sid>18104</if_sid>
  <id>^6416$</id>
  <description>Windows: Authorized PNP device connected.</description>
</rule>

<rule id="100003" level="7">
  <if_sid>18104</if_sid>
  <id>^6416$</id>
  <list field="usb.serial_number" lookup="not_match_key">etc/lists/usb-devices</list>
  <description>Windows: Unauthorized PNP device connected.</description>
</rule>
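The decoder and the two rules above can be exercised before deploying them to the manager. The following Python script is an added example, not code from the article or from Wazuh: it re-implements the decoder's field extraction and the CDB lookup, runs them over constructed 6416 message fragments modelled on the alerts shown later in this article, and reports which rule would fire. The regex is a Python approximation of the article's Wazuh-dialect pattern (bounded character classes instead of Wazuh's \S* and \.*), the list content is the article's example file, and the third sample event (a USB receiver that is not a USBSTOR disk) is invented to show what happens when the decoder does not match.

```python
import re

# Added example (not part of the article or Wazuh): a stand-alone Python mirror of
# the decoder plus CDB lookup, so the extraction can be tested offline.
# The article's decoder regex is written in Wazuh's own dialect; this pattern is a
# Python approximation using bounded character classes, not the Wazuh engine.
USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^#]*)#(?P<serial>[^&]*)&0#"
)
# The decoder regex is applied to the Device ID field of event 6416.
DEVICE_ID_RE = re.compile(r"Device ID:\s*(\S+)")

# The article's example list, in the key:description form that ossec-makelists compiles.
USB_LIST = """\
60A44C413DF8FE11898C0148:USBDrive_A.Marin_Sec.Dep
4C531123611118109134:USBDrive_D.Ramsey_Comm.Dep
0019E06B9C8DBA5040000119:USBDrive_A.West_HumRes.Dep
5758473141363639325A5550:USBHDD_S.Sullivan_Sec.Dep
"""

# Constructed 6416 message fragments modelled on the article's alerts. The "receiver"
# entry is invented: a USB device that is not a USBSTOR disk, so the decoder must not match.
SAMPLE_EVENTS = {
    "kingston": (
        r"A new external device was recognized by the system. Subject: Security ID: S-1-5-18 "
        r"Logon ID: 0x3E7 Device ID: STORAGE\Volume\_??_USBSTOR#Disk&Ven_Kingston"
        r"&Prod_DataTraveler_3.0&Rev_1.00#60A44C413DF8FE11898C0148&0#"
        r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: Volume Class Name: Volume"
    ),
    "oti": (
        r"A new external device was recognized by the system. Subject: Security ID: S-1-5-18 "
        r"Logon ID: 0x3E7 Device ID: SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_OTi6828"
        r"&Prod_Flash_Disk&Rev_1.89#1B3D42CB4E7400D4&0#"
        r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: 86JT19A1 Class Name: WPD"
    ),
    "receiver": (
        r"A new external device was recognized by the system. Subject: Security ID: S-1-5-18 "
        r"Logon ID: 0x3E7 Device ID: USB\VID_046D&PID_C52B\6&2C3E6B1A&0&2 "
        r"Device Name: USB Receiver Class Name: USB"
    ),
}


def load_cdb_list(text):
    """Parse key:description lines (the CDB source format) into a dict keyed by serial."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, desc = line.partition(":")
        entries[key] = desc
    return entries


def decode_event(message):
    """Return the usb.* fields the decoder would add, or None when the Device ID is
    not a USBSTOR disk (the decoder simply does not match and sets no fields)."""
    m = DEVICE_ID_RE.search(message)
    if not m:
        return None
    m = USBSTOR_RE.search(m.group(1))
    if not m:
        return None
    return {
        "usb.vendor": m["vendor"],
        "usb.product": m["product"],
        "usb.rev": m["rev"],
        "usb.serial_number": m["serial"],
    }


def classify(message, authorized):
    """Apply the intent of rules 100002/100003. The article's rule 100002 does not
    look at the list: on the manager it fires for any 6416 event that 100003 did not
    match, including ones the decoder could not parse. Those are reported
    separately here so that gap is visible."""
    fields = decode_event(message)
    if fields is None:
        return "no_usbstor_fields", None
    if fields["usb.serial_number"] in authorized:
        return "authorized", fields      # rule 100002
    return "unauthorized", fields        # rule 100003 (not_match_key)


if __name__ == "__main__":
    allowed = load_cdb_list(USB_LIST)
    for name, msg in SAMPLE_EVENTS.items():
        verdict, fields = classify(msg, allowed)
        print(f"{name:9s} {verdict:18s} {fields}")
```

Running the script prints one line per sample: the Kingston stick (on the list) is reported as authorized, the OTi flash disk as unauthorized, and the receiver as having no USBSTOR fields at all. If a real 6416 event ends up in the last bucket, the Device ID format differs from the two shown in this article and the decoder regex needs adjusting before the rules can tell the device apart.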
Finally, we need to restart the Wazuh manager to apply changes.
Below are examples of the generated alerts, in both the alerts.log and alerts.json files:
** Alert 1495798067.59003: - local,syslog,sshd,
2017 May 26 11:27:47 (windows_agent) any->WinEvtLog
Rule: 100002 (level 5) -> 'Windows: Authorized PNP device connected.'
User: (no user)
2017 May 26 04:27:44 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6H Account Domain: WORKGROUP Logon ID: 0x3E7 Device ID: STORAGE\Volume\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_1.00#60A44C413DF8FE11898C0148&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: Volume Class ID: {71A27CDD-812A-11D0-BEC7-08002BE2092F} Class Name: Volume Vendor IDs: STORAGE\Volume Compatible IDs: - Location Information: -
account_name: WIN-EDHF85L4G6H$
account_domain: WORKGROUP
logon_id: 0x3E7
usb.vendor: Kingston
usb.product: DataTraveler_3.0
usb.rev: 1.00
usb.serial_number: 60A44C413DF8FE11898C0148
** Alert 1495797025.37192: - local,syslog,sshd,
2017 May 26 11:10:25 (windows_agent) any->WinEvtLog
Rule: 100003 (level 7) -> 'Windows: Unauthorized PNP device connected.'
User: (no user)
2017 May 26 04:10:24 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6H Account Domain: WORKGROUP Logon ID: 0x3E7 Device ID: SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_OTi6828&Prod_Flash_Disk&Rev_1.89#1B3D42CB4E7400D4&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: 86JT19A1 Class ID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Class Name: WPD Vendor IDs: - Compatible IDs: wpdbusenum\fs SWD\Generic Location Information: -
account_name: WIN-EDHF85L4G6H$
account_domain: WORKGROUP
logon_id: 0x3E7
usb.vendor: OTi6828
usb.product: Flash_Disk
usb.rev: 1.89
usb.serial_number: 1B3D42CB4E7400D4
{
  "timestamp": "2017-05-26T11:06:52+0000",
  "rule": {
    "level": 5,
    "description": "Windows: Authorized PNP device connected.",
    "id": "100002",
    "firedtimes": 10,
    "groups": ["local", "syslog", "sshd"]
  },
  "agent": { "id": "001", "name": "windows_agent" },
  "manager": { "name": "ip-172-31-17-208" },
  "dstuser": "(no user)",
  "full_log": "2017 May 26 04:06:51 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6H Account Domain: WORKGROUP Logon ID: 0x3E7 Device ID: SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00#4C531123611118109134&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: E:\\ Class ID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Class Name: WPD Vendor IDs: - Compatible IDs: wpdbusenum\\fs SWD\\Generic Location Information: -",
  "program_name": "WinEvtLog",
  "id": "6416",
  "status": "AUDIT_SUCCESS",
  "data": "Microsoft-Windows-Security-Auditing",
  "system_name": "WIN-EDHF85L4G6H",
  "account_name": "WIN-EDHF85L4G6H$",
  "account_domain": "WORKGROUP",
  "logon_id": "0x3E7",
  "usb": {
    "vendor": "SanDisk",
    "product": "Ultra",
    "rev": "1.00",
    "serial_number": "4C531123611118109134"
  },
  "decoder": { "parent": "windows", "name": "windows" },
  "location": "WinEvtLog"
}
If you want to go a step further, you can use Kibana to build dashboards from the generated alerts to monitor USB drives, such as the one shown at the beginning of this article.
If you have any questions about monitoring USB drives, join our Slack #community channel! Our team and other contributors will help you.