Monitoring USB drives in Windows using Wazuh

| by Alberto Marín
Post icon

The goal of this article is to explain how to generate an alert when a USB storage device is connected to a Windows system that is being monitored by Wazuh. Additionally, you will learn how to create a list of authorized devices, being able to detect an unauthorized intrusion. Basically we will explain how monitoring USB drives in Windows with Wazuh

Wazuh app dashboard general view of alerts generated by USB devices while the system is monitoring USB drives. Screenshot.

Prerequisites

  • Wazuh 2.0.
  • This use case is prepared for Windows 10 and Windows Server 2016. For other Windows versions you can follow the same process, however check the number of the event generated (in our case 6416, as seen later in this article) since it might be different.

Enabling ‘Audit PNP Activity’ events.

To enable the USB storage drive detection, it is needed to enable first the “Audit PNP Activity”. To do that, open Administrative Tools > Local Security Policy. A window like the one below will pop up.

Local Security Policy window. Screenshot.

In this window, navigate to Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit PNP Activity.
We need to configure the “audit events” at least for “Success” events as shown below.

https://wazuh.com/uploads/2017/05/audit-pnp-activity-properties-window.png-or-audit-pnp.png

Once this change is applied, a new event will be generated every time a new external PNP device is recognized by the system.
As said in the prerequisites section above, in Windows 10 and Windows Server 2016, the generated event number will be 6416. More information about this event can be found here.

Creating a CDB list.

Now it would be desirable to be able to verify that the source and owner of the inserted USB drive are authorized. We can create a list of devices known to be safe which will be defined as “authorized devices”. On the other hand, devices not included in this list will be defined as “unauthorized devices”. In order to do this we will use a CDB list. This type of lists are supported by Wazuh and works with the rules definitions. You can find more information about CDB lists here.
To create the CDB list we will use the USB device ID (serial number), so we need to extract this information from each device. There are different ways to do it, for example, using the get-disk command in Windows Powershell:

PS C:\WINDOWS\system32> get-disk

Number        Friendly Name        Serial Number        HealthStatus        OperationalStatus        Total Size        Partition Style
-----        -------------        -----------        -----------        ----------------        --------        ------------
1        Kingston DataTraveler 2.0        5B8711000079        Healthy        Online        7.47 GB        MBR

Once the serial numbers are revealed, we need to generate a text file containing the serial numbers of the authorized USB devices. Also, we can add an optional description. Store this file in /var/ossec/etc/lists.
This is an example of a text file named usb-devices:

etc/lists/usb-devices
60A44C413DF8FE11898C0148:USBDrive_A.Marin_Sec.Dep
4C531123611118109134:USBDrive_D.Ramsey_Comm.Dep
0019E06B9C8DBA5040000119:USBDrive_A.West_HumRes.Dep
5758473141363639325A5550:USBHDD_S.Sullivan_Sec.Dep

The text file path needs to be included into the ossec.conf file. Otherwise the manager won’t be able to read it:

<ruleset>
   <!-- Default ruleset -->
   <decoder_dir>ruleset/decoders</decoder_dir>
   <rule_dir>ruleset/rules</rule_dir>
   <rule_exclude>0215-policy_rules.xml</rule_exclude>
   <list>etc/lists/audit-keys</list>
   <!-- User-defined ruleset -->
   <decoder_dir>etc/decoders</decoder_dir>
   <rule_dir>etc/rules</rule_dir>
   <list>etc/lists/usb-devices</list>
</ruleset>

Last step is to compile the new file using ossec-makelists. Execute the command /var/ossec/bin/ossec-makelists, and check that you get the following output:

* File etc/lists/usb-devices.cdb needs to be updated

Adding decoders and rules.

Now it’s turn to modify the ruleset. In the first place, we need to add a new decoder which will allow us to extract the required serial number when a new USB storage device is detected. We will also extract some useful information, such as the vendor, product name and revision. Add the decoder shown below to the following file: 0380-windows_decoders.xml. Use the method described here in order to keep the changes.

<decoder name="windows_fields">
  <type>windows</type>
  <parent>windows</parent>
  <regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

Check our documentation for further information regarding the creation of new decoders.
In the second place, we will create two different rules. One to be alerted when an authorized device is detected and a second one for the unauthorized device. The second one will check the CDB list in order to see if there is no match with the device ID, which is stored in the dynamic field usb.serial_number. Remember that both rules need to be added to local_rules.xml.
You can see the two rules below:

<rule id="100002" level="5">
  <if_sid>18104</if_sid>
  <id>^6416$</id>
  <description>Windows: Authorized PNP device connected.</description>
</rule>
<rule id="100003" level="7">
  <if_sid>18104</if_sid>
  <id>^6416$</id>
  <list field="usb.serial_number" lookup="not_match_key">etc/lists/usb-devices</list>
  <description>Windows: Unauthorized PNP device connected.</description>
</rule>

Finally, we need to restart the Wazuh manager to apply changes.

Generating alerts.

You can see below examples of generated alerts in both alerts.log and alerts.json files:

  • alerts.log file:
** Alert 1495798067.59003: - local,syslog,sshd,
2017 May 26 11:27:47 (windows_agent) any->WinEvtLog
Rule: 100002 (level 5) -> 'Windows: Authorized PNP device connected.'
User: (no user)
2017 May 26 04:27:44 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6HAccount Domain: WORKGROUP Logon ID: 0x3E7 Device ID: STORAGE\Volume\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_1.00#60A44C413DF8FE11898C0148&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: Volume Class ID: {71A27CDD-812A-11D0-BEC7-08002BE2092F} Class Name: Volume Vendor IDs: STORAGE\Volume Compatible IDs: - Location Information: -
account_name: WIN-EDHF85L4G6H$
account_domain: WORKGROUP
logon_id: 0x3E7
usb.vendor: Kingston
usb.product: DataTraveler_3.0
usb.rev: 1.00
usb.serial_number: 60A44C413DF8FE11898C0148
** Alert 1495797025.37192: - local,syslog,sshd,
2017 May 26 11:10:25 (windows_agent) any->WinEvtLog
Rule: 100003 (level 7) -> 'Windows: Unauthorized PNP device connected.'
User: (no user)
2017 May 26 04:10:24 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6HAccount Domain: WORKGROUP Logon ID: 0x3E7 Device ID: SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_OTi6828&Prod_Flash_Disk&Rev_1.89#1B3D42CB4E7400D4&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: 86JT19A1 Class ID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Class Name: WPD Vendor IDs: - Compatible IDs: wpdbusenum\fs SWD\Generic Location Information: -
account_name: WIN-EDHF85L4G6H$
account_domain: WORKGROUP
logon_id: 0x3E7
usb.vendor: OTi6828
usb.product: Flash_Disk
usb.rev: 1.89
usb.serial_number: 1B3D42CB4E7400D4
  • alerts.json file:
{
   "timestamp":"2017-05-26T11:06:52+0000",
   "rule":{
      "level":5,
      "description":"Windows: Authorized PNP device connected.",
      "id":"100002",
      "firedtimes":10,
      "groups":[
         "local",
         "syslog",
         "sshd"
      ]
   },
   "agent":{
      "id":"001",
      "name":"windows_agent"
   },
   "manager":{
      "name":"ip-172-31-17-208"
   },
   "dstuser":"(no user)",
   "full_log":"2017 May 26 04:06:51 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system.    Subject:   Security ID:  S-1-5-18   Account Name:  WIN-EDHF85L4G6H  Account Domain:  WORKGROUP   Logon ID:  0x3E7    Device ID: SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00#4C531123611118109134&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}    Device Name: E:\\    Class ID:  {EEC5AD98-8080-425F-922A-DABF3DE3F69A}    Class Name: WPD    Vendor IDs: -    Compatible IDs:     wpdbusenum\\fs    SWD\\Generic            Location Information: -",
   "program_name":"WinEvtLog",
   "id":"6416",
   "status":"AUDIT_SUCCESS",
   "data":"Microsoft-Windows-Security-Auditing",
   "system_name":"WIN-EDHF85L4G6H",
   "account_name":"WIN-EDHF85L4G6H$",
   "account_domain":"WORKGROUP",
   "logon_id":"0x3E7",
   "usb":{
      "vendor":"SanDisk",
      "product":"Ultra",
      "rev":"1.00",
      "serial_number":"4C531123611118109134"
   },
   "decoder":{
      "parent":"windows",
      "name":"windows"
   },
   "location":"WinEvtLog"
}

If you want to go a step further you can use Kibana to create dashboards based on the generated alerts, to monitoring USB drives, as the one shown at the beginning.

If you have any questions about monitoring USB drives, join our Slack #community channel! Our team and other contributors will help you.