Monitoring USB drives in Windows using Wazuh

March 2nd 2023 | by Abdullah Al Noman | Wazuh 4.3

Wazuh is an open source security solution that helps organizations detect and respond to security threats. Wazuh can be configured to detect a wide range of system activities having various security levels. From informational to critical incidents, the Wazuh ruleset is constantly updated to ensure an organization stays ahead of the threat landscape. An aspect of this landscape administrators often undermine are USB related activities.

USB drives are portable storage devices that connect to a computer’s USB port. It is important to monitor these ports because they often serve as an introductory point for malware into a computer endpoint and network. Organizations need to monitor all USB activities to prevent data breaches, curb the spread of malware, and protect sensitive information.

This blog post guides you on how to monitor USB drives that are plugged into Windows endpoints. Additionally, it describes how to configure filters for authorized and unauthorized USB drives.

Prerequisites

A pre-built ready-to-use Wazuh OVA 4.3.10. Follow the steps in the Virtual Machine (OVA) documentation to download and set this up.
A Windows 10 endpoint with the Wazuh agent installed and enrolled to the Wazuh server.

Configuration

Windows endpoint

The Audit PNP Activity is a Windows feature that helps detect USB drives and generate Plug and Play (PnP) events. This feature is available on Windows 10, Windows Server 2016, and later versions.

Perform the following steps to enable this feature:

1. Launch the Windows Run utility using the Windows + R key combination. Type secpol.msc in the input box and click OK. This opens the Local Security Policy window, as shown below.

flash drive near me — Figure 1: Local Security Policy window.

2. Navigate to Advanced Audit Policy Configuration > System Audit Policies – Local Group Policy Object > Detailed Tracking and double click Audit PNP Activity. In the new pop-up window, enable the policy by selecting Configure the following audit events: and Success. Click OK.

local security policy — Figure 2: Audit PNP Activity Properties.

In this blog post, we consider the Windows event ID 6416, which is responsible for auditing external devices.

Note

An Audit PNP Activity generates four events when an external USB drive is plugged in. You can verify this using the Windows Event Viewer tool.

Wazuh server

In this section, we create a custom rule to detect USB drive activities on a monitored Windows endpoint.

1. Add the following rule to the Wazuh server /var/ossec/etc/rules/local_rules.xml file:

<group name="windows-usb-detect,">
  <rule id="111000" level="7">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^6416$</field>
    <match>USBSTOR\\Disk</match>
    <options>no_full_log</options>
    <description>Windows: A PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer)</description>
  </rule>
</group>

Where:

Rule ID 111000 detects an event with Windows eventID 6416. This type of event occurs when a Windows system recognizes an external device. In our case, it refers to a USB drive connected to the monitored Windows endpoint.
<match> detects the event that has the USBSTOR\\Disk keyword in it. This keyword includes the vendor name, product name, revision number, and serial number. Events with other USB-related keywords are ignored.

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Test the configuration

Perform the action below to generate USB events.

1. Plug a USB device into the monitored Windows endpoint.

Navigate to the Security events tab in the Wazuh dashboard to see the alerts generated. The image below shows the alerts generated when a USB drive is inserted into the monitored Windows endpoint.

drive alerts — Figure 3: USB drive plugged-in events in Wazuh dashboard.

Filtering authorized and unauthorized USB drives

Perform the steps below to trigger alerts when authorized and unauthorized USB drives are inserted into the monitored Windows endpoint.

Creating a CDB list for authorized USB drives

You must create a CDB (constant database) list of authorized USB drives using their deviceId fields. We need a list of authorized devices for matching with detected drive activities. A drive not included on this list will be flagged as unauthorized.

1. On the Wazuh dashboard, expand the rule ID 111000 alert and extract the value from the data.win.eventdata.deviceId field. This field contains the vendor name, product name, revision number, and serial number. The image below shows the deviceId extracted from the alert generated earlier.

security events — Figure 4: Device ID value extraction from USB drive events.

2. On the Wazuh server, create a usb-drives CDB list in the /var/ossec/etc/lists directory:

$ sudo touch /var/ossec/etc/lists/usb-drives

3. Add the extracted deviceId value followed by a colon(:) to the CDB list:

USBSTOR\\Disk&amp;Ven_ADATA&amp;Prod_USB_Flash_Drive&amp;Rev_1100\\273170825011004C&amp;0:

CBD lists typically use <key>:<value> pairs but can also accept a <key>: value. For more information on CDB lists, see the CDB lists guide.

4. Add <list>etc/lists/usb-drives</list> to the <ruleset> block of the /var/ossec/etc/ossec.conf file. These changes take effect once you restart the Wazuh manager in the next steps.

<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/amazon/aws-eventnames</list>
  <list>etc/lists/security-eventchannel</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <list>etc/lists/usb-drives</list>
</ruleset>

Our next step would be to create custom rules that match with the CDB list.

Adding rules for USB filtering

In this section, we create two new rules that detect authorized and unauthorized USB drives. Perform the steps below to add the rules to the Wazuh server.

1. Add the following rules to the previously created windows-usb-detect group in the /var/ossec/etc/rules/local_rules.xml file:

<rule id="111001" level="5">
  <if_sid>111000</if_sid>
  <options>no_full_log</options>
  <description>Windows: Authorized PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer).</description>
</rule>

<rule id="111002" level="8">
  <if_sid>111000</if_sid>
  <list field="win.eventdata.deviceId" lookup="not_match_key">etc/lists/usb-drives</list>
  <options>no_full_log</options>
  <description>Windows: Unauthorized PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer).</description>
</rule>

Where:

Rule ID 111001 generates alerts when authorized USB drives are plugged into the endpoint.
Rule ID 111002 generates alerts when unauthorized USB drives are plugged into the endpoint. This occurs when the deviceId is not found in the CDB list.

2. Restart the Wazuh manager for the changes to take effect.

# systemctl restart wazuh-manager

Test the configuration

Perform the following actions to detect authorized and unauthorized USB drives.

1. Plug an authorized USB device into the Windows endpoint. This should be the device whose deviceId field you added to the CDB list created earlier.

2. Plug an unauthorized USB device into the Windows endpoint. Its deviceId field should not be in the CDB list created earlier.

Navigate to the Security events in the Wazuh dashboard to see the alerts generated. Figure 5 shows an authorized USB drive event, and Figure 6 shows an unauthorized USB drive event.

windows usb drive — Figure 5: Authorized USB drive event.

audit pnp activity — Figure 6: Unauthorized USB drive event.

Import custom visualization for authorized and unauthorized drive alerts

We have created a custom visualization that displays authorized and unauthorized USB drives. In this section, we describe how to import the custom visualization in the Wazuh dashboard.

Perform the steps below to import the custom visualization file.

1. Download the custom visualization file windows-usb-drive-monitoring-visualization.ndjson.

2. Select the Import option from Management > Stack Management > Saved Object to import the downloaded visualization file.

usb device — Figure 7: Custom visualization import.

After a successful import, the new object named Windows USB drive monitoring should be visible in the Saved Objects list.

3. Select the Windows USB drive monitoring file to view its contents. The image below shows authorized and unauthorized USB drive alerts generated by rule ID 111001 and 111002.

usb drives — Figure 9: Windows USB drive monitoring visualization contents.

The imported custom visualization object is also visible in the Visualize section under OpenSearch Dashboards.

Conclusion

This blog post describes how Wazuh can help organizations to monitor USB drives plugged into monitored Windows endpoints in real-time. It also shows how to configure the Wazuh CDB list to filter authorized and unauthorized USB drives. By monitoring USB drives, you can protect organizational data from theft, and stop USB transferrable malware attacks, thereby improving your organization’s security.

Wazuh provides a comprehensive solution to secure your critical assets in various ways. To learn more about Wazuh capabilities, visit our documentation and other bl og posts.

Reference

6416(S) A new external device was recognized by the System. (Windows 10) | Microsoft Learn