Detect USB Storage

In this use case, we configured the Wazuh agent to detect when a USB storage device is connected to a Windows endpoint. Then we create rules to generate alerts when the USB device is detected.

Configuration

Windows endpoint

On the Windows endpoint, we want to monitor the output of the USBSTOR registry entry using the reg Query command. Then, we create a rule to trigger an alert when the command output contains a value.

Perform the following steps on the Windows endpoint.

  1. Enable remote command execution on the Windows endpoint by appending the following settings to the C:\Program Files (x86)\ossec-agent\local_internal_options.conf file:

    Warning

    Enable remote command execution with caution as this gives the Wazuh user permission to run any command on the endpoint.

    logcollector.remote_commands=1
    
  2. Restart the Wazuh agent to apply the changes, using PowerShell with administrator privileges:

    > Restart-Service -Name wazuh
    

Wazuh server

Perform the following steps on the Wazuh server.

  1. Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the Wazuh server:

    <agent_config os="Windows">
      <localfile>
        <log_format>command</log_format>
        <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
        <alias>check_usb_connetivity</alias>
      </localfile>
    </agent_config>
    

    Where:

    • The value command of the <log_format> tag specifies the output of the command is read as multiple events.

    • The value reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR of the <command> tag is the command the Logcollector module executes to know if a USB device is attached to the endpoint.

    • The value check_usb_connetivity of the <alias> tag is a string that represents the reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR command for better identification in creating rules.

  2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

    <group name="detect_usb_storage,">
      <rule id="100016" level="7">
        <if_sid>530</if_sid>
        <match>^ossec: output: 'check_usb_connetivity':</match>
        <description>New USB device connected</description>
      </rule>
    </group>
    
  3. Restart the Wazuh manager to apply the changes:

    $ sudo systemctl restart wazuh-manager
    

Test the configuration

Trigger the alert by plugging a USB storage to the Windows endpoint.

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alert when a USB device is connected to the Windows endpoint.

New USB device connected alert