
Sheriff CSM™

USB Device Monitoring on Windows Systems

In Sheriff CSM version 5.3, Host Intrusion Detection System (HIDS) rules and plugins have been updated to capture USB device events on Windows machines.

Configuration Changes on the HIDS Agent

If you are deploying Sheriff CSM version 5.3 or later, you do not need to do anything. This feature is enabled by default.

If you are updating to Sheriff CSM version 5.3 or later from a previous version, and you want to use the USB device detection feature, you need to do one of the following:

  • On the host you wish to monitor, remove the existing HIDS agent and redeploy it. For instructions, see Deploy Sheriff HIDS Agents to Windows Hosts.
  • Alternatively, you can change the configuration on Windows manually, as detailed below.

Change the Configuration on Windows Manually

Because the full_command entry has to be present in each Windows system's ossec.conf file, you need to change the HIDS agent configuration on every Windows machine on which you want to monitor USB devices.

To change the configuration on the client machine:
  1. Go to C:\Program Files (x86)\ossec-agent.
  2. Open ossec.conf with a text editor.
  3. Locate the line "<ossec_config>" and add the following configuration right below that line:

    <localfile>
    <log_format>full_command</log_format>
    <command>wmic logicaldisk where drivetype=2 get deviceid, description, FileSystem, Size, VolumeSerialNumber</command>
    <frequency>60</frequency>
    </localfile>
    Your configuration file should look similar to this:

    ossec-config on Windows machine

    Some customers have reported that the wmic command above does not work in their environment. Sheriff has not been able to reproduce the problem but suspects that it may be related to newer HIDS versions or older Windows versions. If you run into the same issue, try using the following command instead:

    <command>wmic logicaldisk where "drivetype=2 AND NOT deviceid like "a\"" get deviceid, description, !FileSystem, Size, VolumeSerialNumber</command>
  4. Launch the win32ui application located in the same directory.

    1. Select Manage.
    2. Click Restart.

      Launching the ossec-agent manager from within the win32ui application
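The full_command entry above makes the HIDS agent run wmic every 60 seconds and forward the complete output as one log event; the USB rule fires when that output differs from the previous run. The following added example (not part of this page or of the Sheriff HIDS code) shows what that comparison looks like: it parses wmic's fixed-width table into records and diffs two snapshots, reporting a device that appeared, one whose media was inserted into an already-present slot (a card reader, which lists with empty FileSystem/Size/serial fields until media is present), and any device that disappeared. The snapshots are constructed sample output, and the event labels other than "Sheriff HIDS: New USB Device Found" are assumptions for illustration.

```python
"""Added example: parse wmic logicaldisk output and diff two snapshots.

Constructed sample input; not the HIDS agent's own code."""
import re

# Constructed sample of the command's output before a USB stick is plugged in.
# D: is a card reader with no media, so FileSystem/Size/serial are empty.
SNAPSHOT_BEFORE = "\n".join([
    "Description     DeviceID  FileSystem  Size         VolumeSerialNumber",
    "Removable Disk  D:",
    "",
])

# Constructed sample one minute later: media went into D: and a stick appeared as E:.
SNAPSHOT_AFTER = "\n".join([
    "Description     DeviceID  FileSystem  Size         VolumeSerialNumber",
    "Removable Disk  D:        FAT32       15931539456  1A2B3C4D",
    "Removable Disk  E:        exFAT       62075904000  DEADBEEF",
    "",
])


def parse_wmic_table(text):
    """Parse wmic's fixed-width table into a list of dicts keyed by header name.

    wmic pads every column to the widest value, so the start offset of each
    header word is the start offset of that column in every data row."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    lines = [ln for ln in lines if ln.strip()]
    if not lines:
        return []
    header = lines[0]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for line in lines[1:]:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
            rec[name] = line[start:end].strip()  # empty slice -> "" for blank fields
        records.append(rec)
    return records


def diff_snapshots(before_text, after_text):
    """Return devices added, removed, or changed between two runs, keyed by drive letter."""
    before = {r["DeviceID"]: r for r in parse_wmic_table(before_text)}
    after = {r["DeviceID"]: r for r in parse_wmic_table(after_text)}
    return {
        "added": [after[k] for k in after if k not in before],
        "removed": [before[k] for k in before if k not in after],
        "changed": [after[k] for k in after if k in before and after[k] != before[k]],
    }


def usb_events(before_text, after_text):
    """Turn a diff into event records with the fields the Event Details pane shows.

    The removed-device label is an assumption for this example; the page only
    names the "New USB Device Found" event."""
    diff = diff_snapshots(before_text, after_text)

    def detail(name, rec):
        return {
            "event": name,
            "Drive": rec["DeviceID"],
            "FileSystem": rec["FileSystem"],
            "Size": rec["Size"],
            "Serial Number": rec["VolumeSerialNumber"],
        }

    events = []
    # A slot that went from empty to populated is a new device too.
    for rec in diff["added"] + diff["changed"]:
        events.append(detail("Sheriff HIDS: New USB Device Found", rec))
    for rec in diff["removed"]:
        events.append(detail("USB Device Removed (assumed label)", rec))
    return events


if __name__ == "__main__":
    for ev in usb_events(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(ev)
```

Keying on DeviceID rather than VolumeSerialNumber is deliberate: a reader with no media has an empty serial, so a serial-keyed diff would collapse every empty slot into one record and miss the moment media is inserted.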

Verification

Once USB activity has been detected on that host, you should be able to see new Sheriff HIDS events with the event name Sheriff HIDS: New USB Device Found. The Event Details pane includes information about Drive, FileSystem, Size, and Serial Number:

USB device added/removed event details

Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates.
Topic revision: r11 - 20 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.