 |
You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>DeploymentGuide>IDSConfiguration>SheriffHIDS>USBDeviceMonitoringOnWindowsSystems (20 Jun 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next Sheriff CSMâ„¢
Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates.
Previous Next Sheriff CSMâ„¢
USB Device Monitoring on Windows Systems
In Sheriff CSM version 5.3, Host Intrusion Detection System (HIDS) rules and plugins have been updated to capture USB device events on Windows machines.Configuration Changes on the HIDS Agent
If you are deploying Sheriff CSM version 5.3 or later, you do not need to do anything. This feature is enabled by default. If you are updating to Sheriff CSM version 5.3 or later from a previous version, and you want to use the USB device detection feature, you need to do one of the following:- On the host you wish to monitor, remove the existing HIDS agent and redeploy it. For instructions, see Deploy Sheriff HIDS Agents to Windows Hosts.
- Alternatively, you can change the configuration on Windows manually, as detailed below.
Change the Configuration on Windows Manually
Since full_command must be configured in each Windows system'sossec.conf file, you need to change the HIDS agent configuration on each Windows machine that you want to monitor USB devices.
To change the configuration on the client machine: -
Go to
C:\Program Files (x86)\ossec-agent. - Open
ossec.confwith a text editor. -
Locate the line "<ossec_config>" and add the following configuration right below that line:
<localfile> <log_format>full_command</log_format> <command>wmic logicaldisk where drivetype=2 get deviceid, description, FileSystem, Size, VolumeSerialNumber</command> <frequency>60</frequency> </localfile>
Your configuration file should look similar to this:
Some customers have reported that the wmic command above does not work in their environment. Sheriff has not been able to reproduce the problem but suspect that it may be related to newer HIDS versions or older Windows versions. If you run into the same issue, try using the following command instead:
<command>wmic logicaldisk where "drivetype=2 AND NOT deviceid like "a\"" get deviceid, description, !FileSystem, Size, VolumeSerialNumber</command>
-
Launch the
win32uiapplication located in the same directory.- Select Manage.
- Click Restart.
Verification
Once USB activity has been detected on that host, you should be able to see new Sheriff HIDS events with the event name Sheriff HIDS: New USB Device Found. And the Event Details pane includes information about Drive, FileSystem, Size, and Serial Number:
Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates. Edit | Attach | Print version | History: r11 < r10 < r9 < r8 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r11 - 20 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.