Detect USB Storage

In this use case, we configured the ThreatLockDown agent to detect when a USB storage device is connected to a Windows endpoint. Then we create rules to generate alerts when the USB device is detected.

Configuration

Windows endpoint

On the Windows endpoint, we want to monitor the output of the USBSTOR registry entry using the reg Query command. Then, we create a rule to trigger an alert when the command output contains a value.

Perform the following steps on the Windows endpoint.

  1. Enable remote command execution on the Windows endpoint by appending the following settings to the C:\Program Files (x86)\ossec-agent\local_internal_options.conf file:

    Warning

    Enable remote command execution with caution as this gives the ThreatLockDown user permission to run any command on the endpoint.

    logcollector.remote_commands=1

  2. Restart the ThreatLockDown agent to apply the changes, using PowerShell with administrator privileges:

    > Restart-Service -Name wazuh

ThreatLockDown server

Perform the following steps on the ThreatLockDown server.

  1. Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the ThreatLockDown server:

    <agent_config os="Windows">
  <localfile>
    <log_format>command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <alias>check_usb_connetivity</alias>
  </localfile>
</agent_config>

    Where:

    • The value command of the <log_format> tag specifies the output of the command is read as multiple events.

    • The value reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR of the <command> tag is the command the Logcollector module executes to know if a USB device is attached to the endpoint.

    • The value check_usb_connetivity of the <alias> tag is a string that represents the reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR command for better identification in creating rules.

  2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the ThreatLockDown server:

    <group name="detect_usb_storage,">
  <rule id="100016" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'check_usb_connetivity':</match>
    <description>New USB device connected</description>
  </rule>
</group>

  3. Restart the ThreatLockDown manager to apply the changes:

    $ sudo systemctl restart wazuh-manager

Test the configuration

Trigger the alert by plugging a USB storage to the Windows endpoint.

Visualize the alerts

Go to Threat Hunting module on the ThreatLockDown dashboard to visualize the generated alert when a USB device is connected to the Windows endpoint.

New USB device connected alert