USB flash drives are very common and can be found in almost every computerized environment, where they are used for storing and transferring data between computers. These USB devices make it easy for a potential attacker to infect unprotected computers with viruses and Trojans, and they provide a gateway to the network for manipulating sensitive data.
 Detecting USB storage devices 
Some nice tools can be found on the net that will notify you about USB devices on local and remote Windows platforms. But most of them are not free and require installing an agent on the remote Windows platforms.
 WMI notification event script 
The following USB notification event script sends an event message in response to any operation of a USB device on a local or remote Windows platform. For simplicity, the script uses a temporary event subscription, which exists only as long as the script is running. Some modifications will be needed for a permanent event subscription that does not require a perpetually running script:
 VBScript (should be copied and saved as .vbs file): 
strComputer = "." '(Any computer name or address)
' Connect to the root\cimv2 WMI namespace on the target computer
Set wmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Temporary subscription: poll every second for USB mass storage PnP changes
Set wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'")
While True
  ' Block until the next matching event arrives
  Set usb = wmiEvent.NextEvent()
  Select Case usb.Path_.Class
    Case "__InstanceCreationEvent"
      WScript.Echo("USB device found")
    Case "__InstanceDeletionEvent"
      WScript.Echo("USB device removed")
    Case "__InstanceModificationEvent"
      WScript.Echo("USB device modified")
  End Select
Wend
 JScript (should be copied and saved as .js file): 
var strComputer = "."; //(Any computer name or address)
// Connect to the root\cimv2 WMI namespace on the target computer
var wmi = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
// Temporary subscription: poll every second for USB mass storage PnP changes
var wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'");
while (true) {
  // Block until the next matching event arrives
  var usb = wmiEvent.NextEvent();
  switch (usb.Path_.Class) {
    case "__InstanceCreationEvent": {WScript.Echo("USB device found"); break;}
    case "__InstanceDeletionEvent": {WScript.Echo("USB device removed"); break;}
    case "__InstanceModificationEvent": {WScript.Echo("USB device modified"); break;}
  }
}
 Conclusion 
Using the preinstalled Windows Management Instrumentation (WMI) on Windows platforms is free and does not require any remote agent. It only requires a simple script that can be run manually from a privileged user account or from other network monitoring software, such as IDS/IPS, network protection and network access control products, or network security scanners.