Using Osquery for USB device monitoring.

Prerequisites

This article is written using Osquery 4.2.0. If you’re looking for help on installing Osquery please see our guide here.

Example of USB device monitoring with FIM on Osquery

Why monitor USB devices?

There are three main reasons, off the top of my head, why you would want to monitor the USB devices attached to your endpoints.

Data loss prevention

Removable media is a convenient way to exfiltrate data from a corporate network. Most companies block access to online file sharing services in favour of corporate file sharing services that produce auditable events for compliance, and they restrict email attachment types and sizes, so USB devices become the fastest way to move files between systems, assuming USB ports are not blocked as well. Files left on USB devices are then a potential source of a data breach: given their size, these devices are easily misplaced or re-purposed, and even deleted files can often be recovered from them. Having an auditable log of the files copied to USB devices helps mitigate that risk.

Compliance & Auditing

As with the use case above, many security frameworks and compliance standards require some form of USB device monitoring and auditing. In the event of a data breach, having a strong reference point helps investigations and can thereby minimise the damage to business operations.

Security

USB devices are a potential route for malicious files to be introduced to a system or network. Being able to identify those files, and whether they are known or unknown to the organisation, helps minimise the damage to the business.

Setting up File Integrity Monitoring (FIM)

On macOS, osquery's FIM subscribes to FSEvents (on Linux it uses inotify) to watch the files and directories listed in the file_paths section of the configuration. Each create, update, move or delete of a watched file produces a row in the file_events table, and for created and updated files osquery also computes the file's md5, sha1 and sha256 hashes. When osquery fetches its configuration from a remote config plugin (for example the TLS plugin) the set of watched paths can be changed on the fly, without restarting the agent. Wildcards are supported: % matches a single directory level and %% matches recursively, so /Volumes/%% covers every mounted volume and everything beneath it. The key of each entry (removable below) is a free-form category label that is reported back in the category column of file_events.

{
  "options": {
  },
  "file_paths": {
    "removable": [
      "/Volumes/%%"
    ]
  }
}

sudo osqueryi --disable_audit=false --verbose --disable_events=false --config_path ./osq.conf

Two things to watch when testing this interactively. Event tables are off by default in osqueryi, so --disable_events=false is the flag that actually makes file_events and disk_events populate. Event tables also only contain events raised while the publisher was running, so start osqueryi first and plug the device in afterwards.

USB devices

First confirm that osquery can see the device at all. usb_devices enumerates everything on the USB bus, and removable = 1 narrows it to devices reporting themselves as removable storage. For a stable identity it is worth also selecting the serial, vendor_id and model_id columns rather than relying on the vendor string alone:

SELECT vendor, model FROM usb_devices WHERE removable = 1;
+---------+--------------+
| vendor  | model        |
+---------+--------------+
| SanDisk | Cruzer Glide |
+---------+--------------+

Plugging a device in (or pulling it out) also raises rows in disk_events. Joining on mounts turns the BSD device name into a mount point. A single stick produces several add rows (the whole disk as well as its volume), and only rows for a mounted volume resolve to a path, which is why the LEFT JOIN leaves the path empty on the others:

SELECT action, DATETIME(time, 'unixepoch') AS datetime, vendor, mounts.path
FROM disk_events
LEFT JOIN mounts ON mounts.device = disk_events.device;
+--------+---------------------+---------+------------------+
| action | datetime            | vendor  | path             |
+--------+---------------------+---------+------------------+
| add    | 2020-08-19 16:16:10 | SanDisk |                  |
| add    | 2020-08-19 16:16:10 | SanDisk | /Volumes/SanDisk |
| add    | 2020-08-19 16:16:10 | SanDisk |                  |
+--------+---------------------+---------+------------------+

With the FIM configuration above in place, file_events records every file written beneath /Volumes. The sha1 <> '' filter keeps only rows where osquery hashed the file (hashes are computed for CREATED and UPDATED rows, not for deletions), the NOT LIKE clause drops the .DS_Store noise that Finder writes to every volume it touches, and the SUBSTR calls trim the 17-character /Volumes/SanDisk/ prefix and shorten the hash for display. FSEvents can deliver the same change more than once, so duplicate rows like the ones below are normal and should be de-duplicated downstream on (target_path, action, time):

SELECT action, uid, SUBSTR(target_path, 18) AS path, SUBSTR(md5, 1, 7) AS hash, time
FROM file_events
WHERE sha1 <> '' AND target_path NOT LIKE '%DS_Store';
+---------+-----+---------------+---------+------------+
| action  | uid | path          | hash    | time       |
+---------+-----+---------------+---------+------------+
| CREATED | 99  |               | 43cf614 | 1597853771 |
| CREATED | 99  | Zercurity.png | 8894958 | 1597853800 |
| CREATED | 99  | Zercurity.png | 8894958 | 1597853800 |
| UPDATED | 99  | Zercurity.png | 8894958 | 1597853800 |
| UPDATED | 99  | Zercurity.png | 8894958 | 1597853800 |
+---------+-----+---------------+---------+------------+

The file_paths entry above watches every mounted volume, not just USB media. To narrow the results to removable USB devices, resolve the mount points of the disk events whose vendor matches a removable USB device (matching on the vendor string is coarse, but it is the only column shared between disk_events and usb_devices):

SELECT mounts.path FROM disk_events
INNER JOIN mounts ON mounts.device = disk_events.device
WHERE vendor IN (
  SELECT vendor FROM usb_devices
  WHERE removable = 1
);
+--------------------+
| path               |
+--------------------+
| /Volumes/Zercurity |
+--------------------+

Finally, fold that into a CTE and keep only the file events whose target_path sits beneath one of those mount points. Use EXISTS rather than a scalar subquery so that more than one removable volume is handled at a time, and append '/' to the prefix so that /Volumes/SanDisk does not also match a sibling volume such as /Volumes/SanDisk2:

WITH target_paths AS (
  SELECT mounts.path FROM disk_events
  INNER JOIN mounts ON mounts.device = disk_events.device
  WHERE vendor IN (
    SELECT vendor FROM usb_devices
    WHERE removable = 1
  )
)
SELECT * FROM file_events
WHERE EXISTS (
  SELECT 1 FROM target_paths
  WHERE file_events.target_path LIKE target_paths.path || '/%'
);
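The queries above are interactive. In production the disk_events/mounts join and the file_events query would be scheduled in osqueryd and land in its result log, one JSON object per line, where a collector has to stitch the two streams back together. The script below is an added example (it is not code from the original article and not part of osquery) of that correlation: it replays result-log rows in event-time order, keeps a table of the removable volumes currently mounted from the disk event rows, and raises an alert for every file event whose target_path sits under one of them, so that a write made after the device was ejected, or to a volume with a similar name, is not attributed to it. The schedule names usb_disk_events and usb_file_events, the mounts.path AS path alias, and the log lines themselves are all constructed for this example; real result-log rows carry more fields than shown.

```python
"""Correlate osqueryd result-log rows to flag files written to removable USB volumes.

Added example, not code from the original article or from osquery. It assumes two
scheduled queries in osqueryd (names chosen here, not taken from the article):
  usb_disk_events -> the disk_events / mounts join, with mounts.path AS path
  usb_file_events -> the file_events query
and osqueryd's filesystem logger writing one JSON object per result row.
"""
import json
from dataclasses import dataclass, field

# Constructed result-log lines. Real rows carry extra fields (hostIdentifier,
# calendarTime, decorations, ...); only what the logic needs is kept. Note the
# log order: the file query ran (unixTime ...830) before the disk query
# (unixTime ...840) logged the mount the files were written to, and the remove
# row carries an empty path because the volume was already gone from mounts.
SAMPLE_LOG = r"""
{"name":"usb_file_events","unixTime":1597853830,"action":"added","columns":{"action":"CREATED","target_path":"/Volumes/SanDisk/Zercurity.png","uid":"99","md5":"8894958d00000000000000000000aaaa","time":"1597853800"}}
{"name":"usb_file_events","unixTime":1597853830,"action":"added","columns":{"action":"UPDATED","target_path":"/Volumes/SanDisk2/other.png","uid":"99","md5":"0000000000000000000000000000bbbb","time":"1597853801"}}
{"name":"usb_file_events","unixTime":1597853830,"action":"added","columns":{"action":"UPDATED","target_path":"/Volumes/Macintosh HD/Users/me/notes.txt","uid":"501","md5":"","time":"1597853805"}}
{"name":"usb_disk_events","unixTime":1597853840,"action":"added","columns":{"action":"add","device":"/dev/disk2","vendor":"SanDisk","path":"","time":"1597853770"}}
{"name":"usb_disk_events","unixTime":1597853840,"action":"added","columns":{"action":"add","device":"/dev/disk2s1","vendor":"SanDisk","path":"/Volumes/SanDisk","time":"1597853770"}}
{"name":"usb_disk_events","unixTime":1597853960,"action":"added","columns":{"action":"remove","device":"/dev/disk2s1","vendor":"SanDisk","path":"","time":"1597853900"}}
{"name":"usb_file_events","unixTime":1597853960,"action":"added","columns":{"action":"CREATED","target_path":"/Volumes/SanDisk/late.txt","uid":"99","md5":"0000000000000000000000000000cccc","time":"1597853950"}}
"""


@dataclass
class RemovableMediaCorrelator:
    """Replays result rows in event-time order and flags writes under removable mounts."""

    disk_query: str = "usb_disk_events"  # assumed schedule names, not from the article
    file_query: str = "usb_file_events"
    mounts: dict = field(default_factory=dict)  # device node -> mount path
    alerts: list = field(default_factory=list)

    def _on_disk(self, cols: dict) -> None:
        # Only the volume's 'add' row resolves to a mount path; the whole-disk
        # row has none and is ignored. Track by device node, because by the
        # time a 'remove' row is logged the mounts table no longer lists the
        # device and the joined path comes back empty.
        device = cols["device"]
        if cols["action"] == "add" and cols.get("path"):
            self.mounts[device] = cols["path"]
        elif cols["action"] == "remove":
            self.mounts.pop(device, None)

    def _on_file(self, cols: dict) -> None:
        target = cols["target_path"]
        for device, mount in self.mounts.items():
            # Match on a directory boundary so /Volumes/SanDisk does not also
            # claim files on /Volumes/SanDisk2.
            if target == mount or target.startswith(mount.rstrip("/") + "/"):
                self.alerts.append({
                    "time": int(cols["time"]),
                    "action": cols["action"],
                    "uid": cols.get("uid", ""),
                    "target_path": target,
                    "md5": cols.get("md5", ""),
                    "device": device,
                    "mount": mount,
                })
                return

    def feed(self, record: dict) -> None:
        if record.get("action") != "added":  # event tables only ever add rows
            return
        name = record.get("name")
        if name == self.disk_query:
            self._on_disk(record["columns"])
        elif name == self.file_query:
            self._on_file(record["columns"])


def process_log(text: str, **kwargs) -> list:
    """Parse result-log lines and return alerts for files written to removable media."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    # Each scheduled query logs on its own interval, so rows arrive out of
    # order across queries; replay them by the event's own timestamp instead.
    records.sort(key=lambda r: int(r["columns"].get("time", r.get("unixTime", 0))))
    correlator = RemovableMediaCorrelator(**kwargs)
    for record in records:
        correlator.feed(record)
    return correlator.alerts


if __name__ == "__main__":
    for alert in process_log(SAMPLE_LOG):
        print(f'{alert["time"]} {alert["action"]:8} uid={alert["uid"]} '
              f'{alert["target_path"]} ({alert["device"]} at {alert["mount"]}) '
              f'md5={alert["md5"]}')
```

Run against the constructed log, only Zercurity.png is reported: other.png lives on a sibling volume, notes.txt is on the internal disk, and late.txt was written after the remove row, so nothing claims it. Sorting by the event's own time column, rather than by the order rows reached the log, is what lets the mount logged at ...840 cover a write logged at ...830.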
