USB flash drives are very common and can be found in almost every computing environment to store and transfer data between computers. These USB devices make it really easy for a potential attacker to exploit unprotected computers with malicious viruses and Trojan software and provide a gateway to the network to manipulate sensitive data.

USB storage device detection

There are some good tools to be found on the net that will report USB devices on both local and remote Windows platforms. But most of them are not free and will require an agent to be installed on remote Windows platforms.

WMI notification event script

The following USB notification event script will send an event message in response to any USB device operation on the local or remote Windows platform. For simplicity, the script uses a temporary event subscription, which exists only while the script is running. A few modifications will be needed for a permanent event subscription that won’t require a perpetually running script:

VBScript (must be copied and saved as .vbs file):

strComputer = "." ' (Any computer name or address)
' Connect to the root\cimv2 WMI namespace on the target computer
Set wmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Temporary subscription: poll every second for USB mass storage PnP changes
Set wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'")
While True
    ' Block until the next matching event arrives
    Set usb = wmiEvent.NextEvent()
    Select Case usb.Path_.Class
        Case "__InstanceCreationEvent"
            WScript.Echo "USB device found"
        Case "__InstanceDeletionEvent"
            WScript.Echo "USB device deleted"
        Case "__InstanceModificationEvent"
            WScript.Echo "USB device modified"
    End Select
Wend

JScript (must be copied and saved as .js file):

var strComputer = "."; // (Any computer name or address)
// Connect to the root\cimv2 WMI namespace on the target computer
var wmi = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
// Temporary subscription: poll every second for USB mass storage PnP changes
var wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'");
while (true) {
    // Block until the next matching event arrives
    var usb = wmiEvent.NextEvent();
    switch (usb.Path_.Class) {
        case "__InstanceCreationEvent": { WScript.Echo("USB device found"); break; }
        case "__InstanceDeletionEvent": { WScript.Echo("USB device deleted"); break; }
        case "__InstanceModificationEvent": { WScript.Echo("USB device modified"); break; }
    }
}
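The permanent event subscription mentioned earlier, sketched in PowerShell as an added example that is not part of the original article: each event class gets an event filter, a consumer and a binding stored in root\subscription, so no script has to keep running. The name prefix, the log path and the choice of LogFileEventConsumer as the consumer are assumptions made for illustration.

```powershell
# Added example (not from the original article). Run from an elevated session.
$ns      = 'root\subscription'
$prefix  = 'UsbStorageWatch'           # hypothetical name prefix
$logFile = 'C:\Logs\usb-events.log'    # hypothetical path; the folder must already exist

# Event class -> message, mirroring the three cases in the scripts above.
$messages = [ordered]@{
    '__InstanceCreationEvent'     = 'USB device found'
    '__InstanceDeletionEvent'     = 'USB device deleted'
    '__InstanceModificationEvent' = 'USB device modified'
}

foreach ($eventClass in $messages.Keys) {
    $name  = "$prefix-$eventClass"
    # The article's WQL query, narrowed to a single event class.
    $query = "SELECT * FROM $eventClass WITHIN 1 " +
             "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
             "AND TargetInstance.Description='USB Mass Storage Device'"

    # 1. Filter: which events to watch for.
    $filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
        Name           = $name
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = $query
    }

    # 2. Consumer: append one line per event to the log file.
    $consumer = New-CimInstance -Namespace $ns -ClassName LogFileEventConsumer -Property @{
        Name     = $name
        Filename = $logFile
        Text     = "$($messages[$eventClass]): %TargetInstance.DeviceID%"
    }

    # 3. Binding: activates the subscription by linking filter and consumer.
    New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
        Filter   = [Ref]$filter
        Consumer = [Ref]$consumer
    } | Out-Null
}

# Audit what is registered. Remove the binding, consumer and filter instances
# with Remove-CimInstance when the monitoring is no longer wanted.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
```

Permanent subscriptions survive reboots and are executed by the WMI service itself, so record the ones you create and review root\subscription periodically for bindings you do not recognize.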

Conclusion

Using the pre-installed Windows Management Instrumentation (WMI) on Windows platforms is free and does not require a remote agent. It only requires a simple script that can be run manually from a privileged user account or from other network monitoring software, such as IDS/IPS, network protection and network access control (NAC) monitoring tools, or network security scanners.
