USB flash drives are very common and can be found in almost every computerized environment for storing and transferring data between computers. These USB devices make it easy for a potential attacker to exploit unprotected computers with malicious virus and Trojan software, and they provide a gateway to the network for manipulating sensitive data.

Detecting USB storage devices

There are some nice tools on the net that will notify about USB devices on local and remote Windows platforms, but most of them are not free and require the installation of an agent on the remote Windows platforms. Using the preinstalled Windows Management Instrumentation (WMI) on Windows platforms is free and does not require any remote agent. It only requires a simple script that can be run manually from a privileged user account or from another network monitoring software like Security Center: IDS IPS Network Access Protection and Switch Protector: NAC Network Access Control Monitoring network security scanners.

WMI notification event script

The following USB notification event script will send an event message in response to any operation of a USB device on a local or remote Windows platform. For simplicity, the script uses a temporary event subscription, which exists only as long as the script is running. Some modifications will be needed for a permanent event subscription that will not require a perpetually running script:

VBScript (should be copied and saved as .vbs file):

```vbscript
strComputer = "." '(Any computer name or address)

' Connect to the WMI service on the target computer
Set wmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Temporary subscription: poll every second for USB mass storage changes
Set wmiEvent = wmi.ExecNotificationQuery( _
    "select * from __InstanceOperationEvent within 1 where " & _
    "TargetInstance ISA 'Win32_PnPEntity' and " & _
    "TargetInstance.Description='USB Mass Storage Device'")

While True
    ' Blocks until the next matching event arrives
    Set usb = wmiEvent.NextEvent()
    Select Case usb.Path_.Class
        Case "__InstanceCreationEvent"
            WScript.Echo("USB device found")
        Case "__InstanceDeletionEvent"
            WScript.Echo("USB device removed")
        Case "__InstanceModificationEvent"
            WScript.Echo("USB device modified")
    End Select
Wend
```

JScript (should be copied and saved as .js file):

```javascript
strComputer = "."; //(Any computer name or address)

// Connect to the WMI service on the target computer
var wmi = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");

// Temporary subscription: poll every second for USB mass storage changes
var wmiEvent = wmi.ExecNotificationQuery(
    "select * from __InstanceOperationEvent within 1 where " +
    "TargetInstance ISA 'Win32_PnPEntity' and " +
    "TargetInstance.Description='USB Mass Storage Device'");

while (true) {
    // Blocks until the next matching event arrives
    var usb = wmiEvent.NextEvent();
    switch (usb.Path_.Class) {
        case "__InstanceCreationEvent": {
            WScript.Echo("USB device found");
            break;
        }
        case "__InstanceDeletionEvent": {
            WScript.Echo("USB device removed");
            break;
        }
        case "__InstanceModificationEvent": {
            WScript.Echo("USB device modified");
            break;
        }
    }
}
```
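The permanent event subscription mentioned above, as an added example that is not part of the original article: it registers the same WQL filter (narrowed to creation events) with the built-in LogFileEventConsumer, so device arrivals are logged without a running script. The subscription name `UsbStorageWatch` and the log path are assumptions, and the script must be run from an administrator account.

```vbscript
' Added example, not from the original article.
' Assumptions: elevated account; standard WMI consumers are registered in
' root\subscription; SUB_NAME and LOG_FILE are placeholder values.
Option Explicit
Const SUB_NAME = "UsbStorageWatch"          ' hypothetical subscription name
Const LOG_FILE = "C:\Logs\usb-events.log"   ' hypothetical path, folder must exist

Dim strComputer, svc, filter, consumer, binding, filterPath, consumerPath
strComputer = "."   ' any computer name or address, as in the scripts above

' Permanent subscription objects are stored in the root\subscription namespace
Set svc = GetObject("winmgmts:\\" & strComputer & "\root\subscription")

' 1. Event filter: the article's query, watching root\cimv2 for new devices
Set filter = svc.Get("__EventFilter").SpawnInstance_()
filter.Name = SUB_NAME & "Filter"
filter.EventNamespace = "root\cimv2"
filter.QueryLanguage = "WQL"
filter.Query = "select * from __InstanceCreationEvent within 1 where " & _
    "TargetInstance ISA 'Win32_PnPEntity' and " & _
    "TargetInstance.Description='USB Mass Storage Device'"
Set filterPath = filter.Put_()

' 2. Consumer: appends one line per event; %...% fields are filled by WMI
Set consumer = svc.Get("LogFileEventConsumer").SpawnInstance_()
consumer.Name = SUB_NAME & "Consumer"
consumer.Filename = LOG_FILE
consumer.Text = "USB device found: %TargetInstance.DeviceID% on " & _
    "%TargetInstance.SystemName%"
Set consumerPath = consumer.Put_()

' 3. Binding: ties the filter to the consumer and activates the subscription
Set binding = svc.Get("__FilterToConsumerBinding").SpawnInstance_()
binding.Filter = filterPath.Path
binding.Consumer = consumerPath.Path
binding.Put_

WScript.Echo "Permanent subscription '" & SUB_NAME & "' registered."
```

The three objects stay in `root\subscription` across reboots until they are deleted, so record the names used at deployment and include them in any inventory of permanent WMI subscriptions on the host.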