https://github.com/osquery/osquery logo
Powered by
#windows
Title
# windows
h

Hello_There

05/18/2021, 7:18 PM
Hi all,  I have a doubt that can be a little stupid. Is there a table to monitor new devices on windows or to monitor new devices plugged into the USB? I know that for linux there is a table, but for Windows I didn't notice the most suitable one.
c

CptOfEvilMinions

05/19/2021, 6:56 PM
I don't see the devices table used on Linux for Windows according to osquery.io/schema. However, you might be able to use the 
disk_info
 table.
1
Just spit balling here but Windows Events might have an EventID for new USB devices. If so you can use the 
windows_eventlog
 table to query that event ID
m

MarkMurdock

05/21/2021, 3:33 AM
You can narrow in on particular events, but I suggest checking the results from: 
SELECT * from windows_events WHERE provider_name='Microsoft-Windows-Kernel-PnP';
👀 1
Another option would be to use the kolide_wmi table and run something like this:
Copy code
WITH pnp_raw AS (
  SELECT * FROM kolide_wmi WHERE class = 'Win32_PnPEntity' AND properties = 'Availability,Caption,ClassGuid,CompatibleID,ConfigManagerErrorCode,ConfigManagerUserConfig,CreationClassName,Description,DeviceID,ErrorCleared,ErrorDescription,HardwareID,InstallDate,LastErrorCode,Manufacturer,Name,PNPClass,PNPDeviceID,PowerManagementCapabilities,PowerManagementSupported,Present,Service,Status,StatusInfo,SystemCreationClassName,SystemName'),
pivot_wmi AS (
  SELECT 
    MAX(CASE WHEN key = 'Availability' THEN value END) AS availability,
    MAX(CASE WHEN key = 'Caption' THEN value END) AS caption,
    MAX(CASE WHEN key = 'ClassGuid' THEN value END) AS class_guid,
    MAX(CASE WHEN key = 'CompatibleID' THEN value END) AS compatible_id,
    MAX(CASE WHEN key = 'ConfigManagerErrorCode' THEN value END) AS config_mgr_err_code,
    MAX(CASE WHEN key = 'ConfigManagerUserConfig' THEN value END) AS config_mgr_user_config,
    MAX(CASE WHEN key = 'CreationClassName' THEN value END) AS creation_class_name,
    MAX(CASE WHEN key = 'Description' THEN value END) AS description,
    MAX(CASE WHEN key = 'DeviceID' THEN value END) AS device_id,
    MAX(CASE WHEN key = 'ErrorCleared' THEN value END) AS error_cleared,
    MAX(CASE WHEN key = 'ErrorDescription' THEN value END) AS error_description,
    MAX(CASE WHEN key = 'HardwareID' THEN value END) AS hardware_id,
    MAX(CASE WHEN key = 'InstallDate' THEN value END) AS install_date,
    MAX(CASE WHEN key = 'LastErrorCode' THEN value END) AS last_error_code,
    MAX(CASE WHEN key = 'Manufacturer' THEN value END) AS manufacturer,
    MAX(CASE WHEN key = 'Name' THEN value END) AS name,
    MAX(CASE WHEN key = 'PNPClass' THEN value END) AS pnp_class,
    MAX(CASE WHEN key = 'PNPDeviceID' THEN value END) AS pnp_device_id,
    MAX(CASE WHEN key = 'PowerManagementCapabilities' THEN value END) AS pwr_mgmt_capabilities,
    MAX(CASE WHEN key = 'PowerManagementSupported' THEN value END) AS pwr_mgmt_supported,
    MAX(CASE WHEN key = 'Present' THEN value END) AS present,
    MAX(CASE WHEN key = 'Service' THEN value END) AS service,
    MAX(CASE WHEN key = 'Status' THEN value END) AS status,
    MAX(CASE WHEN key = 'StatusInfo' THEN value END) AS status_info,
    MAX(CASE WHEN key = 'SystemCreationClassName' THEN value END) AS system_creation_class_name,
    MAX(CASE WHEN key = 'SystemName ' THEN value END) AS system_name
  FROM pnp_raw
  GROUP BY parent)
SELECT * FROM pivot_wmi WHERE pnp_class = 'USBDevice'
👀 1
c

CptOfEvilMinions

05/21/2021, 6:21 PM
Using WMI is an excellent suggestion! I didn't even think of that.
h

Hello_There

05/25/2021, 2:25 PM
@CptOfEvilMinions hii
your tip for looking at the "disk_info" table was the one that suited me so I can filter through the "USB" type field and get the following example result Disk drive13997486080Kingston DataTraveler 2.0 USB Device\\.\PHYSICALDRIVE1(Standard disk drives)\\.\PHYSICALDRIVE11USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\0013729B6EB8F9B0361F0EB6&00013729B6EB8F9B0361F0EB6
🦜 1
p

puffycid

05/29/2021, 8:30 PM
👀 1
2 Views
Powered by