Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
h
Hello_There
05/18/2021, 7:18 PMHi all,ย I have a doubt that can be a little stupid. Is there a table to monitor new devices on windows or to monitor new devices plugged into the USB?
I know that for linux there is a table, but for Windows I didn't notice the most suitable one.
c
CptOfEvilMinions
05/19/2021, 6:56 PMI don't see the devices table used on Linux for Windows according to osquery.io/schema. However, you might be able to use the
disk_infoโ
1
Just spit balling here but Windows Events might have an EventID for new USB devices. If so you can use the
windows_eventlogm
MarkMurdock
05/21/2021, 3:33 AMYou can narrow in on particular events, but I suggest checking the results from:
SELECT * from windows_events WHERE provider_name='Microsoft-Windows-Kernel-PnP';๐ 1
Another option would be to use the kolide_wmi table and run something like this:
WITH pnp_raw AS (
SELECT * FROM kolide_wmi WHERE class = 'Win32_PnPEntity' AND properties = 'Availability,Caption,ClassGuid,CompatibleID,ConfigManagerErrorCode,ConfigManagerUserConfig,CreationClassName,Description,DeviceID,ErrorCleared,ErrorDescription,HardwareID,InstallDate,LastErrorCode,Manufacturer,Name,PNPClass,PNPDeviceID,PowerManagementCapabilities,PowerManagementSupported,Present,Service,Status,StatusInfo,SystemCreationClassName,SystemName'),
pivot_wmi AS (
SELECT
MAX(CASE WHEN key = 'Availability' THEN value END) AS availability,
MAX(CASE WHEN key = 'Caption' THEN value END) AS caption,
MAX(CASE WHEN key = 'ClassGuid' THEN value END) AS class_guid,
MAX(CASE WHEN key = 'CompatibleID' THEN value END) AS compatible_id,
MAX(CASE WHEN key = 'ConfigManagerErrorCode' THEN value END) AS config_mgr_err_code,
MAX(CASE WHEN key = 'ConfigManagerUserConfig' THEN value END) AS config_mgr_user_config,
MAX(CASE WHEN key = 'CreationClassName' THEN value END) AS creation_class_name,
MAX(CASE WHEN key = 'Description' THEN value END) AS description,
MAX(CASE WHEN key = 'DeviceID' THEN value END) AS device_id,
MAX(CASE WHEN key = 'ErrorCleared' THEN value END) AS error_cleared,
MAX(CASE WHEN key = 'ErrorDescription' THEN value END) AS error_description,
MAX(CASE WHEN key = 'HardwareID' THEN value END) AS hardware_id,
MAX(CASE WHEN key = 'InstallDate' THEN value END) AS install_date,
MAX(CASE WHEN key = 'LastErrorCode' THEN value END) AS last_error_code,
MAX(CASE WHEN key = 'Manufacturer' THEN value END) AS manufacturer,
MAX(CASE WHEN key = 'Name' THEN value END) AS name,
MAX(CASE WHEN key = 'PNPClass' THEN value END) AS pnp_class,
MAX(CASE WHEN key = 'PNPDeviceID' THEN value END) AS pnp_device_id,
MAX(CASE WHEN key = 'PowerManagementCapabilities' THEN value END) AS pwr_mgmt_capabilities,
MAX(CASE WHEN key = 'PowerManagementSupported' THEN value END) AS pwr_mgmt_supported,
MAX(CASE WHEN key = 'Present' THEN value END) AS present,
MAX(CASE WHEN key = 'Service' THEN value END) AS service,
MAX(CASE WHEN key = 'Status' THEN value END) AS status,
MAX(CASE WHEN key = 'StatusInfo' THEN value END) AS status_info,
MAX(CASE WHEN key = 'SystemCreationClassName' THEN value END) AS system_creation_class_name,
MAX(CASE WHEN key = 'SystemName ' THEN value END) AS system_name
FROM pnp_raw
GROUP BY parent)
SELECT * FROM pivot_wmi WHERE pnp_class = 'USBDevice'๐ 1
c
CptOfEvilMinions
05/21/2021, 6:21 PMUsing WMI is an excellent suggestion! I didn't even think of that.
h
Hello_There
05/25/2021, 2:25 PM@CptOfEvilMinions hii
your tip for looking at the "disk_info" table was the one that suited me so I can filter through the "USB" type field and get the following example result
Disk drive13997486080Kingston DataTraveler 2.0 USB Device\\.\PHYSICALDRIVE1(Standard disk drives)\\.\PHYSICALDRIVE11USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\0013729B6EB8F9B0361F0EB6&00013729B6EB8F9B0361F0EB6
๐artyparrot: 1
p
puffycid
05/29/2021, 8:30 PMThe windows registry also contains quite a bit of data of inserted USB devices
https://forensicswiki.xyz/wiki/index.php?title=USB_History_Viewing
https://boncaldoforensics.wordpress.com/2018/08/18/dfs-03-was-a-usb-drive-inserted-into-my-windows-computer
But it sounds like disk_info works
๐ 1