legitimate usb activity will also be detected. please verify and investigate as appropriate.

Techniques

Sample rules

Windows WPDBusEnum Registry Key Modification

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data 

| `drop_dm_object_name(Registry)`

| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&amp;"),2),"PROD_","")

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`

| `windows_wpdbusenum_registry_key_modification_filter`

Windows Process Executed From Removable Media

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory

| `drop_dm_object_name(Processes)` 

| rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)"

| where isnotnull(object_handle)

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`

| join dest,object_handle
  [
| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data,Registry.registry_path
   
| `drop_dm_object_name(Registry)`
   
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&amp;"),2),"PROD_","")
  ]

| `windows_process_executed_from_removable_media_filter`

Windows USBSTOR Registry Key Modification

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path

| `drop_dm_object_name(Registry)`

| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&amp;"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)` 

| `windows_usbstor_registry_key_modification_filter`