legitimate usb activity will also be detected. please verify and investigate as appropriate.

Techniques

Sample rules

Windows WPDBusEnum Registry Key Modification

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry 
where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") 
AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" 
by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path 
Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name  
Registry.registry_value_type Registry.status Registry.user Registry.vendor_product 

| `drop_dm_object_name(Registry)`

| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&amp;"),2),"PROD_","")

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`

| `windows_wpdbusenum_registry_key_modification_filter`

Windows Process Executed From Removable Media

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") 
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name 
Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash 
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path 
Processes.user Processes.user_id Processes.vendor_product Processes.process_current_directory

| `drop_dm_object_name(Processes)` 

| rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)" 

| where isnotnull(object_handle) 

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)` 

| join dest,object_handle 
  [
| tstats `security_content_summariesonly` count values(Registry.action) as action values(Registry.process_guid) as process_guid values(Registry.process_id) as process_id values(Registry.registry_hive) as registry_hive values(Registry.registry_key_name) as registry_key_name values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_type) as registry_value_type values(Registry.status) as status values(Registry.user) as user values(Registry.vendor_product) as vendor_product from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data, Registry.registry_path 
  
| `drop_dm_object_name(Registry)` 
  
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&amp;"),2),"PROD_","")
      ]

| `windows_process_executed_from_removable_media_filter`

Windows USBSTOR Registry Key Modification

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") 
AND Registry.registry_value_name ="FriendlyName" 
by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path 
Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name  
Registry.registry_value_type Registry.status Registry.user Registry.vendor_product 

| `drop_dm_object_name(Registry)`

| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&amp;"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)` 

| `windows_usbstor_registry_key_modification_filter`