legitimate usb activity will also be detected. please verify and investigate as appropriate.

Techniques

Sample rules

Detect USB device insertion

source: splunk
technicques:

Description

The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.

Detection logic


| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result="Removable Storage device" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest 
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(earliest)`
| `security_content_ctime(latest)`  
| `detect_usb_device_insertion_filter`

Windows USBSTOR Registry Key Modification

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path

| `drop_dm_object_name(Registry)`

| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&amp;"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)` 

| `windows_usbstor_registry_key_modification_filter`

Windows Process Executed From Removable Media

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory

| `drop_dm_object_name(Processes)` 

| rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)"

| where isnotnull(object_handle)

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`

| join dest,object_handle
  [
| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data,Registry.registry_path
   
| `drop_dm_object_name(Registry)`
   
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&amp;"),2),"PROD_","")
  ]

| `windows_process_executed_from_removable_media_filter`

Windows WPDBusEnum Registry Key Modification

source: splunk
technicques:
- T1200
- T1025
- T1091

Description

This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Detection logic


| tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data 

| `drop_dm_object_name(Registry)`

| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&amp;"),2),"PROD_","")

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`

| `windows_wpdbusenum_registry_key_modification_filter`