Techniques
Sample rules
Windows Process Executed From Removable Media
- source: splunk
- techniques:
  - T1200
  - T1025
  - T1091
Description
This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_current_directory=*
AND
NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product Processes.process_current_directory
| `drop_dm_object_name(Processes)`
| rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)"
| where isnotnull(object_handle)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| join dest,object_handle
[
| tstats `security_content_summariesonly` count values(Registry.action) as action values(Registry.process_guid) as process_guid values(Registry.process_id) as process_id values(Registry.registry_hive) as registry_hive values(Registry.registry_key_name) as registry_key_name values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_type) as registry_value_type values(Registry.status) as status values(Registry.user) as user values(Registry.vendor_product) as vendor_product FROM datamodel=Endpoint.Registry
WHERE Registry.registry_value_data="*:\\*"
AND
Registry.registry_path="*USBSTOR*"
AND
Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*")
BY Registry.dest,Registry.registry_value_data, Registry.registry_path
| `drop_dm_object_name(Registry)`
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")
]
| `windows_process_executed_from_removable_media_filter`
Windows USBSTOR Registry Key Modification
- source: splunk
- techniques:
  - T1200
  - T1025
  - T1091
Description
This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry
WHERE Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")
AND
Registry.registry_value_name ="FriendlyName"
BY Registry.action Registry.dest Registry.process_guid
Registry.process_id Registry.registry_hive Registry.registry_path
Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
Registry.registry_value_type Registry.status Registry.user
Registry.vendor_product
| `drop_dm_object_name(Registry)`
| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_usbstor_registry_key_modification_filter`
Windows WPDBusEnum Registry Key Modification
- source: splunk
- techniques:
  - T1200
  - T1025
  - T1091
Description
This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry
WHERE Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*")
AND
Registry.registry_value_name ="FriendlyName"
AND
Registry.registry_path="*USBSTOR*"
BY Registry.action Registry.dest Registry.process_guid
Registry.process_id Registry.registry_hive Registry.registry_path
Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
Registry.registry_value_type Registry.status Registry.user
Registry.vendor_product
| `drop_dm_object_name(Registry)`
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wpdbusenum_registry_key_modification_filter`
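The three rules above share the same parsing steps: a rex that takes the drive letter off a process's current directory, an eval that pulls the device serial out of a USBSTOR key path, an eval that pulls the PROD_ name out of a WPDBUSENUM key path, and a join of process events to registry events on dest plus drive letter. The Python below is an added example (not Splunk's content or any of these rules) that reimplements those steps over constructed sample events; the event dicts, host names, serial and product strings are all made up, and the case-insensitive PROD_ strip is an assumption noted in the code.

```python
import re

# Constructed sample events (not from the page); field names follow the
# Endpoint.Processes and Endpoint.Registry data models the rules query.
PROCESS_EVENTS = [
    {"dest": "ws01", "process_name": "setup.exe", "process_current_directory": "E:\\tools\\"},
    {"dest": "ws01", "process_name": "notepad.exe", "process_current_directory": "C:\\Users\\bob\\"},
    {"dest": "ws02", "process_name": "cmd.exe", "process_current_directory": "\\\\dc01\\sysvol\\scripts\\"},
]
USBSTOR_PATH = ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\"
                "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\"
                "4C530001234567890123&0\\FriendlyName")
WPD_PATH = ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\"
            "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_BLADE"
            "&REV_1.00#4C530001234567890123&0#{53F56307-B6BF-11D0-94F2-"
            "00A0C91EFB8B}\\FriendlyName")
WPD_EVENTS = [{"dest": "ws01", "registry_path": WPD_PATH,
               "registry_value_data": "E:\\"}]  # FriendlyName holds the drive letter

def drive_from_current_directory(path):
    # First rule's WHERE filter plus its rex: keep the leading "X:\" of the
    # process's current directory; drop C:\ and SYSVOL paths as the rule does.
    if path.startswith("C:\\") or "\\sysvol\\" in path.lower():
        return None
    m = re.match(r"^([^\\]+\\)", path)
    return m.group(1) if m else None

def parse_usbstor_path(registry_path):
    # USBSTOR rule's eval: the 7th path element is "<serial>&<instance>";
    # the mvfilter drops single-character parts, leaving the serial.
    parts = registry_path.split("\\")[6].split("&")
    return [p for p in parts if len(p) != 1][0]

def parse_wpd_path(registry_path):
    # WPDBusEnum rule's eval: after "??", the third "&"-field is PROD_<name>.
    # Case-insensitive strip is an assumption; the SPL matches literal "PROD_".
    field = registry_path.split("??")[1].split("&")[2]
    return re.sub(r"^PROD_", "", field, flags=re.IGNORECASE)

def correlate(process_events, wpd_events):
    # Join on (dest, drive letter) as the first rule's subsearch does.
    devices = {(e["dest"], e["registry_value_data"]): parse_wpd_path(e["registry_path"])
               for e in wpd_events}
    hits = []
    for ev in process_events:
        drive = drive_from_current_directory(ev["process_current_directory"])
        if drive and (ev["dest"], drive) in devices:
            hits.append((ev["dest"], ev["process_name"], drive, devices[ev["dest"], drive]))
    return hits
```

Running correlate over the sample data flags only setup.exe on ws01, tied to the CRUZER_BLADE device, while the C:\ and SYSVOL executions fall out at the filter step exactly as they do in the first rule's WHERE clause.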