| ID | Technique | Tactic |
|---|---|---|
| T1200 | Hardware Additions | Initial Access |
| T1025 | Data from Removable Media | Collection |
| T1091 | Replication Through Removable Media | Initial Access |
Detection: Windows USBSTOR Registry Key Modification
Description
This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
Search
1
2| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path
3
4| `drop_dm_object_name(Registry)`
5
6| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)
7
8| `security_content_ctime(firstTime)`
9
10| `security_content_ctime(lastTime)`
11
12| `windows_usbstor_registry_key_modification_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 12 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Sysmon EventID 13 | Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_usbstor_registry_key_modification_filter | search * |
windows_usbstor_registry_key_modification_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Delivery
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
Known False Positives
Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 10 | object_handle, object_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1