| ID | Technique | Tactic |
|---|---|---|
| T1025 | Data from Removable Media | Collection |
| T1091 | Replication Through Removable Media | Initial Access |
| T1200 | Hardware Additions | Lateral Movement |
Detection: Windows USBSTOR Registry Key Modification
Description
This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
Search
1
2| tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry
3 WHERE Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")
4 AND
5 Registry.registry_value_name ="FriendlyName"
6 BY Registry.action Registry.dest Registry.process_guid
7 Registry.process_id Registry.registry_hive Registry.registry_path
8 Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
9 Registry.registry_value_type Registry.status Registry.user
10 Registry.vendor_product
11
12| `drop_dm_object_name(Registry)`
13
14| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)
15
16| `security_content_ctime(firstTime)`
17
18| `security_content_ctime(lastTime)`
19
20| `windows_usbstor_registry_key_modification_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 13 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Sysmon EventID 12 | Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| windows_usbstor_registry_key_modification_filter | search * |
windows_usbstor_registry_key_modification_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Delivery
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.
Implementation
To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
Known False Positives
Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$ | dest | system | 20 |
Threat Objects
| Field | Type |
|---|---|
| object_name | registry_value_name |
| object_handle | registry_value_text |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 8