Detection: Windows Process Executed From Removable Media

Description

This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

Search

 1
 2| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory
 3
 4| `drop_dm_object_name(Processes)` 
 5
 6| rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)"
 7
 8| where isnotnull(object_handle)
 9
10| `security_content_ctime(firstTime)` 
11
12| `security_content_ctime(lastTime)`
13
14| join dest,object_handle
15  [
16| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data,Registry.registry_path
17   
18| `drop_dm_object_name(Registry)`
19   
20| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&amp;"),2),"PROD_","")
21  ]
22
23| `windows_process_executed_from_removable_media_filter`

Data Source

Name	Platform	Sourcetype	Source
CrowdStrike ProcessRollup2	N/A	'crowdstrike:events:sensor'	'crowdstrike'
Sysmon EventID 1	Windows	'xmlwineventlog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
Sysmon EventID 12	Windows	'xmlwineventlog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
Sysmon EventID 13	Windows	'xmlwineventlog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. This analytic joins the Process and Registry datamodels together based on the drive letter extract to the "object_handle" field from both datasets.

Known False Positives

Legitimate USB activity will also be detected. Please verify and investigate as appropriate.

Associated Analytic Story

• Data Protection

Risk Based Analytics (RBA)

Risk Message:

The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$

References

• https://attack.mitre.org/techniques/T1200/

• https://www.cisa.gov/news-events/news/using-caution-usb-drives

• https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1