Commit 68d85a2

Update windows_detect_process_executed_from_removable_media.yml
1 parent 84b5c23 commit 68d85a2

1 file changed: +4 -4 lines changed

detections/endpoint/windows_detect_process_executed_from_removable_media.yml

Lines changed: 4 additions & 4 deletions
@@ -1,11 +1,11 @@
1-
name: Windows Detect Process Executed From Removable Media
1+
name: Windows Process Executed From Removable Media
22
id: b483804a-4cc0-49a4-9f00-ac29ba844d08
33
version: 1
44
date: '2025-01-17'
55
author: Steven Dick
66
status: production
77
type: Anomaly
8-
description: This analytic is used to identify when a process is executed with a removable media device as it's current drive or run path. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
8+
description: This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
99
data_source:
1010
- Windows Security Event ID 4688
1111
- Sysmon Event ID 1
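Review bot: the detection is renamed (`name:` is now "Windows Process Executed From Removable Media") and its description rewritten, but `version: 1` and `date: '2025-01-17'` are left untouched; if this analytic has already shipped under the old name, bump the version (and refresh the date) so consumers can tell the renamed, re-described analytic apart from the earlier one. The new description also says a process is executed "from the same drive letter assigned to the removable media device" without stating how close in time the device attach and the process execution must be; a sentence on the correlation window would make the detection's intent clearer to an analyst triaging a hit.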
@@ -24,8 +24,8 @@ search: |-
2424
| `drop_dm_object_name(Registry)`
2525
| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")
2626
]
27-
| `windows_detect_process_executed_from_removable_media_filter`
28-
how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
27+
| `windows_process_executed_from_removable_media_filter`
28+
how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. This analytic joins the Process and Registry datamodels together based on the drive letter extract to the "object_handle" field from both datasets.
2929
known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
3030
references:
3131
- https://attack.mitre.org/techniques/T1200/
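Review bot: the filter macro is renamed to `windows_process_executed_from_removable_media_filter`, so a matching macro definition must be added (or the existing `windows_detect_process_executed_from_removable_media_filter` definition renamed), otherwise the search fails to resolve the macro at run time; this commit only touches the detection file. In the added `how_to_implement` sentence, "based on the drive letter extract to the "object_handle" field" should read "extracted into the object_handle field", and since the visible `eval` only derives `object_handle` from `registry_value_data` on the Registry side, it would help to name the Processes field (process path or current directory) from which the drive letter is taken on the other side of the join.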
