Commit a51cebb

Update windows_detect_usbstor_registry_key_modification.yml
update search yaml for better readability / remove single quote in SPL issues
1 parent 42107ee commit a51cebb

File tree

1 file changed: +7 -6 lines changed


detections/endpoint/windows_detect_usbstor_registry_key_modification.yml

Lines changed: 7 additions & 6 deletions
Original file line number / Diff line number / Diff line change
@@ -9,12 +9,13 @@ description: This analytic is used to identify when a USB removable media device
99
data_source:
1010
- Sysmon Event ID 12
1111
- Sysmon Event ID 13
12-
search: '| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path
13-
| `drop_dm_object_name(Registry)`
14-
| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)
15-
| `security_content_ctime(firstTime)`
16-
| `security_content_ctime(lastTime)`
17-
| `windows_detect_usbstor_registry_key_modification_filter`'
12+
search: |-
13+
| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path
14+
| `drop_dm_object_name(Registry)`
15+
| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)
16+
| `security_content_ctime(firstTime)`
17+
| `security_content_ctime(lastTime)`
18+
| `windows_detect_usbstor_registry_key_modification_filter`
1819
how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
1920
known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
2021
references:
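Review bot: data_source (lines 10-11 of the file) still lists Sysmon Event ID 12 alongside Event ID 13, but the search's where clause requires `Registry.registry_value_name ="FriendlyName"`, which only a value-set event (Event ID 13) produces; Event ID 12 is a key create/delete event whose TargetObject is a key path rather than a value, so it should never satisfy that filter. Either drop Event ID 12 from data_source or note that it is listed only because it feeds the same Endpoint.Registry data model. The quoting change itself is behaviour-preserving: in both the old single-quoted scalar and the new `|-` block scalar the `\\` sequences in `"HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*"` and `split(registry_path, "\\")` reach Splunk unchanged, and the block scalar removes the `''` escaping that single quotes in SPL would otherwise need. While here, `values(Registry.registry_value_name) as registry_value_name` is constant under that filter and could be dropped from the tstats aggregation.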