|
| 1 | +name: Windows Process Executed From Removable Media |
| 2 | +id: b483804a-4cc0-49a4-9f00-ac29ba844d08 |
| 3 | +version: 1 |
| 4 | +date: '2025-01-17' |
| 5 | +author: Steven Dick |
| 6 | +status: production |
| 7 | +type: Anomaly |
| 8 | +description: This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration. |
| 9 | +data_source: |
| 10 | +- Windows Security Event ID 4688 |
| 11 | +- Sysmon Event ID 1 |
| 12 | +- Sysmon Event ID 12 |
| 13 | +- Sysmon Event ID 13 |
| 14 | +- CrowdStrike ProcessRollup2 |
| 15 | +search: |- |
| 16 | + | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory |
| 17 | + | `drop_dm_object_name(Processes)` |
| 18 | + | rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)" |
| 19 | + | where isnotnull(object_handle) |
| 20 | + | `security_content_ctime(firstTime)` |
| 21 | + | `security_content_ctime(lastTime)` |
| 22 | + | join dest,object_handle |
| 23 | + [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data,Registry.registry_path |
| 24 | + | `drop_dm_object_name(Registry)` |
| 25 | + | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") |
| 26 | + ] |
| 27 | + | `windows_process_executed_from_removable_media_filter` |
| 28 | +how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. This analytic joins the Process and Registry datamodels together based on the drive letter extract to the "object_handle" field from both datasets. |
| 29 | +known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. |
| 30 | +references: |
| 31 | +- https://attack.mitre.org/techniques/T1200/ |
| 32 | +- https://www.cisa.gov/news-events/news/using-caution-usb-drives |
| 33 | +- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ |
| 34 | +drilldown_searches: |
| 35 | +- name: View the detection results for - "$dest$" and "$user$" |
| 36 | + search: '%original_detection_search% | search dest = "$dest$" and user= "$user$"' |
| 37 | + earliest_offset: $info_min_time$ |
| 38 | + latest_offset: $info_max_time$ |
| 39 | +- name: View risk events for the last 7 days for - "$dest$" and "$user$" |
| 40 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$" , "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 41 | + earliest_offset: $info_min_time$ |
| 42 | + latest_offset: $info_max_time$ |
| 43 | +- name: Investigate USB events on $dest$ |
| 44 | + search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_current_directory=$object_handle$*' |
| 45 | + earliest_offset: $info_min_time$ |
| 46 | + latest_offset: $info_max_time$ |
| 47 | +rba: |
| 48 | + message: The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$ |
| 49 | + risk_objects: |
| 50 | + - field: user |
| 51 | + type: user |
| 52 | + score: 35 |
| 53 | + - field: dest |
| 54 | + type: system |
| 55 | + score: 35 |
| 56 | + threat_objects: |
| 57 | + - field: process_name |
| 58 | + type: process_name |
| 59 | + - field: object_name |
| 60 | + type: registry_value_name |
| 61 | + - field: object_handle |
| 62 | + type: registry_value_text |
| 63 | +tags: |
| 64 | + analytic_story: |
| 65 | + - Data Protection |
| 66 | + asset_type: Endpoint |
| 67 | + mitre_attack_id: |
| 68 | + - T1200 |
| 69 | + - T1025 |
| 70 | + - T1091 |
| 71 | + product: |
| 72 | + - Splunk Enterprise |
| 73 | + - Splunk Enterprise Security |
| 74 | + - Splunk Cloud |
| 75 | + security_domain: endpoint |
| 76 | +tests: |
| 77 | +- name: True Positive Test |
| 78 | + attack_data: |
| 79 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log |
| 80 | + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| 81 | + sourcetype: XmlWinEventLog |
0 commit comments