New USB Storage Device Mounted

Identifies newly seen removable devices by device.serial_number and host.id using the Elastic Defend device mount events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.

Elastic rule

```toml
[metadata]
creation_date = "2025/11/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Device mount events were added as part of the Elastic Defend Device Control feature."
min_stack_version = "9.2.0"
updated_date = "2025/11/11"

[rule]
author = ["Elastic"]
description = """
Identifies newly seen removable devices by device.serial_number and host.id using the Elastic Defend device mount events. While this activity
is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
"""
from = "now-9m"
index = ["logs-endpoint.events.device-*"]
language = "kuery"
license = "Elastic License v2"
name = "New USB Storage Device Mounted"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating New USB Storage Device Mounted

Removable devices, like USB drives, are common in Windows and macOS environments for data transfer. Adversaries exploit these to introduce malware or exfiltrate data, leveraging their plug-and-play nature. The detection rule watches Elastic Defend device mount events for a device.serial_number that has not previously been seen on a given host.id, signaling potential unauthorized access. By focusing on first-time-seen devices, it helps identify suspicious activities linked to data exfiltration or initial access attempts.

This detection uses Elastic Defend device control events. Device control helps protect your Windows and Mac endpoints from data loss, malware, and unauthorized access by managing which devices can connect to your computers. Specifically, it restricts which external USB storage devices can connect to hosts that have Elastic Defend installed.

### Possible investigation steps

- Review the device mount event details to confirm the presence of a new device by checking the device.serial_number.
- Check for any subsequent file access or transfer events involving the new device to assess potential data exfiltration.
- Investigate the device's history by pivoting on device.serial_number across other hosts in the network to determine whether it has been used elsewhere.
- Analyze any related alerts or logs for additional context or suspicious activities linked to the device.

### False positive analysis

- Frequent use of company-issued USB drives for legitimate data transfer can trigger alerts. Maintain a list of approved devices and create exceptions for these in the monitoring system.
- Software updates or installations via USB drives may be flagged. Identify and whitelist known update devices or processes to prevent unnecessary alerts.
- IT department activities involving USB devices for maintenance or troubleshooting can appear suspicious. Coordinate with IT to log and exclude these routine operations from triggering alerts.
- Devices used for regular backups might be detected as new. Ensure backup devices are registered and excluded from the rule to avoid false positives.
- Personal USB devices used by employees for non-work-related purposes can cause alerts. Implement a policy for registering personal devices and exclude them if deemed non-threatening.

### Response and remediation

- Immediately isolate the affected host from the network to prevent potential data exfiltration or further spread of malware.
- Block the device by serial number using the relevant Elastic Defend Device Control policy.
- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to identify and remove any malicious software introduced via the removable device.
- If malicious activity is confirmed, collect and preserve relevant logs and evidence for further forensic analysis and potential legal action.
- Notify the security team and relevant stakeholders about the incident, providing details of the device and any identified threats.
- Implement a temporary block on the use of removable devices across the network until the threat is fully contained and remediated.
- Enhance monitoring and detection capabilities by updating security tools and rules to better identify similar threats in the future, focusing on device mount and connection events."""
references = [
    "https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices",
    "https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend#device-control",
]
risk_score = 21
rule_id = "483832a8-ffdd-4e11-8e96-e0224f7bda9b"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Use Case: Device Control",
    "Tactic: Initial Access",
    "Tactic: Exfiltration",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
host.os.type:(macos or windows) and event.type:device and event.action:mount and event.outcome:success and volume.removable:true
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1052"
name = "Exfiltration Over Physical Medium"
reference = "https://attack.mitre.org/techniques/T1052/"
[[rule.threat.technique.subtechnique]]
id = "T1052.001"
name = "Exfiltration over USB"
reference = "https://attack.mitre.org/techniques/T1052/001/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[rule.new_terms]
field = "new_terms_fields"
value = ["device.serial_number", "host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
```
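To make the new_terms logic concrete, the following Python script is an added illustration (not Elastic's code and not part of the rule) that replays the query's predicate and the 7-day history window over constructed device mount events, and applies the approved-serial exception recommended in the false positive analysis. The field names are the ECS/Elastic Defend fields from the query; the event values, host ids and serial numbers are invented sample data.

```python
from datetime import datetime, timedelta, timezone

def ev(stamp, os_type, host_id, serial, outcome="success", removable=True):
    """Build a constructed Elastic Defend device event carrying the fields the query uses."""
    return {"@timestamp": stamp, "host.os.type": os_type, "host.id": host_id,
            "device.serial_number": serial, "event.type": "device", "event.action": "mount",
            "event.outcome": outcome, "volume.removable": removable}

# Constructed sample telemetry, not real data. NOW stands in for the rule's run time.
NOW = datetime(2025, 11, 10, 10, 9, tzinfo=timezone.utc)
EVENTS = [
    ev("2025-10-20T08:00:00Z", "windows", "host-a", "SN-OLD"),      # older than the 7d history window
    ev("2025-11-09T08:00:00Z", "windows", "host-a", "SN-A"),        # inside the history window
    ev("2025-11-10T10:01:00Z", "windows", "host-a", "SN-A"),        # known (serial, host) pair: no alert
    ev("2025-11-10T10:02:00Z", "windows", "host-b", "SN-A"),        # same serial, new host: alert
    ev("2025-11-10T10:03:00Z", "macos", "host-b", "SN-B"),          # never seen: alert
    ev("2025-11-10T10:04:00Z", "linux", "host-c", "SN-C"),          # OS not in scope of the query
    ev("2025-11-10T10:05:00Z", "windows", "host-a", "SN-D", outcome="failure"),  # mount failed
    ev("2025-11-10T10:06:00Z", "windows", "host-a", "SN-CORP-1"),   # approved serial: exception
    ev("2025-11-10T10:07:00Z", "windows", "host-a", "SN-OLD"),      # last seen >7d ago: alerts again
]
APPROVED_SERIALS = frozenset({"SN-CORP-1"})  # company-issued drives, per the false positive guidance

def matches_query(e):
    """The KQL predicate from the rule's query, evaluated on one event."""
    return (e["host.os.type"] in ("macos", "windows") and e["event.type"] == "device"
            and e["event.action"] == "mount" and e["event.outcome"] == "success"
            and e["volume.removable"] is True)

def ts(e):
    return datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))

def new_usb_devices(events, now, history=timedelta(days=7), lookback=timedelta(minutes=9),
                    approved=frozenset()):
    """Return (device.serial_number, host.id) pairs that first appear in the lookback window.
    Mirrors the new_terms rule: the pair must be absent from the preceding history window."""
    matched = sorted(filter(matches_query, events), key=ts)
    seen = {(e["device.serial_number"], e["host.id"]) for e in matched
            if now - history <= ts(e) < now - lookback}
    alerts = []
    for e in matched:
        pair = (e["device.serial_number"], e["host.id"])
        if not (now - lookback <= ts(e) <= now) or pair in seen or pair[0] in approved:
            continue
        seen.add(pair)  # alert once per new pair within the window
        alerts.append(pair)
    return alerts
```

Note that the composite key means a drive already known on one host still alerts the first time it is mounted on another, and a device last seen before the history window alerts again, which is why approved serials belong in a rule exception rather than only in the history.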
