Execution from a Removable Media with Network Connection

Identifies a process started from removable media (USB-attached device) that is unsigned or carries an untrusted code signature, and that then attempts a network connection. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and relying on Autorun features so that the malware executes when the media is inserted into a system.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule (TOML). Pairs a process start from
# USB-attached media with a later network connection attempt by that same
# process; the exact conditions are in `query` below.
[metadata]
creation_date = "2023/09/27"
# The process.Ext.device.* and process.code_signature.* fields used in the
# query are read from the logs-endpoint.* streams of the Elastic Defend
# ("endpoint") integration.
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
Autorun features when the media is inserted into a system and executes.
"""
# Lookback per rule execution. It is larger than the sequence's 5m
# `maxspan`, presumably so both stages of one sequence can land inside a
# single query window -- confirm against the scheduler's interval.
from = "now-9m"
# Both streams are required: the first sequence stage reads process
# events, the second reads network events.
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from a Removable Media with Network Connection"
# Low severity: the first stage matches any unsigned/untrusted binary run
# from USB, which presumably includes legitimate portable tools -- check
# local false-positive rates before raising it.
risk_score = 21
rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
type = "eql"

# Sequence joined on process.entity_id, both stages within 5 minutes:
#   1. Windows process start where process.Ext.device.bus_type is "usb" or
#      process.Ext.device.product_id matches the pattern "USB *" (going by
#      the field names, the device the executable runs from -- confirm),
#      AND the code signature is untrusted or absent. Signature status
#      values errorExpired / errorCode_endpoint* are excluded, presumably
#      to avoid alerting on expired-but-legitimate signatures and on
#      endpoint-side verification errors -- verify with the rule owner.
#   2. Any connection_attempted network event from that same entity. No
#      destination filter is applied, so loopback/private-address
#      connections also complete the sequence; add a destination.ip
#      exclusion locally if that proves too noisy.
# Only the process-start stage is gated on the USB and signature checks;
# the network stage carries no further conditions.
query = '''
sequence by process.entity_id with maxspan=5m
 [process where host.os.type == "windows" and event.action == "start" and
  
  /* Direct Exec from USB */
  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
  (process.code_signature.trusted == false or process.code_signature.exists == false) and 
  
  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
 [network where host.os.type == "windows" and event.action == "connection_attempted"]
'''

# ATT&CK mapping: technique T1091 (Replication Through Removable Media)
# under tactic TA0001 (Initial Access).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
