Execution from a Removable Media with Network Connection
Identifies process execution from removable media by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
Elastic rule
[metadata]
creation_date = "2023/09/27"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
Autorun features when the media is inserted into a system and executes.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from a Removable Media with Network Connection"
risk_score = 21
rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
type = "eql"

query = '''
sequence by process.entity_id with maxspan=5m
 [process where host.os.type == "windows" and event.action == "start" and

  /* Direct Exec from USB */
  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
  (process.code_signature.trusted == false or process.code_signature.exists == false) and

  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
 [network where host.os.type == "windows" and event.action == "connection_attempted"]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
Related rules
- Potential Remote File Execution via MSIEXEC
- Remote XSL Script Execution via COM
- Suspicious HTML File Creation
- Windows Script Interpreter Executing Process via WMI
- Command Execution via SolarWinds Process