Execution from a Removable Media with Network Connection

Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/09/27"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
11possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
12Autorun features when the media is inserted into a system and executes.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Execution from a Removable Media with Network Connection"
19risk_score = 21
20rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
21severity = "low"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Initial Access",
27    "Data Source: Elastic Defend",
28    "Resources: Investigation Guide",
29]
30type = "eql"
31
32query = '''
33sequence by process.entity_id with maxspan=5m
34 [process where host.os.type == "windows" and event.action == "start" and
35
36  /* Direct Exec from USB */
37  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
38  (process.code_signature.trusted == false or process.code_signature.exists == false) and
39
40  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
41 [network where host.os.type == "windows" and event.action == "connection_attempted"]
42'''
43note = """## Triage and analysis
44
45> **Disclaimer**:
46> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
47
48### Investigating Execution from a Removable Media with Network Connection
49
50Removable media, like USB drives, are often used for data transfer but can be exploited by adversaries to introduce malware into isolated systems. Attackers may leverage autorun features to execute malicious code upon insertion. The detection rule identifies suspicious process executions from USB devices, especially those lacking valid code signatures, and correlates them with network connection attempts, signaling potential unauthorized access efforts.
51
52### Possible investigation steps
53
54- Review the process execution details, focusing on the process.entity_id to identify the specific process that was executed from the USB device.
55- Check the process.Ext.device.bus_type and process.Ext.device.product_id fields to confirm the involvement of a USB device and gather information about the specific device used.
56- Investigate the process.code_signature fields to determine if the process lacks a valid code signature, which could indicate malicious intent.
57- Correlate the process execution with network connection attempts by examining the network event logs, particularly looking for any unusual or unauthorized connection attempts.
58- Assess the context of the network connection attempt, including the destination IP address and port, to evaluate the potential risk and intent of the connection.
59- Gather additional context by reviewing recent activity on the host, such as other process executions or file modifications, to identify any further signs of compromise.
60- If necessary, isolate the affected system to prevent further unauthorized access or data exfiltration while continuing the investigation.
61
62### False positive analysis
63
64- Legitimate software installations from USB drives may trigger the rule. To manage this, create exceptions for known software installers by verifying their code signatures and adding them to an allowlist.
65- IT administrators often use USB devices for system updates or maintenance. Identify and exclude these activities by correlating them with known administrator accounts or devices.
66- Some organizations use USB devices for regular data transfers. Establish a baseline of normal USB activity and exclude these patterns from triggering alerts.
67- Devices with expired but previously trusted code signatures might be flagged. Regularly update the list of trusted certificates and exclude processes with known expired signatures that are still considered safe.
68- Network connection attempts by legitimate applications running from USB drives can be mistaken for threats. Monitor and document these applications, then configure exceptions based on their process names and network behavior.
69
70### Response and remediation
71
72- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
73- Disable autorun features on all systems to prevent automatic execution of potentially malicious code from removable media.
74- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware.
75- Review and block any suspicious network connections originating from the affected system to prevent communication with potential command and control servers.
76- Collect and preserve relevant logs and forensic evidence from the affected system and removable media for further analysis and potential legal action.
77- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if other systems may be affected.
78- Implement enhanced monitoring and alerting for similar activities, focusing on process executions from removable media and unauthorized network connection attempts."""
79
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1091"
85name = "Replication Through Removable Media"
86reference = "https://attack.mitre.org/techniques/T1091/"
87
88
89[rule.threat.tactic]
90id = "TA0001"
91name = "Initial Access"
92reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Execution from a Removable Media with Network Connection

Removable media, like USB drives, are often used for data transfer but can be exploited by adversaries to introduce malware into isolated systems. Attackers may leverage autorun features to execute malicious code upon insertion. The detection rule identifies suspicious process executions from USB devices, especially those lacking valid code signatures, and correlates them with network connection attempts, signaling potential unauthorized access efforts.

Possible investigation steps

  • Review the process execution details, focusing on the process.entity_id to identify the specific process that was executed from the USB device.
  • Check the process.Ext.device.bus_type and process.Ext.device.product_id fields to confirm the involvement of a USB device and gather information about the specific device used.
  • Investigate the process.code_signature fields to determine if the process lacks a valid code signature, which could indicate malicious intent.
  • Correlate the process execution with network connection attempts by examining the network event logs, particularly looking for any unusual or unauthorized connection attempts.
  • Assess the context of the network connection attempt, including the destination IP address and port, to evaluate the potential risk and intent of the connection.
  • Gather additional context by reviewing recent activity on the host, such as other process executions or file modifications, to identify any further signs of compromise.
  • If necessary, isolate the affected system to prevent further unauthorized access or data exfiltration while continuing the investigation.

False positive analysis

  • Legitimate software installations from USB drives may trigger the rule. To manage this, create exceptions for known software installers by verifying their code signatures and adding them to an allowlist.
  • IT administrators often use USB devices for system updates or maintenance. Identify and exclude these activities by correlating them with known administrator accounts or devices.
  • Some organizations use USB devices for regular data transfers. Establish a baseline of normal USB activity and exclude these patterns from triggering alerts.
  • Devices with expired but previously trusted code signatures might be flagged. Regularly update the list of trusted certificates and exclude processes with known expired signatures that are still considered safe.
  • Network connection attempts by legitimate applications running from USB drives can be mistaken for threats. Monitor and document these applications, then configure exceptions based on their process names and network behavior.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
  • Disable autorun features on all systems to prevent automatic execution of potentially malicious code from removable media.
  • Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware.
  • Review and block any suspicious network connections originating from the affected system to prevent communication with potential command and control servers.
  • Collect and preserve relevant logs and forensic evidence from the affected system and removable media for further analysis and potential legal action.
  • Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if other systems may be affected.
  • Implement enhanced monitoring and alerting for similar activities, focusing on process executions from removable media and unauthorized network connection attempts.

Related rules

to-top