Execution from a Removable Media with Network Connection

Identifies process execution from removable media by an unusual process — one that is unsigned or whose code signature is not trusted — that is followed, within a few minutes, by a network connection attempt from that same process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system, causing the malware to execute.


[metadata]
# Rule bookkeeping. The date values are kept as "YYYY/MM/DD" strings
# (they are not valid TOML dates because of the slashes).
creation_date = "2023/09/27"
# The query relies on process.Ext.device.* and process.code_signature.*
# fields, which come from the Elastic Defend endpoint integration.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
Autorun features when the media is inserted into a system and executes.
"""
# Lookback window for each run. It needs to exceed the sequence's maxspan
# (5m in the query below) so that both events of a sequence can fall inside
# one run. The schedule interval is not set in this file; if it is
# lengthened elsewhere, widen this lookback to match.
from = "now-9m"
# Both indices are required: the first sequence stage reads process events,
# the second reads network events.
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from a Removable Media with Network Connection"
# NOTE(review): scored low, presumably because unsigned portable tools run
# from USB that then go online are a common benign pattern; treat hits as
# triage leads rather than high-confidence alerts.
risk_score = 21
rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Defend",
]
type = "eql"

# Two-stage EQL sequence joined on process.entity_id (the same process),
# with at most 5 minutes between the stages:
#   1. A process start on Windows whose image is on a USB device
#      (bus_type "usb", or a product_id beginning with "USB "), where the
#      binary is either unsigned (code_signature.exists == false) or signed
#      but not trusted. Events whose signature status is "errorExpired" or
#      matches "errorCode_endpoint*" are excluded. The second exclusion also
#      drops cases where the endpoint could not evaluate the signature at
#      all -- a noise trade-off, but also a small blind spot worth knowing.
#   2. Any "connection_attempted" network event from that same process.
# The network stage has no destination filter. That looks deliberate given
# the air-gapped scenario in the description: USB-borne malware on isolated
# networks is expected to reach internal hosts, so RFC1918 destinations
# should not be excluded. If loopback traffic proves noisy, a rule
# exception on destination.ip is the place to tune, not the signature checks.
query = '''
sequence by process.entity_id with maxspan=5m
 [process where host.os.type == "windows" and event.action == "start" and
  
  /* Direct Exec from USB */
  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
  (process.code_signature.trusted == false or process.code_signature.exists == false) and 
  
  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
 [network where host.os.type == "windows" and event.action == "connection_attempted"]
'''


# MITRE ATT&CK mapping. Only the removable-media stage of the query is
# mapped; the follow-on network connection (stage 2) carries no technique
# of its own here.
[[rule.threat]]
framework = "MITRE ATT&CK"
# Sub-tables of this [[rule.threat]] element: they must stay between this
# header and any further [[rule.threat]] entry.
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
