First Time Seen Removable Device
Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/03/16"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
5min_stack_version = "8.14.0"
6maturity = "production"
7updated_date = "2024/10/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies newly seen removable devices by device friendly name using registry modification events. While this activity
13is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
14"""
15from = "now-9m"
16index = [
17 "logs-endpoint.events.registry-*",
18 "winlogbeat-*",
19 "logs-windows.sysmon_operational-*",
20 "endgame-*",
21 "logs-m365_defender.event-*",
22 "logs-sentinel_one_cloud_funnel.*",
23]
24language = "kuery"
25license = "Elastic License v2"
26name = "First Time Seen Removable Device"
27references = [
28 "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
29 "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
30]
31risk_score = 21
32rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
33severity = "low"
34tags = [
35 "Domain: Endpoint",
36 "OS: Windows",
37 "Use Case: Threat Detection",
38 "Tactic: Initial Access",
39 "Tactic: Exfiltration",
40 "Data Source: Elastic Endgame",
41 "Data Source: Elastic Defend",
42 "Data Source: Sysmon",
43 "Data Source: Microsoft Defender for Endpoint",
44 "Data Source: SentinelOne",
45]
46timestamp_override = "event.ingested"
47type = "new_terms"
48
49query = '''
50event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1091"
58name = "Replication Through Removable Media"
59reference = "https://attack.mitre.org/techniques/T1091/"
60
61
62[rule.threat.tactic]
63id = "TA0001"
64name = "Initial Access"
65reference = "https://attack.mitre.org/tactics/TA0001/"
66[[rule.threat]]
67framework = "MITRE ATT&CK"
68[[rule.threat.technique]]
69id = "T1052"
70name = "Exfiltration Over Physical Medium"
71reference = "https://attack.mitre.org/techniques/T1052/"
72[[rule.threat.technique.subtechnique]]
73id = "T1052.001"
74name = "Exfiltration over USB"
75reference = "https://attack.mitre.org/techniques/T1052/001/"
76
77
78
79[rule.threat.tactic]
80id = "TA0010"
81name = "Exfiltration"
82reference = "https://attack.mitre.org/tactics/TA0010/"
83
84[rule.new_terms]
85field = "new_terms_fields"
86value = ["registry.path"]
87[[rule.new_terms.history_window_start]]
88field = "history_window_start"
89value = "now-7d"
References
Related rules
- Rare SMB Connection to the Internet
- Suspicious PDF Reader Child Process
- Command Execution via SolarWinds Process
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files