First Time Seen Removable Device

calendar Oct 28, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Initial Access Tactic: Exfiltration Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: Microsoft Defender for Endpoint Data Source: SentinelOne  ·
Share on: linkedin copy

Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/03/16"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 5min_stack_version = "8.14.0"
 6maturity = "production"
 7updated_date = "2024/10/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies newly seen removable devices by device friendly name using registry modification events. While this activity
13is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
14"""
15from = "now-9m"
16index = [
17    "logs-endpoint.events.registry-*",
18    "winlogbeat-*",
19    "logs-windows.sysmon_operational-*",
20    "endgame-*",
21    "logs-m365_defender.event-*",
22    "logs-sentinel_one_cloud_funnel.*",
23]
24language = "kuery"
25license = "Elastic License v2"
26name = "First Time Seen Removable Device"
27references = [
28    "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
29    "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
30]
31risk_score = 21
32rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
33severity = "low"
34tags = [
35    "Domain: Endpoint",
36    "OS: Windows",
37    "Use Case: Threat Detection",
38    "Tactic: Initial Access",
39    "Tactic: Exfiltration",
40    "Data Source: Elastic Endgame",
41    "Data Source: Elastic Defend",
42    "Data Source: Sysmon",
43    "Data Source: Microsoft Defender for Endpoint",
44    "Data Source: SentinelOne",
45]
46timestamp_override = "event.ingested"
47type = "new_terms"
48
49query = '''
50event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1091"
58name = "Replication Through Removable Media"
59reference = "https://attack.mitre.org/techniques/T1091/"
60
61
62[rule.threat.tactic]
63id = "TA0001"
64name = "Initial Access"
65reference = "https://attack.mitre.org/tactics/TA0001/"
66[[rule.threat]]
67framework = "MITRE ATT&CK"
68[[rule.threat.technique]]
69id = "T1052"
70name = "Exfiltration Over Physical Medium"
71reference = "https://attack.mitre.org/techniques/T1052/"
72[[rule.threat.technique.subtechnique]]
73id = "T1052.001"
74name = "Exfiltration over USB"
75reference = "https://attack.mitre.org/techniques/T1052/001/"
76
77
78
79[rule.threat.tactic]
80id = "TA0010"
81name = "Exfiltration"
82reference = "https://attack.mitre.org/tactics/TA0010/"
83
84[rule.new_terms]
85field = "new_terms_fields"
86value = ["registry.path"]
87[[rule.new_terms.history_window_start]]
88field = "history_window_start"
89value = "now-7d"

References

Related rules

to-top