First Time Seen Removable Device
Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
Elastic rule
[metadata]
creation_date = "2023/03/16"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies newly seen removable devices by device friendly name using registry modification events. While this activity
is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "kuery"
license = "Elastic License v2"
name = "First Time Seen Removable Device"
references = [
    "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
    "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings",
]
risk_score = 21
rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Exfiltration",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating First Time Seen Removable Device

Removable devices, like USB drives, are common in Windows environments for data transfer. Adversaries exploit these to introduce malware or exfiltrate data, leveraging their plug-and-play nature. The detection rule monitors registry changes for new device names, signaling potential unauthorized access. By focusing on first-time-seen devices, it helps identify suspicious activities linked to data exfiltration or initial access attempts.

### Possible investigation steps

- Review the registry event details to confirm the presence of a new device by checking the registry.value for "FriendlyName" and registry.path for USBSTOR.
- Correlate the timestamp of the registry event with user activity logs to identify which user was logged in at the time of the device connection.
- Check for any subsequent file access or transfer events involving the new device to assess potential data exfiltration.
- Investigate the device's history by searching for any previous connections to other systems within the network to determine if it has been used elsewhere.
- Analyze any related alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint for additional context or suspicious activities linked to the device.

### False positive analysis

- Frequent use of company-issued USB drives for legitimate data transfer can trigger alerts. Maintain a list of approved devices and create exceptions for these in the monitoring system.
- Software updates or installations via USB drives may be flagged. Identify and whitelist known update devices or processes to prevent unnecessary alerts.
- IT department activities involving USB devices for maintenance or troubleshooting can appear suspicious. Coordinate with IT to log and exclude these routine operations from triggering alerts.
- Devices used for regular backups might be detected as new. Ensure backup devices are registered and excluded from the rule to avoid false positives.
- Personal USB devices used by employees for non-work-related purposes can cause alerts. Implement a policy for registering personal devices and exclude them if deemed non-threatening.

### Response and remediation

- Immediately isolate the affected host from the network to prevent potential data exfiltration or further spread of malware.
- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to identify and remove any malicious software introduced via the removable device.
- Review and analyze the registry changes logged by the detection rule to confirm the legitimacy of the device and assess any unauthorized access attempts.
- If malicious activity is confirmed, collect and preserve relevant logs and evidence for further forensic analysis and potential legal action.
- Notify the security team and relevant stakeholders about the incident, providing details of the device and any identified threats.
- Implement a temporary block on the use of removable devices across the network until the threat is fully contained and remediated.
- Enhance monitoring and detection capabilities by updating security tools and rules to better identify similar threats in the future, focusing on registry changes and device connections."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1052"
name = "Exfiltration Over Physical Medium"
reference = "https://attack.mitre.org/techniques/T1052/"
[[rule.threat.technique.subtechnique]]
id = "T1052.001"
name = "Exfiltration over USB"
reference = "https://attack.mitre.org/techniques/T1052/001/"



[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[rule.new_terms]
field = "new_terms_fields"
value = ["registry.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
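To see how the KQL filter and the new_terms settings (registry.path as the term, now-7d as the history window) interact, the following added Python example (not Elastic's code) replays them over a handful of constructed registry events and splits each USBSTOR path into vendor, product, revision and instance id for triage; the ECS-style field names, sample paths, serials and host names are assumptions.

```python
# Added example (not Elastic's code): replays the rule's KQL filter and its
# new_terms settings (field registry.path, 7-day history window) over
# constructed registry events, and parses USBSTOR paths into triage fields.
import re
from datetime import datetime, timedelta
HISTORY_WINDOW = timedelta(days=7)  # rule.new_terms history_window_start = now-7d
# USBSTOR key layout: ...\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>\FriendlyName
USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_([^&\\]*)&Prod_([^&\\]*)&Rev_([^\\]*)\\([^\\]*)\\FriendlyName$", re.I)

def matches_query(ev):
    """The rule's KQL: a Windows registry event on a FriendlyName value under USBSTOR."""
    return (ev.get("event.category") == "registry" and ev.get("host.os.type") == "windows"
            and ev.get("registry.value") == "FriendlyName"
            and "USBSTOR" in ev.get("registry.path", "").upper())
def parse_usbstor(path):
    """Split a USBSTOR FriendlyName path into vendor/product/revision/instance id for triage."""
    m = USBSTOR_RE.search(path)
    return dict(zip(("vendor", "product", "revision", "instance_id"), m.groups())) if m else None
def first_seen_devices(events):
    """Emulate new_terms on registry.path: alert when the path was not seen in the prior 7 days.
    The rule keys on registry.path alone, so the same stick on a second host inside the window
    stays quiet; add host.name to new_terms_fields if per-host alerts are wanted."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        ts, path = datetime.fromisoformat(ev["@timestamp"]), ev["registry.path"]
        prev = last_seen.get(path)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append({"host": ev["host.name"], "timestamp": ev["@timestamp"],
                           "friendly_name": ev["registry.data.strings"][0],
                           **(parse_usbstor(path) or {})})
        last_seen[path] = ts
    return alerts
def ev(ts, host, path, name):  # one constructed registry event with ECS-style field names
    return {"@timestamp": ts, "host.name": host, "host.os.type": "windows",
            "event.category": "registry", "registry.value": "FriendlyName",
            "registry.path": path, "registry.data.strings": [name]}
ENUM = r"HKLM\SYSTEM\ControlSet001\Enum"
SANDISK = ENUM + r"\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C53000123&0\FriendlyName"
KINGSTON = ENUM + r"\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E0000001&0\FriendlyName"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ev("2025-01-10T09:00:00", "WS01", SANDISK, "SanDisk Cruzer USB Device"),         # alert
    ev("2025-01-12T14:30:00", "WS01", SANDISK, "SanDisk Cruzer USB Device"),         # seen 2d ago: quiet
    ev("2025-01-15T08:00:00", "WS02", KINGSTON, "Kingston DataTraveler USB Device"),  # alert
    ev("2025-01-15T08:01:00", "WS02", ENUM + r"\USB\VID_0951&PID_1666\0019E0000001\FriendlyName",
       "USB Mass Storage Device"),  # USB device node, not USBSTOR: dropped by the KQL filter
    ev("2025-01-20T10:00:00", "WS03", SANDISK, "SanDisk Cruzer USB Device"),         # 8d gap: alert again
]
```

Running `first_seen_devices(SAMPLE_EVENTS)` yields three alerts (WS01, WS02, WS03); the reconnect on WS01 two days later is suppressed by the window, and the SanDisk stick alerts again on WS03 because its last sighting is outside the seven days.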