First Time Seen Removable Device
Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/03/16"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
6min_stack_version = "8.4.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies newly seen removable devices by device friendly name using registry modification events. While this activity
13is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "First Time Seen Removable Device"
20risk_score = 21
21rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08"
22severity = "low"
23references = [
24"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html",
25"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"
26]
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
28timestamp_override = "event.ingested"
29type = "new_terms"
30
31query = '''
32event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR*
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1091"
40name = "Replication Through Removable Media"
41reference = "https://attack.mitre.org/techniques/T1091/"
42
43[rule.threat.tactic]
44id = "TA0001"
45name = "Initial Access"
46reference = "https://attack.mitre.org/tactics/TA0001/"
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1052"
53name = "Exfiltration Over Physical Medium"
54reference = "https://attack.mitre.org/techniques/T1052/"
55
56 [[rule.threat.technique.subtechnique]]
57 id = "T1052.001"
58 name = "Exfiltration over USB"
59 reference = "https://attack.mitre.org/techniques/T1052/001/"
60
61
62[rule.threat.tactic]
63id = "TA0010"
64name = "Exfiltration"
65reference = "https://attack.mitre.org/tactics/TA0010/"
66
67
68[rule.new_terms]
69field = "new_terms_fields"
70value = ["registry.path"]
71[[rule.new_terms.history_window_start]]
72field = "history_window_start"
73value = "now-7d"
References
-
USB storage The USBSTOR driver tracks various information about attached USB storage devices in the key. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR The USBSTOR key contains one or mor...
Read More -
Related rules
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Worker Spawning Suspicious Processes
- Rare SMB Connection to the Internet
- ScreenConnect Server Spawning Suspicious Processes
- SolarWinds Process Disabling Services via Registry