External Disk Drive Or USB Storage Device Was Recognized By The System
Detects external disk drives or plugged-in USB devices.
Sigma rule

```yaml
title: External Disk Drive Or USB Storage Device Was Recognized By The System
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
status: test
description: Detects external disk drives or plugged-in USB devices.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
author: Keith Wright
date: 2019-11-20
modified: 2024-02-09
tags:
    - attack.t1091
    - attack.t1200
    - attack.lateral-movement
    - attack.initial-access
logsource:
    product: windows
    service: security
detection:
    selection_eid:
        EventID: 6416
    selection_field:
        - ClassName: 'DiskDrive'
        - DeviceDescription: 'USB Mass Storage Device'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
```
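How the rule's condition evaluates, shown as an added Python example that is not part of the Sigma project or this page's rule source: `selection_field` is a list of maps, so its two entries are alternatives (OR), while `all of selection_*` requires both selections to hold (AND), and plain string values compare case-insensitively. The event dictionaries and helper names (`rule_matches`, `matching_indices`) are constructed for illustration.

```python
# Added illustration of the rule's matching logic; sample events are constructed.
RULE_EVENT_ID = 6416

# A YAML list of maps under one selection means "any of these maps" (OR).
SELECTION_FIELD = [
    {"ClassName": "DiskDrive"},
    {"DeviceDescription": "USB Mass Storage Device"},
]


def _eq(event, field, expected):
    """Case-insensitive exact match, as Sigma applies to unmodified values."""
    value = event.get(field)
    return value is not None and str(value).casefold() == str(expected).casefold()


def _matches_map(event, mapping):
    """All key/value pairs inside a single map must match (AND)."""
    return all(_eq(event, f, v) for f, v in mapping.items())


def rule_matches(event):
    """condition: all of selection_* -> selection_eid AND selection_field."""
    selection_eid = _eq(event, "EventID", RULE_EVENT_ID)
    selection_field = any(_matches_map(event, m) for m in SELECTION_FIELD)
    return selection_eid and selection_field


# Constructed sample events (field names follow the rule; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 6416, "ClassName": "DiskDrive", "DeviceDescription": "Disk drive"},
    {"EventID": 6416, "ClassName": "USB", "DeviceDescription": "USB Mass Storage Device"},
    {"EventID": 6416, "ClassName": "Keyboard", "DeviceDescription": "HID Keyboard Device"},
    # Right class, different event ID: selection_eid fails.
    {"EventID": 1234, "ClassName": "DiskDrive", "DeviceDescription": "Disk drive"},
    # Case differs from the rule text but still matches.
    {"EventID": "6416", "ClassName": "diskdrive", "DeviceDescription": "Disk drive"},
]


def matching_indices(events):
    """Return the positions of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    print(matching_indices(SAMPLE_EVENTS))
```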