Name:Windows Process Executed From Removable Media id:b483804a-4cc0-49a4-9f00-ac29ba844d08 version:3 date:2025-03-27 author:Steven Dick status:production type:Anomaly Description:This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration. Data_source:
-Sysmon EventID 1 AND Sysmon EventID 12
-Sysmon EventID 1 AND Sysmon EventID 13
search:| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product Processes.process_current_directory | `drop_dm_object_name(Processes)` | rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)" | where isnotnull(object_handle) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join dest,object_handle [| tstats `security_content_summariesonly` count values(Registry.action) as action values(Registry.process_guid) as process_guid values(Registry.process_id) as process_id values(Registry.registry_hive) as registry_hive values(Registry.registry_key_name) as registry_key_name values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_type) as registry_value_type values(Registry.status) as status values(Registry.user) as user values(Registry.vendor_product) as vendor_product from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data, Registry.registry_path
how_to_implement:To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. This analytic joins the Process and Registry datamodels together based on the drive letter extract to the "object_handle" field from both datasets. known_false_positives:Legitimate USB activity will also be detected. Please verify and investigate as appropriate. References: -https://attack.mitre.org/techniques/T1200/ -https://www.cisa.gov/news-events/news/using-caution-usb-drives -https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" and user= "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$" , "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'Investigate USB events on $dest$' search:'| from datamodel:Endpoint.Processes | search dest=$dest$ process_current_directory=$object_handle$*' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Data Protection' asset_type:Endpoint mitre_attack_id: - 'T1200' - 'T1025' - 'T1091' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
