-
Notifications
You must be signed in to change notification settings - Fork 384
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3283 from nterl0k/nterl0k-t1200-sysmon-usb-use-ex…
…ecution Nterl0k - T1200 - Are you down with USB ?
- Loading branch information
Showing
3 changed files
with
215 additions
and
0 deletions.
There are no files selected for viewing
81 changes: 81 additions & 0 deletions
81
detections/endpoint/windows_process_executed_from_removable_media.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| name: Windows Process Executed From Removable Media | ||
| id: b483804a-4cc0-49a4-9f00-ac29ba844d08 | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Steven Dick | ||
| status: production | ||
| type: Anomaly | ||
| description: This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration. | ||
| data_source: | ||
| - Windows Security Event ID 4688 | ||
| - Sysmon Event ID 1 | ||
| - Sysmon Event ID 12 | ||
| - Sysmon Event ID 13 | ||
| - CrowdStrike ProcessRollup2 | ||
| search: |- | ||
| | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory | ||
| | `drop_dm_object_name(Processes)` | ||
| | rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)" | ||
| | where isnotnull(object_handle) | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | ||
| | join dest,object_handle | ||
| [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data,Registry.registry_path | ||
| | `drop_dm_object_name(Registry)` | ||
| | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") | ||
| ] | ||
| | `windows_process_executed_from_removable_media_filter` | ||
| how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. This analytic joins the Process and Registry datamodels together based on the drive letter extract to the "object_handle" field from both datasets. | ||
| known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1200/ | ||
| - https://www.cisa.gov/news-events/news/using-caution-usb-drives | ||
| - https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$dest$" and "$user$" | ||
| search: '%original_detection_search% | search dest = "$dest$" and user= "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$dest$" and "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$" , "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: Investigate USB events on $dest$ | ||
| search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_current_directory=$object_handle$*' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$ | ||
| risk_objects: | ||
| - field: user | ||
| type: user | ||
| score: 35 | ||
| - field: dest | ||
| type: system | ||
| score: 35 | ||
| threat_objects: | ||
| - field: process_name | ||
| type: process_name | ||
| - field: object_name | ||
| type: registry_value_name | ||
| - field: object_handle | ||
| type: registry_value_text | ||
| tags: | ||
| analytic_story: | ||
| - Data Protection | ||
| asset_type: Endpoint | ||
| mitre_attack_id: | ||
| - T1200 | ||
| - T1025 | ||
| - T1091 | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: XmlWinEventLog |
67 changes: 67 additions & 0 deletions
67
detections/endpoint/windows_usbstor_registry_key_modification.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| name: Windows USBSTOR Registry Key Modification | ||
| id: a345980a-417d-4ed3-9fb4-cac30c9405a0 | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Steven Dick | ||
| status: production | ||
| type: Anomaly | ||
| description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration. | ||
| data_source: | ||
| - Sysmon Event ID 12 | ||
| - Sysmon Event ID 13 | ||
| search: |- | ||
| | tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path | ||
| | `drop_dm_object_name(Registry)` | ||
| | eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0) | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | ||
| | `windows_usbstor_registry_key_modification_filter` | ||
| how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. | ||
| known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1200/ | ||
| - https://www.cisa.gov/news-events/news/using-caution-usb-drives | ||
| - https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$dest$" | ||
| search: '%original_detection_search% | search dest = "$dest$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$dest$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: Investigate USB events on $dest$ | ||
| search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$ | ||
| risk_objects: | ||
| - field: dest | ||
| type: system | ||
| score: 10 | ||
| threat_objects: | ||
| - field: object_name | ||
| type: registry_value_name | ||
| - field: object_handle | ||
| type: registry_value_text | ||
| tags: | ||
| analytic_story: | ||
| - Data Protection | ||
| asset_type: Endpoint | ||
| mitre_attack_id: | ||
| - T1200 | ||
| - T1025 | ||
| - T1091 | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: XmlWinEventLog |
67 changes: 67 additions & 0 deletions
67
detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| name: Windows WPDBusEnum Registry Key Modification | ||
| id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Steven Dick | ||
| status: production | ||
| type: Anomaly | ||
| description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration. | ||
| data_source: | ||
| - Sysmon Event ID 12 | ||
| - Sysmon Event ID 13 | ||
| search: |- | ||
| | tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data | ||
| | `drop_dm_object_name(Registry)` | ||
| | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | ||
| | `windows_wpdbusenum_registry_key_modification_filter` | ||
| how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. | ||
| known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1200/ | ||
| - https://www.cisa.gov/news-events/news/using-caution-usb-drives | ||
| - https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$dest$" | ||
| search: '%original_detection_search% | search dest = "$dest$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$dest$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: Investigate USB events on $dest$ | ||
| search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*")' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$ | ||
| risk_objects: | ||
| - field: dest | ||
| type: system | ||
| score: 10 | ||
| threat_objects: | ||
| - field: object_name | ||
| type: registry_value_name | ||
| - field: object_handle | ||
| type: registry_value_text | ||
| tags: | ||
| analytic_story: | ||
| - Data Protection | ||
| asset_type: Endpoint | ||
| mitre_attack_id: | ||
| - T1200 | ||
| - T1025 | ||
| - T1091 | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: XmlWinEventLog |