USB Device Plugged

Severity: low
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects plugged/unplugged USB devices

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1200` Hardware Additions

Event coverage

Provider	Event ID	Title
DriverFrameworks-UserMode	2003	The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.
DriverFrameworks-UserMode	2100	Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.
DriverFrameworks-UserMode	2102	Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with sta...

Stages and Predicates

Stage 1: `selection`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Windows Firewall Settings Have Been Changed [sigma]