Detection rules › Splunk

Windows Process Executed From Removable Media

Author
Steven Dick
Source
upstream

This analytic identifies a removable media device being attached to a machine and a process subsequently being executed from the drive letter assigned to that device. Adversaries and insider threats may use removable media for several malicious activities, including initial access, execution, and exfiltration.

MITRE ATT&CK coverage

Tactic            Techniques
Initial Access    T1091 Replication Through Removable Media, T1200 Hardware Additions
Lateral Movement  T1091 Replication Through Removable Media
Collection        T1025 Data from Removable Media

Event coverage

Provider  Event ID  Title
Sysmon    1         Process creation
Sysmon    13        RegistryEvent (Value Set)

Stages and Predicates

Stage 1: tstats

tstats WHERE NOT Processes.process_current_directory IN ("*\\sysvol\\*", "C:\\*") Processes.process_current_directory="*" BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product, Processes.process_current_directory

Stage 2: search

search

Stage 3: rex

rex field=process_current_directory ...

Stage 4: where

where isnotnull(object_handle)

Stage 5: search

search

Stage 6: search

search

Stage 7: join

join type=inner (...)

Stage 8: search

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage  Field             Kind  Excluded values
1      CurrentDirectory  in    "*\\sysvol\\*", "C:\\*"

Indicators

Each row is a field, an operator, and the values the rule matches. The corpus count after a value shows how many other rules in the catalog look for the same field, operator and value combination: high numbers point to widely used, community-vetted indicators; no count, or a count of 1, means the indicator is specific to this rule.

Field                                Kind  Values
Processes.process_current_directory  eq    "*"
Registry.registry_path               eq    "*USBSTOR*"  (corpus 2, splunk 2)
Registry.registry_path               in    "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*"  (corpus 2, splunk 2)
                                           "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*"  (corpus 2, splunk 2)
Registry.registry_value_data         eq    "*:\\*"
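The stages, exclusions and indicators above describe a two-sided correlation: process creations (Sysmon 1) whose current directory is on a lettered drive other than C: or SYSVOL, joined against registry writes (Sysmon 13) that tie a drive letter to a USB storage device. The following is an added, runnable Python illustration of that logic over constructed sample events; it is not the rule's own SPL and not code from the Splunk project. Because the page's rex and join are truncated, the drive-letter regex, the join key (host plus drive letter) and the sample telemetry are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Predicates copied from the rule as rendered on this page.
CURRENT_DIR_EXCLUSIONS = [r"*\sysvol\*", r"C:\*"]            # Stage 1: NOT ... IN (...)
REMOVABLE_REG_PREFIXES = [                                   # Registry.registry_path in (...)
    r"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\*",
    r"HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\*",
]
REG_PATH_USBSTOR = "*USBSTOR*"                               # Registry.registry_path eq
REG_DATA_DRIVE = r"*:\*"                                     # Registry.registry_value_data eq

# ASSUMPTION: the page's rex is truncated. This regex pulls the drive letter into
# object_handle, the field that Stage 4 tests with isnotnull().
DRIVE_RE = re.compile(r"^(?P<object_handle>[A-Za-z]):\\")


def spl_match(value, pattern):
    """Splunk-style wildcard compare: '*' matches any run of characters, case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())


def extract_drive(path):
    """Upper-cased drive letter of a local path, or None for UNC or empty paths."""
    m = DRIVE_RE.match(path or "")
    return m.group("object_handle").upper() if m else None


def candidate_processes(process_events):
    """Stages 1-4: keep process creations whose current directory is on a lettered
    drive other than C: or SYSVOL, tagged with that drive letter."""
    kept = []
    for ev in process_events:
        cwd = ev.get("process_current_directory")
        if not cwd:                                  # process_current_directory="*" needs a value
            continue
        if any(spl_match(cwd, p) for p in CURRENT_DIR_EXCLUSIONS):
            continue
        drive = extract_drive(cwd)
        if drive is None:                            # where isnotnull(object_handle)
            continue
        kept.append({**ev, "object_handle": drive})
    return kept


def removable_drive_mappings(registry_events):
    """Join side: Sysmon 13 writes that map a drive letter to a USBSTOR device.
    Returns {(host, drive_letter): registry_path}."""
    mapping = {}
    for ev in registry_events:
        path = ev.get("registry_path", "")
        data = ev.get("registry_value_data", "")
        if not spl_match(path, REG_PATH_USBSTOR):
            continue
        if not any(spl_match(path, p) for p in REMOVABLE_REG_PREFIXES):
            continue
        if not spl_match(data, REG_DATA_DRIVE):      # value data must look like "X:\..."
            continue
        drive = extract_drive(data)
        if drive:
            mapping[(ev["dest"], drive)] = path
    return mapping


def detect(process_events, registry_events):
    """Stage 7 inner join. ASSUMPTION: the join key is host (dest) plus drive letter."""
    mappings = removable_drive_mappings(registry_events)
    hits = []
    for ev in candidate_processes(process_events):
        key = (ev["dest"], ev["object_handle"])
        if key in mappings:
            hits.append({"dest": ev["dest"], "user": ev["user"], "process": ev["process"],
                         "drive": ev["object_handle"], "registry_path": mappings[key]})
    return hits


# Constructed sample telemetry (not captured from a real host), normalized to the
# field names the rule uses.
PROCESS_EVENTS = [
    {"dest": "ws01", "user": "ACME\\alice", "process": "E:\\tools\\setup.exe",   # USB stick: alert
     "process_current_directory": "E:\\tools\\"},
    {"dest": "ws01", "user": "ACME\\alice", "process": "cmd.exe",               # C:\ exclusion
     "process_current_directory": "C:\\Users\\alice\\"},
    {"dest": "ws02", "user": "ACME\\bob", "process": "D:\\build\\run.bat",      # fixed disk: no USBSTOR mapping
     "process_current_directory": "D:\\build\\"},
    {"dest": "ws03", "user": "ACME\\carol", "process": "logon.cmd",             # SYSVOL exclusion
     "process_current_directory": "\\\\corp.local\\sysvol\\corp.local\\scripts\\"},
]
REGISTRY_EVENTS = [
    {"dest": "ws01", "registry_value_data": "E:\\",        # drive letter of the USB stick
     "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\"
                      "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_GENERIC&PROD_FLASH#0\\FriendlyName"},
    {"dest": "ws01", "registry_value_data": "FLASH",       # same key family, not a drive letter
     "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\"
                      "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_GENERIC&PROD_FLASH#0\\Label"},
    {"dest": "ws02", "registry_value_data": "D:\\",        # WPDBUSENUM path without USBSTOR
     "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\"
                      "SCSI#DISK&VEN_VBOX&PROD_HARDDISK#1\\FriendlyName"},
]

if __name__ == "__main__":
    for hit in detect(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(hit)
```

Two caveats follow from the predicates themselves: the correlation keys on the drive letter of the process's current directory, so a binary on removable media started with its working directory elsewhere (for example a shortcut whose "Start in" points at C:\) does not match, and a removable volume mounted as a folder under C:\ is suppressed by the C:\* exclusion. The registry side also needs the value data to carry a drive letter; writes of friendly names or labels under the same keys contribute nothing to the join.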