Windows USBSTOR Registry Key Modification
This analytic identifies when a USB removable media device is attached to a Windows host. The search queries the Endpoint Registry data model for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and insider threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1091 Replication Through Removable Media, T1200 Hardware Additions |
| Lateral Movement | T1091 Replication Through Removable Media |
| Collection | T1025 Data from Removable Media |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 12 | RegistryEvent (Object create and delete) |
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
```spl
| tstats count from datamodel=Endpoint.Registry WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*" Registry.registry_value_name="FriendlyName" BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
```
Stage 2: search
search
Stage 3: eval
eval ... using (registry_path, registry_value_data)
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
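As an added illustration, not part of this catalog page or of the Splunk rule itself, the Stage 1 predicate (USBSTOR path wildcard plus the FriendlyName value name) replayed in Python over constructed Sysmon Event ID 13 rows, followed by an assumed Stage 3 style enrichment that splits vendor, product and serial out of the USBSTOR device instance path. The sample rows and the assumed path layout are constructed for the example.

```python
import re

# Constructed stand-ins for Endpoint.Registry rows (Sysmon Event ID 13 mapped
# to CIM field names). Not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "action": "modified",
     "registry_path": r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0\FriendlyName",
     "registry_value_name": "FriendlyName",
     "registry_value_data": "SanDisk Cruzer Blade USB Device"},
    {"dest": "ws01", "user": "CORP\\alice", "action": "modified",  # same key, other value: no hit
     "registry_path": r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0\ContainerID",
     "registry_value_name": "ContainerID",
     "registry_value_data": "{constructed-guid}"},
    {"dest": "ws02", "user": "CORP\\bob", "action": "modified",  # Enum\USB, not USBSTOR: no hit
     "registry_path": r"HKLM\System\CurrentControlSet\Enum\USB\VID_0781&PID_5567\4C530001234567890123\FriendlyName",
     "registry_value_name": "FriendlyName",
     "registry_value_data": "USB Mass Storage Device"},
]

USBSTOR_PREFIX = "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\"

# Assumed layout of a USBSTOR device instance path under the prefix:
#   <devtype>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<serial>&<instance>\<value>
DEVICE_RE = re.compile(
    r"^(?P<devtype>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<revision>[^\\]*)\\(?P<serial>[^\\&]+)(?:&\d+)?\\")


def matches_rule(ev):
    """Stage 1 predicate; case-insensitive like Splunk's default string matching."""
    path = ev.get("registry_path", "")
    return (path.lower().startswith(USBSTOR_PREFIX.lower())
            and ev.get("registry_value_name", "").lower() == "friendlyname")


def parse_device(registry_path):
    """Assumed enrichment: vendor/product/revision/serial from the path, {} if unparseable."""
    m = DEVICE_RE.match(registry_path[len(USBSTOR_PREFIX):])
    return m.groupdict() if m else {}


def detect(events):
    """Return one enriched hit per row that satisfies the rule's predicate."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        hit = {k: ev[k] for k in ("dest", "user", "action", "registry_value_data")}
        hit.update(parse_device(ev["registry_path"]))
        hits.append(hit)
    return hits
```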
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Registry.registry_path | in | `HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*` |
| Registry.registry_value_name | eq | `FriendlyName` |