Windows WPDBusEnum Registry Key Modification

Author: Steven Dick
Source: upstream

This analytic identifies when a USB removable media device is attached to a Windows host. It queries the Endpoint.Registry data model for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\. Adversaries and insider threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.

MITRE ATT&CK coverage

Tactic           | Techniques
Initial Access   | T1091 Replication Through Removable Media, T1200 Hardware Additions
Lateral Movement | T1091 Replication Through Removable Media
Collection       | T1025 Data from Removable Media

Event coverage

Provider | Event ID | Title
Sysmon   | 12       | RegistryEvent (Object create and delete)
Sysmon   | 13       | RegistryEvent (Value Set)

Stages and Predicates

Stage 1: tstats

tstats WHERE Registry.registry_path="*USBSTOR*" Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*", "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") Registry.registry_value_name="FriendlyName" BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
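The WHERE clause above combines three predicates, and tstats ANDs them: a registry path has to contain USBSTOR, start with one of the two Windows Portable Device keys, and carry the FriendlyName value. The following is an added example, not part of the rule or of Splunk, that re-implements those predicates in Python and runs them over a handful of constructed Endpoint.Registry rows (hostnames, serials and device names are made up; the field names are the ones the rule's BY clause uses). It shows which rows the rule would and would not surface: a WPDBUSENUM key for a non-mass-storage device, and the plain Enum\USBSTOR key, both fall outside the rule.

```python
import re

# Predicates taken from the rule's tstats WHERE clause. SPL string literals write a
# literal backslash as "\\"; Python raw strings need only one backslash.
PATH_CONTAINS = r"*USBSTOR*"
PATH_IN = (
    r"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\*",
    r"HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\*",
)
VALUE_NAME = "FriendlyName"


def spl_wildcard(pattern: str) -> "re.Pattern[str]":
    """Compile a Splunk-style wildcard: '*' matches anything, the comparison is
    case-insensitive and must cover the whole string."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


_CONTAINS = spl_wildcard(PATH_CONTAINS)
_IN = [spl_wildcard(p) for p in PATH_IN]


def matches(event: dict) -> bool:
    """True when one Endpoint.Registry row satisfies every predicate.

    tstats ANDs the conditions in WHERE, so a WPDBUSENUM key must also contain
    USBSTOR. A WPD device that is not a USB mass-storage device (an MTP phone,
    for example) therefore does not match, and neither does the plain USBSTOR
    enumeration key, because it is not in the IN list.
    """
    path = event.get("registry_path", "")
    value_name = event.get("registry_value_name", "")
    return (
        _CONTAINS.match(path) is not None
        and any(p.match(path) for p in _IN)
        and value_name.lower() == VALUE_NAME.lower()
    )


def detect(events: list) -> dict:
    """Collapse hits the way the BY clause would, keyed by host and value data."""
    counts: dict = {}
    for e in events:
        if matches(e):
            key = (e["dest"], e["registry_value_data"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed Sysmon Event ID 13 rows in Endpoint.Registry shape (hypothetical
# hosts and devices; the interface-class GUIDs are the standard disk and WPD ones).
EVENTS = [
    {   # 1: mass-storage stick recorded under WPDBUSENUM -> hit
        "dest": "ws-01.example.test", "action": "modified",
        "registry_path": (r"HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Example"
                          r"&Prod_Flash&Rev_1.00#SERIAL0001&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\FriendlyName"),
        "registry_value_name": "FriendlyName", "registry_value_data": "Example Flash USB Device",
    },
    {   # 2: same kind of device recorded under Windows Portable Devices\Devices -> hit
        "dest": "ws-02.example.test", "action": "modified",
        "registry_path": (r"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\SWD#WPDBUSENUM#_??_USBSTOR"
                          r"#DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00#SERIAL0002&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\FriendlyName"),
        "registry_value_name": "FriendlyName", "registry_value_data": "E:\\",
    },
    {   # 3: MTP phone under WPDBUSENUM, no USBSTOR in the path -> no hit (implicit AND)
        "dest": "ws-03.example.test", "action": "modified",
        "registry_path": (r"HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\_??_USB#VID_0000&PID_0000"
                          r"#SERIAL0003#{6ac27878-a6fa-4155-ba85-f98f491d4f33}\FriendlyName"),
        "registry_value_name": "FriendlyName", "registry_value_data": "Example Phone",
    },
    {   # 4: right key, different value name -> no hit
        "dest": "ws-01.example.test", "action": "modified",
        "registry_path": (r"HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Example"
                          r"&Prod_Flash&Rev_1.00#SERIAL0001&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Capabilities"),
        "registry_value_name": "Capabilities", "registry_value_data": "0x00000010",
    },
    {   # 5: plain USBSTOR enumeration key: contains USBSTOR but is not in the IN list -> no hit
        "dest": "ws-01.example.test", "action": "modified",
        "registry_path": r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\SERIAL0001&0\FriendlyName",
        "registry_value_name": "FriendlyName", "registry_value_data": "Example Flash USB Device",
    },
]


if __name__ == "__main__":
    for (host, data), n in detect(EVENTS).items():
        print(f"{host}\t{data}\t{n}")
```

Rows 3 and 5 are the ones worth noting when tuning: if a deployment wants to see non-mass-storage WPD devices or the bare USBSTOR key, the IN list and the *USBSTOR* predicate have to be widened together, since either one alone keeps the row out.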

Stage 2: search

search

Stage 3: eval

eval ... using (registry_path, registry_value_data)

Stage 4: search

search

Stage 5: search

search

Stage 6: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means the indicator is specific to this rule.

Field                        | Kind | Values
Registry.registry_path       | eq   | "*USBSTOR*" corpus 2 (splunk 2)
Registry.registry_path       | in   | "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*" corpus 2 (splunk 2)
                             |      | "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*" corpus 2 (splunk 2)
Registry.registry_value_name | eq   | "FriendlyName" corpus 2 (splunk 2)