Forum Discussion
GI472
Jul 03, 2023, Brass Contributor
USB events
Hi all,
Random question...
As part of a security training exercise, I want to use a third-party tool to create USB drives with trackable files to test whether users take them to IT to be scanned as per policy, or whether curiosity gets the better of them and they plug them into their laptops.
The files on the USB are trackable when opened at work, but when I tested them it wasn't able to tell me what account etc., nor could it tell me much if the file was opened away from the office.
I know that Windows 10 logs USB events, but does anyone know or have the ability to create a KQL query in Microsoft 365 Defender to search for specific events involving specific USBs to identify which user did it?
And what identifiers I would need from the USB drive etc.?
Or whether I would be better to create a file search/alert policy to scan for the particular unique filename(s) using KQL, or in MCAS instead?
Hello, unfortunately I searched for this and found only a few things about USB mounting that you can see in the Defender reports.
I wrote a KQL query, but here at the company USB is blocked, so it doesn't work for me.
The KQL takes the AdditionalFields column and filters on everything that is on removable media.
DeviceEvents
| extend details = todynamic(AdditionalFields)   // AdditionalFields is a JSON string
| where tobool(details.IsOnRemovableMedia) == true   // keep only events on removable media
If you liked it, mark the answer with a like.
If you thought this answer helped in any way, please mark it as best answer.
Follow me: https://www.linkedin.com/in/raphael-custodio-soares/
- raphaelcustodiosoares, Iron Contributor
- GI472, Brass Contributor
So I found another resource:
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/Files%20copied%20to%20USB%20drives.md
and by changing a few things, I now have this:
DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project
    MountTime = Timestamp,
    DeviceName,
    SerialNumber = ParsedFields.SerialNumber,
    InitiatingProcessAccountName,
    LoggedOnUsers = ParsedFields.LoggedOnUsers,
    DriveLetter = ParsedFields.DriveLetter,
    ProductName = ParsedFields.ProductName,
    Manufacturer = ParsedFields.Manufacturer,
    Volume = ParsedFields.Volume,
    ReportId,
    AdditionalFields
| where MountTime >= ago(24h)
| order by MountTime desc
This will search on any USB mounts in the last 24hrs and project certain fields from the AdditionalFields column.
To make it specific for my uses, I have added some properties of the specific USB device I am searching on, e.g.:
DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project
    MountTime = Timestamp,
    DeviceName,
    SerialNumber = ParsedFields.SerialNumber,
    InitiatingProcessAccountName,
    LoggedOnUsers = ParsedFields.LoggedOnUsers,
    DriveLetter = ParsedFields.DriveLetter,
    ProductName = ParsedFields.ProductName,
    Manufacturer = ParsedFields.Manufacturer,
    Volume = ParsedFields.Volume,
    ReportId,
    AdditionalFields
| where MountTime >= ago(24h)
| where
    (
        SerialNumber contains "ENTER YOUR DETAILS HERE"
        or Volume contains "ENTER YOUR DETAILS HERE"
        or SerialNumber contains "ENTER YOUR DETAILS HERE"
        or Volume contains "ENTER YOUR DETAILS HERE"
    )
| order by MountTime desc
To get those details, I had to plug in a load of test USBs and run the first query and pull out the serial numbers and volume details. Annoyingly, not all of the USBs I tried had a serial number returned, so there was quite a lot of trial and error.
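The following query is an added example and is not from any post in this thread. It takes the mount query above one step further for the two gaps the thread raises: sticks that report no serial number, and the "which user opened it" question. It matches the planted drive by serial when one is present and falls back to the volume label only when the serial is empty, then joins the mount to DeviceProcessEvents on the same device to find the process that was launched with the tracked file on its command line (for example Excel opening a spreadsheet from the stick). The file name "Q3_Bonus_Schedule.xlsx", the "ENTER-..." serial and volume placeholders, the 4-hour window and the assumption that DriveLetter is recorded in the form "E:" are all mine, not values from the thread.

```kql
// Added example, not code from the thread. Replace the placeholders with the
// SerialNumber / Volume values you collected by running the mount query above.
let lookback      = 7d;
let TargetSerials = dynamic(["ENTER-SERIAL-1", "ENTER-SERIAL-2"]);  // placeholders
let TargetVolume  = "ENTER-VOLUME-LABEL";                           // placeholder, used only when no serial
let TrackedFile   = "Q3_Bonus_Schedule.xlsx";                       // hypothetical name of the planted file
let Mounts = DeviceEvents
    | where Timestamp >= ago(lookback)
    | where ActionType == "UsbDriveMounted"
    | extend Parsed = parse_json(AdditionalFields)
    | extend
        SerialNumber  = tostring(Parsed.SerialNumber),
        Volume        = tostring(Parsed.Volume),
        DriveLetter   = tostring(Parsed.DriveLetter),   // assumed to be recorded like "E:"
        ProductName   = tostring(Parsed.ProductName),
        Manufacturer  = tostring(Parsed.Manufacturer),
        LoggedOnUsers = Parsed.LoggedOnUsers
    // Match on the serial when the stick reports one. Fall back to the volume
    // label only when SerialNumber is empty, so a random drive that happens to
    // carry the same label is not mistaken for the planted one.
    | where SerialNumber in (TargetSerials)
         or (isempty(SerialNumber) and Volume =~ TargetVolume)
    | project MountTime = Timestamp, DeviceId, DeviceName, DriveLetter,
              SerialNumber, Volume, ProductName, Manufacturer, LoggedOnUsers;
Mounts
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp >= ago(lookback)
    | where ProcessCommandLine contains TrackedFile
    | project OpenTime = Timestamp, DeviceId, FileOpenedBy = AccountName,
              OpeningProcess = FileName, ProcessCommandLine
  ) on DeviceId
// Only processes started after the mount, within a bounded window.
| where OpenTime between (MountTime .. (MountTime + 4h))
// Only opens from the stick's own drive letter; drop this line if you also
// want to catch a copy of the file that was first saved to the local disk.
| where ProcessCommandLine contains DriveLetter
| project MountTime, OpenTime, DeviceName, FileOpenedBy, OpeningProcess,
          DriveLetter, SerialNumber, Volume, Manufacturer, ProductName,
          LoggedOnUsers, ProcessCommandLine
| order by OpenTime desc
```

The join answers "which user" with the account that launched the opening process, which is more direct than the mount row alone. Because the device reports these events to the Defender cloud service rather than to anything on the office network, a mount and file open that happen at home are still collected, which covers the off-site gap the question mentions. If the stick has no serial and its volume label is something generic, add Manufacturer and ProductName to the fallback condition to tighten the match.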