Forum Discussion

GI472's avatar
GI472
Brass Contributor
Jul 02, 2023
Solved

USB events

Hi all,   Random question...   As part of a security training exercise, I want to use a third-party tool to create USB drives with trackable files to test whether users take them to IT to be scan...
  • raphaelcustodiosoares's avatar
    raphaelcustodiosoares
    Aug 03, 2023

    Hello, unfortunately I searched for some things and found only a few things about usb mounting that you can see in the defender reports.

    I did a kql, but here at the company the usb is blocked and it doesn't work

    kql takes the AdditionalField column and filters on everything that is removable.

    DeviceEvents
    |extend details = todynamic(AdditionalFields)
    |mv-expand usb= details.IsOnRemovableMedia
    | where tostring(usb) contains "true"



    if you liked it mark the answer with a like.
    if you thought this answer helped in any way please mark it as best answer

    Follow me: https://www.linkedin.com/in/raphael-custodio-soares/

raphaelcustodiosoares's avatar
raphaelcustodiosoares
Iron Contributor
Aug 03, 2023

Hello, unfortunately I searched for some things and found only a few things about usb mounting that you can see in the defender reports.

I did a kql, but here at the company the usb is blocked and it doesn't work

kql takes the AdditionalField column and filters on everything that is removable.

DeviceEvents
|extend details = todynamic(AdditionalFields)
|mv-expand usb= details.IsOnRemovableMedia
| where tostring(usb) contains "true"



if you liked it mark the answer with a like.
if you thought this answer helped in any way please mark it as best answer

Follow me: https://www.linkedin.com/in/raphael-custodio-soares/

  • GI472's avatar
    GI472
    Brass Contributor
    Sep 10, 2023
    So I found another resource:

    https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/Files%20copied%20to%20USB%20drives.md

    and by changing a few things, I now I have this:

    DeviceEvents
    | where ActionType=="UsbDriveMounted"
    | extend ParsedFields=parse_json(AdditionalFields)
    | project
    MountTime=Timestamp,
    DeviceName,
    SerialNumber=ParsedFields.SerialNumber,
    InitiatingProcessAccountName,
    LoggedOnUsers=ParsedFields.LoggedOnUsers,
    DriveLetter=ParsedFields.DriveLetter,
    ProductName=ParsedFields.ProductName,
    Manufacturer=ParsedFields.Manufacturer,
    Volume=ParsedFields.Volume,
    ReportId,
    AdditionalFields
    | where MountTime >= ago(24h)
    | order by MountTime desc

    This will search on any USB mounts in the last 24hrs and project certain fields from the AdditionalFields column.

    To make it specific for my uses, I have added some properties of the specific USB device I am searching on, e.g.;

    DeviceEvents
    | where ActionType=="UsbDriveMounted"
    | extend ParsedFields=parse_json(AdditionalFields)
    | project
    MountTime=Timestamp,
    DeviceName,
    SerialNumber=ParsedFields.SerialNumber,
    InitiatingProcessAccountName,
    LoggedOnUsers=ParsedFields.LoggedOnUsers,
    DriveLetter=ParsedFields.DriveLetter,
    ProductName=ParsedFields.ProductName,
    Manufacturer=ParsedFields.Manufacturer,
    Volume=ParsedFields.Volume,
    ReportId,
    AdditionalFields
    | where MountTime >= ago(24h)
    | where
    (
    SerialNumber contains "ENTER YOUR DETAILS HERE"
    or Volume contains "ENTER YOUR DETAILS HERE"
    or SerialNumber contains "ENTER YOUR DETAILS HERE"
    or Volume contains "ENTER YOUR DETAILS HERE"
    )
    | order by MountTime desc

    To get those details, I had to plug in a load of test USBs and run the first query and pull out the serial numbers and volume details. Annoyingly, not all of the USBs I tried had a serial number returned, so there was quite a lot of trial and error.