Forum Discussion

GI472's avatar
GI472
Brass Contributor
Jul 02, 2023
Solved

USB events

Hi all,   Random question...   As part of a security training exercise, I want to use a third-party tool to create USB drives with trackable files to test whether users take them to IT to be scan...
  • raphaelcustodiosoares's avatar
    raphaelcustodiosoares
    Aug 03, 2023

    Hello, unfortunately I searched for some things and found only a few things about usb mounting that you can see in the defender reports.

    I did a kql, but here at the company the usb is blocked and it doesn't work

    kql takes the AdditionalField column and filters on everything that is removable.

    DeviceEvents
    |extend details = todynamic(AdditionalFields)
    |mv-expand usb= details.IsOnRemovableMedia
    | where tostring(usb) contains "true"



    if you liked it mark the answer with a like.
    if you thought this answer helped in any way please mark it as best answer

    Follow me: https://www.linkedin.com/in/raphael-custodio-soares/

raphaelcustodiosoares's avatar
raphaelcustodiosoares
Iron Contributor
Aug 03, 2023

Hello, unfortunately I searched for some things and found only a few things about usb mounting that you can see in the defender reports.

I did a kql, but here at the company the usb is blocked and it doesn't work

kql takes the AdditionalField column and filters on everything that is removable.

DeviceEvents
|extend details = todynamic(AdditionalFields)
|mv-expand usb= details.IsOnRemovableMedia
| where tostring(usb) contains "true"



if you liked it mark the answer with a like.
if you thought this answer helped in any way please mark it as best answer

Follow me: https://www.linkedin.com/in/raphael-custodio-soares/

GI472's avatar
GI472
Brass Contributor
Sep 10, 2023
So I found another resource:

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/Files%20copied%20to%20USB%20drives.md

and by changing a few things, I now I have this:

DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project
MountTime=Timestamp,
DeviceName,
SerialNumber=ParsedFields.SerialNumber,
InitiatingProcessAccountName,
LoggedOnUsers=ParsedFields.LoggedOnUsers,
DriveLetter=ParsedFields.DriveLetter,
ProductName=ParsedFields.ProductName,
Manufacturer=ParsedFields.Manufacturer,
Volume=ParsedFields.Volume,
ReportId,
AdditionalFields
| where MountTime >= ago(24h)
| order by MountTime desc

This will search on any USB mounts in the last 24hrs and project certain fields from the AdditionalFields column.

To make it specific for my uses, I have added some properties of the specific USB device I am searching on, e.g.;

DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project
MountTime=Timestamp,
DeviceName,
SerialNumber=ParsedFields.SerialNumber,
InitiatingProcessAccountName,
LoggedOnUsers=ParsedFields.LoggedOnUsers,
DriveLetter=ParsedFields.DriveLetter,
ProductName=ParsedFields.ProductName,
Manufacturer=ParsedFields.Manufacturer,
Volume=ParsedFields.Volume,
ReportId,
AdditionalFields
| where MountTime >= ago(24h)
| where
(
SerialNumber contains "ENTER YOUR DETAILS HERE"
or Volume contains "ENTER YOUR DETAILS HERE"
or SerialNumber contains "ENTER YOUR DETAILS HERE"
or Volume contains "ENTER YOUR DETAILS HERE"
)
| order by MountTime desc

To get those details, I had to plug in a load of test USBs and run the first query and pull out the serial numbers and volume details. Annoyingly, not all of the USBs I tried had a serial number returned, so there was quite a lot of trial and error.