Forum Discussion

lfk73
Brass Contributor
Oct 17, 2024

Threat hunting help

I'm hoping someone can help me here. I'm using the below very common queries to find USB activity. It finds FileCreated, FileModified, FileRenamed and FileDeleted. What I don't seem to be able to find is file reads, i.e. someone double-clicks on a file on the USB and it opens, essentially reading the file from the USB.

Anyone know how to find a file read from USB?

let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
let TimespanInSeconds = 900; // Period of time between device insertion and file copy
// USB mass-storage insertions, parsed out of the PnpDeviceConnected event's AdditionalFields
let Connections =
DeviceEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project DeviceId,ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.ClassId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
// File events on any drive other than C: (and not on a UNC path), joined to an insertion on the same device within the window
DeviceFileEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
| join kind=inner Connections on DeviceId
| where datetime_diff('second',Timestamp,ConnectionTime) <= TimespanInSeconds
    micheleariis
    Steel Contributor

    lfk73 Hi, to detect reading files from a USB device (for example, when someone double-clicks a file and opens it), common events like FileCreated, FileModified, FileRenamed, or FileDeleted are not sufficient, as they focus on write or edit operations. Reading a file (which involves only accessing it without modification) does not generate one of these events.

    You could use this approach to detect file reads:

    File access events:

    Windows Event IDs 4656 and 4663 may be helpful:

    4656 logs a request for a handle to a file.

    4663 logs an attempt to access a file.

    The filter to apply concerns the AccessMask, which for read operations is 0x1.

    Sysmon Event ID 11:

    This event is logged every time a file is opened for reading, even if it is not modified.
    You can monitor these events and correlate the file path with the drive letters of USB devices.

    File access audit:

    You can enable object access auditing (in Group Policy) to monitor read operations on files by setting auditing for the "Success" of read operations.
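As an added example (not code from either post), the script below runs the reply's logic over constructed 4663-style records: it keeps events whose AccessMask contains the ReadData bit (0x1), whose object path sits on the drive letter of a USB insertion on the same host, and which fall inside the 900-second window the original query uses. The drive letter per insertion, the field names and the sample records are all assumptions; PnpDeviceConnected by itself does not carry a drive letter.

```python
from datetime import datetime

READ_DATA = 0x1  # 4663 AccessMask bit: ReadData (files) / ListDirectory (folders)

# Constructed sample data, not real telemetry. The drive letter per USB
# insertion is an assumed enrichment (e.g. from a mount/volume event).
USB_CONNECTIONS = [
    {"host": "WS01", "time": "2024-10-17T09:00:00", "drive": "E:"},
]
# Constructed 4663-style records. AccessMask appears both as an int and as
# the hex string Windows emits, because log exports differ.
EVENTS_4663 = [
    {"host": "WS01", "time": "2024-10-17T09:03:10", "event_id": 4663,
     "object": r"E:\payroll.xlsx", "access_mask": "0x1", "process": "EXCEL.EXE"},
    {"host": "WS01", "time": "2024-10-17T09:04:00", "event_id": 4663,
     "object": r"C:\Users\a\doc.docx", "access_mask": 0x1, "process": "WINWORD.EXE"},
    {"host": "WS01", "time": "2024-10-17T09:05:00", "event_id": 4663,
     "object": r"E:\notes.txt", "access_mask": 0x2, "process": "notepad.exe"},
    {"host": "WS01", "time": "2024-10-17T10:00:00", "event_id": 4663,
     "object": r"E:\late.pdf", "access_mask": 0x1, "process": "AcroRd32.exe"},
]


def parse_mask(value):
    """Normalise AccessMask: accept an int or a hex string such as '0x1' / '0x20089'."""
    return int(value, 16) if isinstance(value, str) else int(value)


def usb_file_reads(events, connections, window_seconds=900):
    """Return (host, path, process, seconds_after_insert) for reads on a USB drive.

    A 4663 event counts when its mask includes ReadData, its ObjectName is on
    the drive letter of a USB insertion on the same host, and it occurred
    within window_seconds after that insertion (same window as the KQL above).
    """
    hits = []
    for ev in events:
        if ev["event_id"] != 4663 or not parse_mask(ev["access_mask"]) & READ_DATA:
            continue
        ts = datetime.fromisoformat(ev["time"])
        for conn in connections:
            if conn["host"] != ev["host"]:
                continue
            prefix = conn["drive"].upper().rstrip("\\") + "\\"
            if not ev["object"].upper().startswith(prefix):
                continue
            delta = (ts - datetime.fromisoformat(conn["time"])).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((ev["host"], ev["object"], ev["process"], int(delta)))
    return hits
```

Only the Excel read of E:\payroll.xlsx survives: the C: read is not on the USB drive, the notes.txt event is write-only (0x2), and late.pdf is outside the window.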
