Forum Discussion
Threat hunting help
I'm hoping someone can help me here. I'm using the below very common queries to find USB activity. It finds FileCreated, FileModified, FileRenamed and FileDeleted. What I don't seem to be able to find is file reads, i.e. someone double-clicks a file on the USB and it opens, essentially reading the file from the USB.
Anyone know how to find a file read from USB?
- micheleariis (Steel Contributor)
lfk73, hi. To detect reading files from a USB device (for example, when someone double-clicks a file and opens it), common events like FileCreated, FileModified, FileRenamed, or FileDeleted are not sufficient, as they focus on write or edit operations. Reading a file (which involves only accessing it without modification) does not generate one of these events.
You could use this approach to detect file reads:
File access events:
Windows Event IDs 4656 and 4663 may be helpful:
4656 logs a request for a handle to a file.
4663 logs an attempt to access a file.
The filter to apply concerns the AccessMask, which for read operations is 0x1.
Sysmon Event ID 11:
This event is logged every time a file is opened for reading, even if it is not modified.
You can monitor these events and correlate the file path with the drive letters of USB devices.
File access audit:
You can enable object access auditing (in Group Policy) to monitor read operations on files by setting auditing for the "Success" of read operations.
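To show how the filtering described in this answer fits together, here is an added example (not code from either poster): it parses a handful of constructed 4656/4663-style audit records, keeps only those whose AccessMask has the read bit (0x1) set, and then correlates the object path with a set of drive letters known to belong to removable USB volumes. The key=value line format, the field names, the sample records and the `removable_letters` set are all assumptions made for this example; in practice the records come from the Security log (after object access auditing and a SACL on the files are in place) and the drive letters from a device or volume inventory.

```python
"""Filter Windows object-access audit events (4656/4663) for reads of files on removable drives.

Added example; the line format below is constructed for illustration, not the real EVTX layout.
"""
from dataclasses import dataclass
from typing import Iterable

# Access-mask bits from the Windows file access rights (FILE_READ_DATA / FILE_WRITE_DATA).
# 0x1 is the bit the answer above refers to; on a directory it means ListDirectory instead.
READ_DATA = 0x1
WRITE_DATA = 0x2

# Audit event IDs of interest: handle requested (4656) and object accessed (4663).
FILE_AUDIT_EVENT_IDS = {4656, 4663}


@dataclass
class AuditEvent:
    event_id: int
    user: str
    object_type: str
    object_name: str
    access_mask: int
    process: str


def parse_event(line: str) -> AuditEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into an AuditEvent."""
    fields = dict(kv.strip().split("=", 1) for kv in line.strip().split("|"))
    return AuditEvent(
        event_id=int(fields["EventID"]),
        user=fields["SubjectUserName"],
        object_type=fields["ObjectType"],
        object_name=fields["ObjectName"],
        access_mask=int(fields["AccessMask"], 16),  # logged as hex, e.g. 0x20089
        process=fields["ProcessName"],
    )


def is_on_removable_drive(path: str, removable_letters: set[str]) -> bool:
    """True when the object name starts with a drive letter assigned to a USB volume.

    UNC paths (\\\\server\\share) and relative names have no drive letter and never match.
    """
    if len(path) < 2 or path[1] != ":":
        return False
    return path[0].upper() in {letter.upper() for letter in removable_letters}


def usb_file_reads(lines: Iterable[str], removable_letters: set[str]) -> list[AuditEvent]:
    """Return the audit events that represent a read of a file on a removable drive."""
    hits: list[AuditEvent] = []
    for line in lines:
        ev = parse_event(line)
        if ev.event_id not in FILE_AUDIT_EVENT_IDS:
            continue                      # not an object-access audit record
        if ev.object_type != "File":
            continue                      # 0x1 on a Directory is ListDirectory, not a file read
        if not ev.access_mask & READ_DATA:
            continue                      # write-only / attribute-only access
        if not is_on_removable_drive(ev.object_name, removable_letters):
            continue                      # internal disk or network share
        hits.append(ev)
    return hits


# Constructed sample records. E: is the assumed USB drive letter; C: is the system drive.
SAMPLE_EVENTS = [
    r"EventID=4663|SubjectUserName=alice|ObjectType=File|ObjectName=E:\Reports\q3.xlsx|AccessMask=0x20089|ProcessName=C:\Office\EXCEL.EXE",
    r"EventID=4663|SubjectUserName=alice|ObjectType=File|ObjectName=E:\notes.txt|AccessMask=0x2|ProcessName=C:\Windows\notepad.exe",
    r"EventID=4663|SubjectUserName=alice|ObjectType=File|ObjectName=C:\Users\alice\todo.txt|AccessMask=0x1|ProcessName=C:\Windows\notepad.exe",
    r"EventID=4656|SubjectUserName=bob|ObjectType=File|ObjectName=E:\setup.exe|AccessMask=0x1|ProcessName=C:\Windows\explorer.exe",
    r"EventID=4663|SubjectUserName=bob|ObjectType=Directory|ObjectName=E:\|AccessMask=0x1|ProcessName=C:\Windows\explorer.exe",
    r"EventID=4688|SubjectUserName=bob|ObjectType=Process|ObjectName=C:\Windows\cmd.exe|AccessMask=0x0|ProcessName=C:\Windows\cmd.exe",
]

if __name__ == "__main__":
    for hit in usb_file_reads(SAMPLE_EVENTS, {"E"}):
        print(f"{hit.event_id} {hit.user} read {hit.object_name} via {hit.process}")
```

Only the Excel read of `E:\Reports\q3.xlsx` and the Explorer handle request for `E:\setup.exe` survive the filter; the write to `E:\notes.txt`, the read on the internal `C:` drive and the directory listing of `E:\` are dropped. The same four conditions (event ID, object type, read bit, drive letter) translate directly into a SIEM or advanced-hunting query once the removable drive letters are known.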