Advanced hunting updates: USB events, machine-level actions, and schema changes
Published Aug 27 2019 01:29 AM 41.6K Views
Microsoft

Hello there, hunters! I’d like to share some of the work we’ve recently completed for advanced hunting on Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).


We’ve added some exciting new events as well as new options for automated response actions based on your custom detections. We also have some changes to the schema—changes that will allow advanced hunting to scale and accommodate even more events and information types.
Keep on reading for the juicy details.


Find threat activity involving USB devices
We’ve added support for the following new action types in the MiscEvents table (DeviceEvents under the new naming described below), so you can find events related to mounting and unmounting of USB drives as well as drive letter changes:

  • UsbDriveMount
  • UsbDriveUnmount
  • UsbDriveDriveLetterChanged

Checking USB drive events can help you locate attempts to introduce malware or steal sensitive information through removable drives. Each of these action types includes relevant contextual information, such as:

  • Drive letter
  • Bus type
  • Product name of the device
  • Product revision
  • Serial number
  • Manufacturer
  • Volume

Please keep in mind these events are available only for RS6 machines.

More automated responses to custom detections
Have you ever wanted to automatically isolate a machine or run an antivirus scan in response to a custom detection?


In addition to the current file-level actions, we just added support for a set of machine-level actions that can be taken automatically if a custom detection is triggered. You can now specify these actions when you create custom detection rules, or you can add them to your existing rules:

  • Isolate machine (new)
  • Collect investigation package (new)
  • Run antivirus scan (new)
  • Initiate investigation (new)
  • Allow / Block items by adding them to the indicator list
  • Quarantine file

Let’s try them out
Let’s use the new USB events to create a custom detection rule that also leverages the new set of machine-level response actions.

The goal of this custom detection is to identify potentially malicious attempts to copy Word and PowerPoint files to a newly attached USB storage device. Once this activity is found on any machine, that machine should be automatically isolated from the network to suppress future exfiltration activity.


Find possible exfiltration attempts via USB
The following query finds attempts to copy at least 10 distinct documents within 15 minutes to a newly attached USB storage device. The query finds USB drive mounting events and extracts the assigned drive letter for each drive. It then finds file creation events whose drive letter maps to a freshly mounted USB device.
Try running the query by pasting it into the advanced hunting query editor.

// Step 1: USB mount events from the past day, with the assigned drive letter taken from AdditionalFields
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "UsbDriveMount"
| project USBMountTime = Timestamp, DeviceId, AdditionalFields
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
// Step 2: Word and PowerPoint files created on the same device and drive letter
| join (
    DeviceFileEvents
    | where Timestamp > ago(1d)
    | where ActionType == "FileCreated"
    | where FileName endswith ".docx" or FileName endswith ".pptx"
    // The drive letter is everything before the first backslash of the folder path
    | parse FolderPath with DriveLetter '\\' *
    | extend DriveLetter = tostring(DriveLetter)
) on DeviceId, DriveLetter
// Step 3: keep only files written within 15 minutes after the mount
| where (Timestamp - USBMountTime) between (0min .. 15min)
// Step 4: count distinct files per device and 15-minute bin; pack the per-event details so they survive the summarize
| summarize DistinctFilesCopied = dcount(SHA1), Events = makeset(pack("AccountName", InitiatingProcessAccountName, "Timestamp", Timestamp, "ReportId", ReportId, "FileName", FileName, "AdditionalDriveProperties", AdditionalFields)) by DeviceId, bin(Timestamp, 15m)
| where DistinctFilesCopied > 10
// Step 5: unpack the events again so each alert row carries Timestamp, ReportId and DeviceId, which custom detection rules need
| mv-expand Events
| extend Timestamp = todatetime(Events.Timestamp), FileName = Events.FileName, AccountName = Events.AccountName, ReportId = tolong(Events.ReportId), AdditionalDriveProperties = Events.AdditionalDriveProperties

Running the query on advanced hunting
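To make the join logic of the query above easy to study without a tenant, here is an offline re-implementation in Python. It is an added example, not Microsoft's code: it walks constructed DeviceEvents and DeviceFileEvents rows (the sample data, the helper names such as find_usb_exfiltration, and the per-mount grouping are this example's own choices), pulls DriveLetter out of the AdditionalFields JSON exactly as the KQL does, matches FileCreated events on device and drive letter inside the 15-minute window, and alerts when more than 10 distinct hashes were written. It also normalises drive-letter case, which the KQL join does not do.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

DOC_SUFFIXES = (".docx", ".pptx")
WINDOW = timedelta(minutes=15)   # the query's "between (0min .. 15min)"
THRESHOLD = 10                   # the query's "DistinctFilesCopied > 10"

# Constructed sample rows (not real telemetry). AdditionalFields is a JSON string,
# as in the DeviceEvents table; its keys follow the contextual fields the post lists.
def _mount(device, ts, letter, serial):
    return {"Timestamp": ts, "DeviceId": device, "ActionType": "UsbDriveMount",
            "AdditionalFields": json.dumps({"DriveLetter": letter, "BusType": "USB",
                                            "ProductName": "Flash Disk", "SerialNumber": serial})}

def _file(device, ts, folder, name, sha1):
    return {"Timestamp": ts, "DeviceId": device, "ActionType": "FileCreated",
            "FolderPath": folder, "FileName": name, "SHA1": sha1,
            "ReportId": 1, "InitiatingProcessAccountName": "user1"}

DEVICE_EVENTS = [_mount("dev-A", "2019-08-27T09:00:00Z", "E:", "SN-001"),
                 _mount("dev-B", "2019-08-27T11:00:00Z", "F:", "SN-002")]

DEVICE_FILE_EVENTS = (
    # dev-A: 12 distinct documents within 6 minutes of the mount -> should fire
    [_file("dev-A", f"2019-08-27T09:0{i % 6}:{i:02d}Z", "e:\\exfil", f"doc{i}.docx", f"a{i:02d}")
     for i in range(12)]
    # dev-A: a document written to the local disk -> different drive letter, ignored
    + [_file("dev-A", "2019-08-27T09:01:00Z", "C:\\Users\\user1", "notes.docx", "a99")]
    # dev-B: 12 documents, but 40 minutes or more after the mount -> outside the window
    + [_file("dev-B", f"2019-08-27T11:4{i % 10}:00Z", "F:\\", f"slide{i}.pptx", f"b{i:02d}")
       for i in range(12)]
)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def drive_letter(folder_path):
    """KQL `parse FolderPath with DriveLetter '\\' *`, upper-cased so 'e:' matches 'E:'."""
    return folder_path.split("\\", 1)[0].upper()

def usb_mounts(device_events, action_type="UsbDriveMount"):
    """First half of the KQL: mount events with DriveLetter pulled out of AdditionalFields."""
    mounts = []
    for ev in device_events:
        if ev["ActionType"] != action_type:
            continue
        fields = json.loads(ev["AdditionalFields"])
        mounts.append({"DeviceId": ev["DeviceId"], "USBMountTime": _ts(ev["Timestamp"]),
                       "DriveLetter": fields["DriveLetter"].upper(), "AdditionalFields": fields})
    return mounts

def find_usb_exfiltration(device_events, file_events, window=WINDOW, threshold=THRESHOLD):
    """Join FileCreated events to mounts on (DeviceId, DriveLetter), keep those landing within
    `window` after the mount, and alert when more than `threshold` distinct SHA1s were written.
    Results are grouped per mount event rather than per 15-minute bin as in the KQL."""
    groups = defaultdict(lambda: {"hashes": set(), "events": []})
    for m in usb_mounts(device_events):
        for fe in file_events:
            if fe["ActionType"] != "FileCreated" or fe["DeviceId"] != m["DeviceId"]:
                continue
            if not fe["FileName"].lower().endswith(DOC_SUFFIXES):
                continue
            if drive_letter(fe["FolderPath"]) != m["DriveLetter"]:
                continue
            delta = _ts(fe["Timestamp"]) - m["USBMountTime"]
            if not timedelta(0) <= delta <= window:
                continue
            g = groups[(m["DeviceId"], m["USBMountTime"], m["DriveLetter"])]
            g["hashes"].add(fe["SHA1"])
            g["events"].append({"Timestamp": fe["Timestamp"], "ReportId": fe["ReportId"],
                                "FileName": fe["FileName"],
                                "AccountName": fe["InitiatingProcessAccountName"],
                                "AdditionalDriveProperties": m["AdditionalFields"]})
    return [{"DeviceId": dev, "USBMountTime": t.isoformat(), "DriveLetter": letter,
             "DistinctFilesCopied": len(g["hashes"]), "Events": g["events"]}
            for (dev, t, letter), g in groups.items() if len(g["hashes"]) > threshold]

if __name__ == "__main__":
    print(json.dumps(find_usb_exfiltration(DEVICE_EVENTS, DEVICE_FILE_EVENTS), indent=2))
```

Run as-is it reports one alert, for dev-A; the dev-B writes fall outside the 15-minute window and the local-disk document is excluded by the drive-letter match. Widening `window` to an hour makes dev-B fire as well, which is a quick way to see how much the window choice drives the signal.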

Create a custom detection rule from the query
If you ran the query successfully, create a new detection rule. Remember to select Isolate machine from the list of machine actions. This option automatically prevents machines with alerts from connecting to the network.


Creating a custom detection rule with isolate machine as a response action


Schema naming changes and deprecated columns
In the following weeks, we plan to rename some tables and columns, allowing us to expand the naming convention and accommodate events from more sources. We are also deprecating a column that is rarely used and is not functioning optimally.

New “device” prefix in table names
We will add a new prefix to the names of all tables that are populated using device-specific data. This makes room for tables fed by other data sources.

Old table name                New table name
AlertEvents                   AlertEvents (unchanged)
MachineInfo                   DeviceInfo
MachineNetworkInfo            DeviceNetworkInfo
ProcessCreationEvents         DeviceProcessEvents
NetworkCommunicationEvents    DeviceNetworkEvents
FileCreationEvents            DeviceFileEvents
RegistryEvents                DeviceRegistryEvents
LogonEvents                   DeviceLogonEvents
ImageLoadEvents               DeviceImageLoadEvents
MiscEvents                    DeviceEvents

Both sets of names are currently supported: the new table names are already functional while the old names remain in use. In the upcoming weeks we will switch the schema reference and documentation to the new names; the old names will continue to function, but we advise updating your queries as soon as possible.

New column names
We are also renaming the following columns to ensure that their names remain meaningful when they are used across more tables.

Old column name        New column name
EventTime              Timestamp
MachineId              DeviceId
ComputerName           DeviceName
RegistryComputerTag    RegistryDeviceTag
RemoteComputerName     RemoteDeviceName


Deprecated column
The rarely used column IsWindowsInfoProtectionApplied in the FileCreationEvents table will no longer be supported starting September 1, 2019. Saved queries that reference this column will return an error, unless edited manually to remove the reference.
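Saved queries written against the old names keep working for now, but they will need updating, and any that reference the deprecated column will start failing. The following script is an added example (not a Microsoft tool) that rewrites a query's old table and column names to the new ones using the two mapping tables above and reports uses of IsWindowsInfoProtectionApplied. It assumes the saved queries are available as plain text, and it only rewrites identifiers outside string literals, so a label such as pack("MachineId", ...) is left alone.

```python
import re

# Mappings copied from the post's tables; AlertEvents is unchanged and so is not listed.
TABLE_RENAMES = {
    "MachineInfo": "DeviceInfo",
    "MachineNetworkInfo": "DeviceNetworkInfo",
    "ProcessCreationEvents": "DeviceProcessEvents",
    "NetworkCommunicationEvents": "DeviceNetworkEvents",
    "FileCreationEvents": "DeviceFileEvents",
    "RegistryEvents": "DeviceRegistryEvents",
    "LogonEvents": "DeviceLogonEvents",
    "ImageLoadEvents": "DeviceImageLoadEvents",
    "MiscEvents": "DeviceEvents",
}
COLUMN_RENAMES = {
    "EventTime": "Timestamp",
    "MachineId": "DeviceId",
    "ComputerName": "DeviceName",
    "RegistryComputerTag": "RegistryDeviceTag",
    "RemoteComputerName": "RemoteDeviceName",
}
DEPRECATED_COLUMNS = {"IsWindowsInfoProtectionApplied"}  # unsupported from September 1, 2019

_RENAMES = {**TABLE_RENAMES, **COLUMN_RENAMES}
# KQL string literals in double or single quotes; identifiers inside them are not rewritten.
_LITERAL = re.compile(r"\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*'")
# Whole-identifier matches only, so ComputerName never touches RemoteComputerName.
_IDENT = re.compile(r"\b(" + "|".join(sorted(_RENAMES, key=len, reverse=True)) + r")\b")
_DEPRECATED = re.compile(r"\b(" + "|".join(sorted(DEPRECATED_COLUMNS)) + r")\b")

def _rewrite_code(code, changes, deprecated):
    """Rename identifiers in a non-literal stretch of query text, recording what changed."""
    deprecated.extend(m.group(1) for m in _DEPRECATED.finditer(code))
    def substitute(m):
        old = m.group(1)
        changes.append((old, _RENAMES[old]))
        return _RENAMES[old]
    return _IDENT.sub(substitute, code)

def migrate_query(query):
    """Return (rewritten_query, [(old, new), ...], [deprecated column uses])."""
    changes, deprecated, out, pos = [], [], [], 0
    for lit in _LITERAL.finditer(query):
        out.append(_rewrite_code(query[pos:lit.start()], changes, deprecated))
        out.append(lit.group(0))  # literal copied through untouched
        pos = lit.end()
    out.append(_rewrite_code(query[pos:], changes, deprecated))
    return "".join(out), changes, deprecated

# Constructed sample: the post's hunt written against the old schema names.
OLD_QUERY = """MiscEvents
| where EventTime > ago(1d)
| where ActionType == "UsbDriveMount"
| project USBMountTime = EventTime, MachineId, AdditionalFields
| join (
    FileCreationEvents
    | where EventTime > ago(1d)
    | where IsWindowsInfoProtectionApplied == false
    | extend Label = "MachineId"
) on MachineId
"""

if __name__ == "__main__":
    new_query, changes, deprecated = migrate_query(OLD_QUERY)
    print(new_query)
    print("renamed:", changes)
    print("deprecated columns still referenced:", deprecated)
```

The deprecated column is reported rather than removed, because dropping a `where` clause silently would change what the saved query matches; that edit is best done by the query's owner.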
--------------
That is all for my update this time. As always, please share your thoughts with us in the comment section below or use the feedback smileys in Microsoft Defender Security Center.

26 Comments
Brass Contributor

Question,

I am not very proficient in this query language.  How would I modify the query to find exes that were launched from a usb drive?  I work for a school district and I am curious to see if students are able to launch programs that are not blocked by app locker.

Microsoft

Just switch the file creation events with the process event table and have the initiating process path start with the same letter as the drive letter. Let me know if you managed to make it work.

MiscEvents
| where EventTime > ago(1d)
| where ActionType == "UsbDriveMount"
// Drive letter from the mount event, lower-cased so the join is case-insensitive
| project USBMountTime = EventTime, MachineId, AdditionalFields, DriveLetter = tolower(tostring(todynamic(AdditionalFields).DriveLetter))
| join (
    ProcessCreationEvents
    | where EventTime > ago(1d)
    | where ActionType == "ProcessCreated"
    // The first two characters of the path ("E:") are the drive letter; lower-case them to match the mount side
    | project FileName, MachineId, DriveLetter = tolower(substring(InitiatingProcessFolderPath, 0, 2)), InitiatingProcessFolderPath
)
on MachineId, DriveLetter

Brass Contributor

Thanks, I will give it a go. I really appreciate your time and contributions!

Copper Contributor

Hi Daniel, thanks for your post. 

One question: can we block any USB except one USB type? For example, block any USB except a SanDisk USB model.

Copper Contributor

Does this require a specific Windows version, or is it backported to earlier versions, including LTSB 1607?

Thanks

Microsoft

@Marco Schiffner These events are available only for RS6 machines. Backporting will be supported in the future.

Copper Contributor

@Daniel Naim What is the minimum build no. in RS6 machines that supports USB monitoring described in this article? We are having trouble finding it.

Copper Contributor

I am trying to create a query to identify documents being copied, created and modified on a USB thumb drive. However, I can only identify files renamed on a thumb drive, and this is without any filters. Also, I don’t seem to have full visibility of other file types, e.g. txt, being created or modified on the local drive or external devices. What are the limitations of file visibility, as I don’t believe it is my syntax?

Copper Contributor

@Daniel Naim we ran into an issue where WDATP would not detect files of smaller sizes. For example, it detected when we copied files over 100MB, but nothing in the KBs. Is it a known issue? Could you please shed some light on this?

Microsoft

@aahmad365 this shouldn't be an issue. Does it happen on the same machine? For the same file types?

Microsoft

Note that AlertEvents is also changing to DeviceAlertEvents.  Appears this changed since the blog went live @Daniel Naim 

Copper Contributor

@Daniel Naim we are not able to detect .txt files on some machines that are on 1903 and higher. We downloaded and copied those files to USB trying to get the action "File Created" triggered, but WDATP does not show them in advanced hunting. Are there any known issues?

Microsoft

Not sure why it is not working. @aahmad365 can you please report this issue through the portal, using the feedback tool at the top of the screen (smiley face), so we can get more details? Thanks!

Copper Contributor

@Daniel Naim Attempting to make this a scheduled query, but I need to add Timestamp and ReportId. How would I add those without breaking the query?

Copper Contributor

cyberbob did you get a query to work for what you posted?

I am trying to create a query to identify documents being copied, created and modified on a USB thumb drive. However, I can only identify files renamed on a thumb drive, and this is without any filters. Also, I don’t seem to have full visibility of other file types, e.g. txt, being created or modified on the local drive or external devices. What are the limitations of file visibility, as I don’t believe it is my syntax?

Brass Contributor

@Daniel Naim are there any prerequisites for that query? Like specific events that need to be enabled in the Windows 10 Event Viewer (that aren't on by default)?

My devices are Intune-managed and AAD-joined. I did some tests with your query and others I found on the web (connect and disconnect USB many times), but each time the query shows nothing, as if something else is missing in my configuration.

Here's another query I tried, but still with no results:

// Find all "Mounted" storage activity within the past 100 days
DeviceEvents
| where ActionType == "UsbDriveMount" and Timestamp > ago(100d)
| extend DriveLetter = parse_json(AdditionalFields).DriveLetter
| extend BusType = parse_json(AdditionalFields).BusType
| extend ProductName = parse_json(AdditionalFields).ProductName
| extend ProductRevision = parse_json(AdditionalFields).ProductRevision
| extend SerialNumber = parse_json(AdditionalFields).SerialNumber
| extend Manufacturer = parse_json(AdditionalFields).Manufacturer
| extend Volume = parse_json(AdditionalFields).Volume
| project DeviceName, DeviceId, Timestamp, DriveLetter, Manufacturer, ProductName, BusType, ProductRevision, SerialNumber, Volume

Microsoft

@giladkeidar The action type is UsbDriveMounted. Please use the schema reference to learn more about the events audited and the ActionTypes.

Brass Contributor

@Tali Ash In my query I use "UsbDriveMounted" but it returned no result, any idea?

Silver Contributor

Thank you, it is a very valuable feature. In the past we used to manage USB using Group Policies, but moving to the cloud, managing USB devices has been a great challenge, and this feature will solve several concerns.

However, I hope USB management policies get added inside MEM, since not everyone is using MD ATP.

Brass Contributor

@Reza_Ameri you can enforce USB restrictions using MEM (the same as you did with GPO); MDE is only for auditing and alerting (although you can use it for blocking as well, but I think MEM is more applicable for that).

Silver Contributor

Thank you @giladkeidar for your input on this.

Microsoft

There are two actions for USB Mount, anyone know the difference?

DeviceEvents
| distinct ActionType
| where ActionType contains "usb" and ActionType contains 'mount'

Microsoft

@ChrisHamilton this refers to the usb device being plugged in and ejected, respectively.

Iron Contributor

I think this:

| where ActionType == "UsbDriveMount"

should be:

| where ActionType == "UsbDriveMounted"

Copper Contributor

Is there a reference anywhere for the added `BusType` field in `AdditionalItems`? I'd like to understand what they mean to see if I can use that info to isolate certain types of devices.

Version history
Last update:
‎Feb 16 2020 05:52 AM