SOLVED

USB events

Brass Contributor

Hi all,

Random question...

As part of a security training exercise, I want to use a third-party tool to create USB drives with trackable files to test whether users take them to IT to be scanned as per policy, or whether curiosity gets the better of them and they plug them into their laptops.

The files on the USB are trackable when opened at work, but when I tested them it wasn't able to tell me what account etc., nor could it tell me much if the file was opened away from the office.

I know that Windows 10 logs USB events, but does anyone know or have the ability to create a KQL query in Microsoft 365 Defender to search for specific events involving specific USBs to identify which user did it?

And what identifiers I would need from the USB drive etc.?

Or whether I would be better to create a file search/alert policy to scan for the particular unique filename(s) using KQL, or in MCAS instead?

2 Replies
best response confirmed by GI472 (Brass Contributor)
Solution

Hello, unfortunately I searched for some things and found only a few things about USB mounting that you can see in the Defender reports.

I did a KQL, but here at the company USB is blocked and it doesn't work.

The KQL takes the AdditionalFields column and filters on everything that is removable.

DeviceEvents
| extend details = todynamic(AdditionalFields)
| mv-expand usb = details.IsOnRemovableMedia
| where tostring(usb) contains "true"

if you liked it mark the answer with a like.
if you thought this answer helped in any way please mark it as best answer

Follow me: https://www.linkedin.com/in/raphael-custodio-soares/

So I found another resource:

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/Files%2...

and by changing a few things, I now have this:

DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project
    MountTime = Timestamp,
    DeviceName,
    SerialNumber = ParsedFields.SerialNumber,
    InitiatingProcessAccountName,
    LoggedOnUsers = ParsedFields.LoggedOnUsers,
    DriveLetter = ParsedFields.DriveLetter,
    ProductName = ParsedFields.ProductName,
    Manufacturer = ParsedFields.Manufacturer,
    Volume = ParsedFields.Volume,
    ReportId,
    AdditionalFields
| where MountTime >= ago(24h)
| order by MountTime desc

This will search for any USB mounts in the last 24 hours and project certain fields from the AdditionalFields column.

To make it specific for my uses, I have added some properties of the specific USB device I am searching for, e.g.:

DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project
    MountTime = Timestamp,
    DeviceName,
    SerialNumber = ParsedFields.SerialNumber,
    InitiatingProcessAccountName,
    LoggedOnUsers = ParsedFields.LoggedOnUsers,
    DriveLetter = ParsedFields.DriveLetter,
    ProductName = ParsedFields.ProductName,
    Manufacturer = ParsedFields.Manufacturer,
    Volume = ParsedFields.Volume,
    ReportId,
    AdditionalFields
| where MountTime >= ago(24h)
| where
    (
        SerialNumber contains "ENTER YOUR DETAILS HERE"
        or Volume contains "ENTER YOUR DETAILS HERE"
        or SerialNumber contains "ENTER YOUR DETAILS HERE"
        or Volume contains "ENTER YOUR DETAILS HERE"
    )
| order by MountTime desc

To get those details, I had to plug in a load of test USBs and run the first query and pull out the serial numbers and volume details. Annoyingly, not all of the USBs I tried had a serial number returned, so there was quite a lot of trial and error.
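The mount query above tells you which device and logged-on user received the planted drive, but not whether anyone actually opened one of the tracked files. The following query is an added example for this thread (not the poster's query and not one from the Microsoft hunting-queries repository): it takes the UsbDriveMounted events for the planted drives and joins them to DeviceProcessEvents on the same device, looking for a process whose command line names a tracked file on the drive letter the stick was assigned. It relies on the standard advanced hunting tables DeviceEvents and DeviceProcessEvents and the AdditionalFields keys (SerialNumber, DriveLetter, LoggedOnUsers) already used in the thread; the serial numbers, file names and lookback window are placeholders to replace with values pulled from the first query and from the planted files.

```kql
// Added example, not part of the original thread.
// Replace the placeholder serials (from the UsbDriveMounted query output)
// and the placeholder file names with the ones you actually planted.
let TrackedSerials = dynamic(["PLACEHOLDER-SERIAL-1", "PLACEHOLDER-SERIAL-2"]);
let TrackedFiles   = dynamic(["PLACEHOLDER_tracked_file.docx", "PLACEHOLDER_tracked_file.xlsx"]);
let LookbackWindow = 30d;   // assumed: how far back to look for mounts and opens
// Step 1: mounts of the planted drives, with the drive letter each one received.
let PlantedMounts =
    DeviceEvents
    | where Timestamp >= ago(LookbackWindow)
    | where ActionType == "UsbDriveMounted"
    | extend ParsedFields = parse_json(AdditionalFields)
    | extend SerialNumber  = tostring(ParsedFields.SerialNumber),
             DriveLetter   = tostring(ParsedFields.DriveLetter),
             LoggedOnUsers = tostring(ParsedFields.LoggedOnUsers)
    | where SerialNumber in~ (TrackedSerials)
    | where isnotempty(DriveLetter)   // some sticks report no drive letter or serial
    | project MountTime = Timestamp, DeviceId, DeviceName,
              SerialNumber, DriveLetter, LoggedOnUsers;
// Step 2: processes launched on the same device, after the mount, whose
// command line references a tracked file on that drive letter (e.g. Word
// or Excel opening it directly from the stick).
DeviceProcessEvents
| where Timestamp >= ago(LookbackWindow)
| where ProcessCommandLine has_any (TrackedFiles)
| join kind=inner PlantedMounts on DeviceId
| where Timestamp >= MountTime
| where ProcessCommandLine contains DriveLetter
| project OpenTime = Timestamp, MountTime, DeviceName,
          AccountDomain, AccountName,          // who opened the file
          SerialNumber, DriveLetter, LoggedOnUsers,
          FileName, ProcessCommandLine         // which program, which file
| order by OpenTime desc
```

Two caveats when reading the results: this only catches files opened in place from the stick by launching a handler process; a user who copies the file to their profile first shows up in DeviceFileEvents (the linked hunting query matches FolderPath against DriveLetter for exactly that case) and can then open it from a local path that no longer contains the drive letter. And, as noted above, some drives return no SerialNumber at all, so for those you would filter on Volume in step 1 instead.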