Forum Discussion

GI472's avatar
GI472
Brass Contributor
Jul 03, 2023

USB events

Hi all,

 

Random question...

 

As part of a security training exercise, I want to use a third-party tool to create USB drives with trackable files to test whether users take them to IT to be scanned as per policy, or whether curiosity gets them better of them and they plug it in to their laptops.

 

The files on the USB are trackable when opened at work, but when I tested them it wasn't able to tell me what account etc., nor could it tell me much if the file was opened away from the office.

 

I know that Windows 10 logs USB events, but does anyone know or have the ability to create a KQL query in Microsoft 365 Defender to search for specific events involving specific USBs to identify which user did it? 

 

And what identifiers I would need from the USB drive etc.?

 

Or whether I would be better to create a file search/alert policy to scan for the particular unique filename(s) using KQL, or in MCAS instead? 

  • raphaelcustodiosoares's avatar
    raphaelcustodiosoares
    Aug 03, 2023

    Hello, unfortunately I searched for some things and found only a few things about usb mounting that you can see in the defender reports.

    I did a kql, but here at the company the usb is blocked and it doesn't work

    kql takes the AdditionalField column and filters on everything that is removable.

    DeviceEvents
    |extend details = todynamic(AdditionalFields)
    |mv-expand usb= details.IsOnRemovableMedia
    | where tostring(usb) contains "true"



    if you liked it mark the answer with a like.
    if you thought this answer helped in any way please mark it as best answer

    Follow me: https://www.linkedin.com/in/raphael-custodio-soares/

  • raphaelcustodiosoares's avatar
    raphaelcustodiosoares
    Iron Contributor
    Aug 03, 2023

    Hello, unfortunately I searched for some things and found only a few things about usb mounting that you can see in the defender reports.

    I did a kql, but here at the company the usb is blocked and it doesn't work

    kql takes the AdditionalField column and filters on everything that is removable.

    DeviceEvents
    |extend details = todynamic(AdditionalFields)
    |mv-expand usb= details.IsOnRemovableMedia
    | where tostring(usb) contains "true"



    if you liked it mark the answer with a like.
    if you thought this answer helped in any way please mark it as best answer

    Follow me: https://www.linkedin.com/in/raphael-custodio-soares/

    • GI472's avatar
      GI472
      Brass Contributor
      Sep 11, 2023
      So I found another resource:

      https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/Files%20copied%20to%20USB%20drives.md

      and by changing a few things, I now I have this:

      DeviceEvents
      | where ActionType=="UsbDriveMounted"
      | extend ParsedFields=parse_json(AdditionalFields)
      | project
      MountTime=Timestamp,
      DeviceName,
      SerialNumber=ParsedFields.SerialNumber,
      InitiatingProcessAccountName,
      LoggedOnUsers=ParsedFields.LoggedOnUsers,
      DriveLetter=ParsedFields.DriveLetter,
      ProductName=ParsedFields.ProductName,
      Manufacturer=ParsedFields.Manufacturer,
      Volume=ParsedFields.Volume,
      ReportId,
      AdditionalFields
      | where MountTime >= ago(24h)
      | order by MountTime desc

      This will search on any USB mounts in the last 24hrs and project certain fields from the AdditionalFields column.

      To make it specific for my uses, I have added some properties of the specific USB device I am searching on, e.g.;

      DeviceEvents
      | where ActionType=="UsbDriveMounted"
      | extend ParsedFields=parse_json(AdditionalFields)
      | project
      MountTime=Timestamp,
      DeviceName,
      SerialNumber=ParsedFields.SerialNumber,
      InitiatingProcessAccountName,
      LoggedOnUsers=ParsedFields.LoggedOnUsers,
      DriveLetter=ParsedFields.DriveLetter,
      ProductName=ParsedFields.ProductName,
      Manufacturer=ParsedFields.Manufacturer,
      Volume=ParsedFields.Volume,
      ReportId,
      AdditionalFields
      | where MountTime >= ago(24h)
      | where
      (
      SerialNumber contains "ENTER YOUR DETAILS HERE"
      or Volume contains "ENTER YOUR DETAILS HERE"
      or SerialNumber contains "ENTER YOUR DETAILS HERE"
      or Volume contains "ENTER YOUR DETAILS HERE"
      )
      | order by MountTime desc

      To get those details, I had to plug in a load of test USBs and run the first query and pull out the serial numbers and volume details. Annoyingly, not all of the USBs I tried had a serial number returned, so there was quite a lot of trial and error.

Share