Finding USB and Removable Media Detection

alice_waynecorp — Sun, 11 Sep 2016 22:49:23 GMT

I've recently had some Ransomware that I think came off of a users USB drive. I am worried he might have shared it with other people but he can't remember the name of the USB drive and now he lost it :-/. I found a search on http://gosplunk.com/ (see below) that I thought would work, but it doesn't find it for his Windows 10 machine. Anyone have any ideas? I am collecting most windows logs AND WinRegistry

sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*"  registry_type=CreateKey | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S"   | stats  count by Date, host, Vendor, Product, DeviceType   | fields  - count   | sort  - Date

Re: Finding USB and Removable Media Detection

rkovar_splunk — Mon, 12 Sep 2016 15:48:39 GMT

Hey Alice, I ran into the same problem before. The issue seems to be that Windows puts its USB insertion information in 17 different registry keys [1], so you can actually need to look multiple places. The search below is kind of a sledge hammer, but the "data" field I list out below tends to show the actual "USB" device name

"sourcetype=WinRegistry  "HKLM\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\EMDMgmt\\" OR "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\" OR "HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\STORAGE\\Volume\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\USB\\VID_111D&PID_0000\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\WpdBusEnumRoot\\UMB\\" OR "HKLM\\SYSTEM\\ControlSet002\\Control\\DeviceClasses\\" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\STORAGE\\Volume\\" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\USB\\VID_111D&PID_0000" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\USBSTOR\\" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\WpdBusEnumRoot\\UMB\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\STORAGE\\Volume\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_111D&PID_0000\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\" OR "HKLM\\SYSTEM\\ CurrentControlSet\\Enum\\WpdBusEnumRoot\\UMB" | stats count by data"

[1] http://www.forensicmag.com/article/2012/08/windows-7-registry-forensics-part-6

topic Finding USB and Removable Media Detection in Splunk Search

Finding USB and Removable Media Detection

Re: Finding USB and Removable Media Detection