This repository was archived by the owner on Nov 16, 2023. It is now read-only.
27 changes: 13 additions & 14 deletions Exfiltration/Possible File Copy to USB Drive.md
@@ -1,26 +1,25 @@
# Possible File Copy to USB Drive

This query searches for file copies which occur within a period of time (by default 15 min) to volumes other than the C drive or UNC shares. By default, this query will
search all devices. A single device can be specified by entering the DeviceName in the DeviceNameToSearch variable. Additionally, to change the period of time from when
the USB device was inserted, adjust the TimespanInSeconds value.
This query searches for file copies which occur within a period of time (by default 15 min) to volumes associated with USB drives. To change the period of time from when
the USB device was inserted, adjust the Tolerance value.

Happy hunting!

## Query

```
let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
let TimespanInSeconds = 900; // Period of time between device insertion and file copy
let Connections =
let Tolerance = 1h;
DeviceEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project DeviceId,ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
DeviceFileEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
| join kind=inner Connections on DeviceId
| where datetime_diff('second',Timestamp,ConnectionTime) <= TimespanInSeconds
| where ActionType == "UsbDriveMounted"
| extend AdditionalFields = parse_json(AdditionalFields)
| evaluate bag_unpack(AdditionalFields)
| project UsbSessionStart = Timestamp, DeviceId, ActionType, tostring(DriveLetter), tostring(Manufacturer), tostring(ProductName), tostring(ProductRevision), tostring(SerialNumber), tostring(Volume), DriveId = hash_sha256(strcat(Manufacturer,ProductName,ProductRevision,SerialNumber)), UsbSessionEnd = Timestamp + Tolerance
| where isnotempty( DriveLetter)
| join kind=inner (
DeviceFileEvents
| where FolderPath !startswith 'c:' and FolderPath !startswith @'\'
) on DeviceId
| where Timestamp between (UsbSessionStart .. UsbSessionEnd) and FolderPath startswith DriveLetter
```

## Category
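Review bot: The added description line still says the window is "by default 15 min" while the new query sets `let Tolerance = 1h;`; make the two agree by either changing the text to "by default 1 hour" or setting `let Tolerance = 15m;`. Two smaller points on the query body: the inner `DeviceFileEvents` subquery joined on `DeviceId` carries no time bound, so every non-`c:`, non-UNC file event for a host is pulled into the join before the `between (UsbSessionStart .. UsbSessionEnd)` filter runs; adding a `| where Timestamp > ago(...)` lookback on both sides (or parameterizing it next to `Tolerance`) keeps the join small on busy tenants. And since the first `project` keeps `ActionType` (always `UsbDriveMounted` after the preceding filter) and `DeviceFileEvents` also has an `ActionType` column, the result ends up with an `ActionType1` column; dropping `ActionType` from the first `project` leaves the file event's own action type under its normal name.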