Low-severity advisory

First Time Seen Removable Device Registry Modification

Detection of newly seen removable devices via Windows registry modification events can indicate data exfiltration attempts or initial access via malicious USB drives.

This detection identifies the first-time appearance of removable devices on a Windows system by monitoring registry modifications. While not inherently malicious, the activity can indicate potential data exfiltration over removable media or initial access attempts using malware delivered via USB. The rule specifically looks for registry events that write the “FriendlyName” value under the USB storage device enumeration key (“USBSTOR”). This helps in identifying potentially unauthorized devices connected to the system. The detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.

Attack Chain

  1. A user connects a removable device (e.g., a USB drive) to a Windows system.
  2. The operating system detects the new device and attempts to enumerate its properties.
  3. The system queries the registry for device-specific settings, including the “FriendlyName”, under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR key.
  4. If the device is new to the system, the registry is modified to record the device’s information, including its friendly name.
  5. The registry write generates a registry modification event, which is logged by Sysmon, Elastic Defend, Microsoft Defender XDR, or SentinelOne.
  6. An attacker may use the USB device to deploy malware or exfiltrate sensitive data.
  7. The attacker copies files to the USB device.
  8. The attacker removes the USB device, completing the exfiltration.

Impact

Successful exploitation and data exfiltration via USB can lead to the loss of sensitive information, intellectual property theft, or the introduction of malware into the network. Although this alert is low severity, multiple alerts across the environment may indicate an active campaign. The detection focuses on registry modifications, which are early indicators of device connection, allowing for proactive monitoring and response.

Recommendation

  • Enable Sysmon registry event logging to detect registry modifications related to USB devices and activate the Sigma rules below.
  • Deploy the Sigma rules provided to your SIEM to detect and monitor first-time seen USB devices.
  • Investigate any alerts generated by the Sigma rules, correlating with user activity and file access events.
  • Maintain a list of approved USB devices and create exceptions for them in the monitoring system to reduce false positives as described in the rule documentation.
  • Monitor for subsequent file access or transfer events involving the new device as described in the rule documentation.
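The following is an added example, not code from the platform or from its Sigma rules, showing the stateful part of the detection described above: filtering registry value-set events down to the USBSTOR FriendlyName write, baselining which (host, device, instance) combinations have already been observed, and suppressing devices on an approved list as the recommendation suggests. The event records, field names (Sysmon-style EventID 13 with TargetObject and Details) and device serials are constructed for the example; a Sigma rule can express the selection (a registry_set event whose TargetObject contains \USBSTOR\ and ends with \FriendlyName) but not the first-seen baseline, which is what a SIEM or the platform adds on top.

```python
"""First-time-seen USB device detection over Sysmon-style registry value-set events.

Added example: the event layout, hostnames, users and device serials below are
constructed for illustration and are not taken from any real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Matches the FriendlyName value written under the USBSTOR enumeration key:
#   ...\Enum\USBSTOR\<device id>\<instance id>\FriendlyName
USBSTOR_FRIENDLYNAME = re.compile(
    r"\\Enum\\USBSTOR\\(?P<device>[^\\]+)\\(?P<instance>[^\\]+)\\FriendlyName$",
    re.IGNORECASE,
)


@dataclass
class Alert:
    host: str
    user: str
    device: str          # e.g. Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
    instance: str        # e.g. <serial>&0
    friendly_name: str   # the value written (the Details field)


@dataclass
class FirstSeenUsbDetector:
    # Serials of approved devices (instance id without the "&0" suffix); constructed allowlist.
    approved_serials: set[str] = field(default_factory=set)
    # Baseline of (host, device, instance) tuples already observed on this detector.
    _seen: set[tuple[str, str, str]] = field(default_factory=set)

    def process(self, event: dict) -> Alert | None:
        # Only value-set events (Sysmon EventID 13) are relevant; key creation etc. are ignored.
        if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
            return None
        match = USBSTOR_FRIENDLYNAME.search(event.get("TargetObject", ""))
        if not match:
            return None  # some other USBSTOR value (Capabilities, ContainerID, ...)
        device, instance = match.group("device"), match.group("instance")
        key = (event["Computer"], device, instance)
        if key in self._seen:
            return None  # device already baselined on this host: re-insertion is not "first seen"
        self._seen.add(key)
        serial = instance.split("&")[0]
        if serial in self.approved_serials:
            return None  # approved device: record it in the baseline but do not alert
        return Alert(
            host=event["Computer"],
            user=event.get("User", ""),
            device=device,
            instance=instance,
            friendly_name=event.get("Details", ""),
        )


def _event(computer: str, user: str, target: str, details: str, event_id: int = 13) -> dict:
    return {
        "EventID": event_id,
        "EventType": "SetValue" if event_id == 13 else "CreateKey",
        "Computer": computer,
        "User": user,
        "TargetObject": target,
        "Details": details,
    }


USBSTOR = r"HKLM\System\CurrentControlSet\Enum\USBSTOR"

# Constructed sample telemetry: two distinct devices on WS01, one of them inserted twice,
# one non-FriendlyName write, and one key-creation event that must be ignored.
SAMPLE_EVENTS = [
    _event("WS01", r"CORP\alice",
           USBSTOR + r"\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000001234567890&0\FriendlyName",
           "SanDisk Cruzer Blade USB Device"),
    _event("WS01", r"CORP\alice",
           USBSTOR + r"\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000001234567890&0\Capabilities",
           "DWORD (0x00000010)"),
    _event("WS01", r"CORP\bob",
           USBSTOR + r"\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0123456789ABCDEF&0\FriendlyName",
           "Kingston DataTraveler 3.0 USB Device"),
    _event("WS01", r"CORP\alice",
           USBSTOR + r"\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000001234567890&0\FriendlyName",
           "SanDisk Cruzer Blade USB Device"),
    _event("WS01", r"CORP\bob",
           USBSTOR + r"\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0123456789ABCDEF&0",
           "", event_id=12),
]


def run(events: list[dict], approved: set[str] | None = None) -> list[Alert]:
    """Feed events through one detector and return the first-seen alerts it raises."""
    detector = FirstSeenUsbDetector(approved_serials=set(approved or ()))
    return [alert for alert in (detector.process(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, approved={"0123456789ABCDEF"}):
        print(f"[first-seen USB] host={alert.host} user={alert.user} "
              f"device={alert.device} instance={alert.instance} name={alert.friendly_name!r}")
```

With the Kingston serial on the allowlist only the SanDisk device alerts, and only once even though its FriendlyName is written again on re-insertion; without an allowlist both devices alert. The baseline is keyed per host, so the same drive moving between workstations is reported on each of them, which is the behaviour you want when looking for the lateral-movement pattern in the attack chain above.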

Detection coverage (2 rules)

First Time Seen USB Device Registry Modification (severity: low)

Detects first-time seen removable devices via registry modifications.

Rule type: sigma
Tactics: exfiltration, initial_access
Techniques: T1052, T1052.001, T1091
Sources: registry_set, windows

USB Device FriendlyName Registry Monitoring (severity: low)

Detects registry modifications related to USB device FriendlyName creation or modification.

Rule type: sigma
Tactics: exfiltration, initial_access
Techniques: T1052, T1052.001, T1091
Sources: registry_set, windows
