First Time USB Usage

Description

Find systems the first time they generate Windows Event ID 20001, which for some customers occurs when a USB drive is plugged in.


Use Case

Insider Threat

Category

Data Exfiltration

Security Impact

USB is a common attack vector for many different kinds of malicious deliverables. Your corporation may have a policy of not allowing removable media at all, or may only allow approved media to be used. By Splunking USB activity from Windows and other endpoints using the Universal Forwarder, we can get a feeling for what systems might be vulnerable to attack, or what users might need a security training refresher. This example demonstrates that if we have the USB usage data in Splunk, we can determine the first time a “new device” is used on an endpoint. This activity might result in an alert or a notable event so that security personnel can conduct follow-up.

Alert Volume

Medium

SPL Difficulty

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Lateral Movement
Collection
Exfiltration

MITRE ATT&CK Techniques

Replication Through Removable Media
Data from Removable Media
Exfiltration Over Physical Medium

MITRE Threat Groups

APT28
Darkhotel
Gamaredon Group
Machete
Turla

Kill Chain Phases

Delivery

Data Sources

DLP
Endpoint Detection and Response

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted. For this example this is tricky, since in our testing some systems generate system EventCode 20001 when a USB drive is plugged in, and others do not, and it is not clear why. You may wish to switch the base dataset here with endpoint DLP if available, as it would more reliably track USB key usage.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache dropdown below and select the sample item. A window will pop up telling you more about this feature.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This will obviously fire any time a USB key is inserted for the first time, which is not an explicit indicator of suspicious activity. Instead, use these results for context, or to aggregate risk (as mentioned under How To Respond).

How To Respond

When this search returns values, initiate your incident response process and identify the physical location of the system. Determine the system owner and inform them of this action. Work with the system owner to determine next steps or note that this is authorized and by whom. USB insertions that are unauthorized could be used as a mechanism to infect a machine.

Help

First Time USB Usage Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of Windows Event ID 20001 logs, which on that system correlated with USB drive usage. (You may also get value from endpoint DLP and similar sources; we have also seen a larger customer whose Splunk installation did not have 20001 logs showing up at all.) For this analysis, we look at the first time that Event ID shows up from each system and alert if that was in the last day.

SPL for First Time USB Usage

Demo Data

First we pull in our demo dataset.
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
Next we calculate the most recent timestamp in our demo dataset, which stands in for "now".
We end by seeing if the earliest time we've seen this value is within the last day of the end of our demo dataset.

Live Data

Here we start with our basic dataset of Windows System Logs, filtered for EventCode 20001, which shows up in some (but not all) systems on USB drive insertion. Notably, the technique of searching for the literal value (20001) before the field=value filter (EventCode=20001) can bypass some quirks around field extractions and make searches faster on very large datasets (though that's an area of active work, and it's less true every year).
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.
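An added example that reconstructs the Live Data search from the three steps above; this is not the page's own SPL. The index name and sourcetype are assumptions, and the inline ``` comments ``` require Splunk 8.0 or later.

```spl
index=wineventlog sourcetype="WinEventLog:System" 20001 EventCode=20001 ```index and sourcetype are assumptions; adjust to your environment```
| stats earliest(_time) as earliest latest(_time) as latest count by host
| where earliest >= relative_time(now(), "-1d@d") ```keep hosts whose first 20001 event fell within the last day```
| convert ctime(earliest) as first_seen ctime(latest) as last_seen
| table host first_seen last_seen count
```

For the static demo dataset, where now() is long after the data ends, add `| eventstats max(latest) as maxlatest` after the stats line and compare against `relative_time(maxlatest, "-1d@d")` instead.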

Accelerated Data

Here, tstats pulls in a single command a very fast count per system, per day of EventCode 20001, which shows up in some (but not all) systems on USB drive insertion.
It is usually easiest to work with data model acceleration after we've renamed the fields to something a little friendlier.
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.
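An added example of the Accelerated Data variant described above, not the page's own SPL. It assumes an accelerated data model and object named Removable_Media.USB_Events with host and EventCode fields; both names are placeholders to replace with your own, and the inline ``` comments ``` require Splunk 8.0 or later.

```spl
| tstats summariesonly=true count from datamodel=Removable_Media.USB_Events where USB_Events.EventCode=20001 by USB_Events.host _time span=1d ```Removable_Media.USB_Events is a placeholder data model and object```
| rename USB_Events.host as host ```friendlier field names before the stats step```
| stats earliest(_time) as earliest latest(_time) as latest sum(count) as count by host
| where earliest >= relative_time(now(), "-1d@d") ```first daily bucket with 20001 on this host was within the last day```
| convert ctime(earliest) as first_seen ctime(latest) as last_seen
| table host first_seen last_seen count
```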