Splunk Search

Finding USB and Removable Media Detection

alice_waynecorp
New Member

I've recently had some ransomware that I think came off of a user's USB drive. I am worried he might have shared it with other people, but he can't remember the name of the USB drive and now he lost it :-/. I found a search on http://gosplunk.com/ (see below) that I thought would work, but it doesn't find it for his Windows 10 machine. Anyone have any ideas? I am collecting most Windows logs AND WinRegistry.

sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*" registry_type=CreateKey | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "(?i)key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S" | stats count by Date, host, Vendor, Product, DeviceType | fields - count | sort - Date

rkovar_splunk
Splunk Employee

Hey Alice, I ran into the same problem before. The issue seems to be that Windows puts its USB insertion information in 17 different registry keys [1], so you may actually need to look in multiple places. The search below is kind of a sledgehammer, but the "data" field I list out below tends to show the actual "USB" device name.

sourcetype=WinRegistry "HKLM\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\EMDMgmt\\" OR "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\" OR "HKLM\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\STORAGE\\Volume\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\USB\\VID_111D&PID_0000\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\" OR "HKLM\\SYSTEM\\ControlSet001\\Enum\\WpdBusEnumRoot\\UMB\\" OR "HKLM\\SYSTEM\\ControlSet002\\Control\\DeviceClasses\\" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\STORAGE\\Volume\\" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\USB\\VID_111D&PID_0000" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\USBSTOR\\" OR "HKLM\\SYSTEM\\ControlSet002\\Enum\\WpdBusEnumRoot\\UMB\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\STORAGE\\Volume\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_111D&PID_0000\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\" OR "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\WpdBusEnumRoot\\UMB" | stats count by data

[1] http://www.forensicmag.com/article/2012/08/windows-7-registry-forensics-part-6
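As an added example (not code from either post), here is the parsing that the question's rex and the answer's key list are doing, written in Python over constructed WinRegistry-style events: it pulls vendor, product and serial out of the USBSTOR key path case-insensitively, flags Windows-generated serials that cannot be correlated across machines, and lists every host on which a given stick's device key was created, which is the "did he plug it in anywhere else" question. Field and host names are assumptions.

```python
import re
from collections import defaultdict

# USBSTOR device key, matched case-insensitively (Splunk's rex is case-sensitive
# while the real key names are mixed case) and with the instance-id subkey
# captured so one stick can be correlated across hosts.
USBSTOR_RE = re.compile(
    r"\\usbstor\\(?P<DeviceType>[^&\\]+)&ven_(?P<Vendor>[^&\\]*)"
    r"&prod_(?P<Product>[^&\\]*)&rev_(?P<Rev>[^&\\]*)(?:\\(?P<Serial>[^\\]+))?",
    re.IGNORECASE,
)

def parse_usbstor_key_path(key_path):
    """Return device fields for a USBSTOR key path, or None if it is not one."""
    m = USBSTOR_RE.search(key_path)
    if not m:
        return None
    fields = m.groupdict()
    instance = fields.pop("Serial")
    if instance:
        # Instance id is <serial>&<port>. A '&' as the second character means the
        # device reported no serial and Windows generated a per-machine id, which
        # cannot be used to correlate the same stick across hosts.
        fields["Serial"] = instance.rsplit("&", 1)[0]
        fields["SerialIsGenerated"] = instance[1:2] == "&"
    return fields

def hosts_by_device(events):
    """Map (Vendor, Product, Serial) -> sorted hosts whose USBSTOR key for that
    device was created. events are dicts shaped like WinRegistry fields."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("registry_type") != "CreateKey":
            continue
        d = parse_usbstor_key_path(ev.get("key_path", ""))
        if d and d.get("Serial") and not d["SerialIsGenerated"]:
            seen[(d["Vendor"], d["Product"], d["Serial"])].add(ev["host"])
    return {k: sorted(v) for k, v in seen.items()}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"host": "WS01", "registry_type": "CreateKey",
     "key_path": r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567&0"},
    {"host": "WS02", "registry_type": "CreateKey",
     "key_path": r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567&0"},
    {"host": "WS01", "registry_type": "SetValue",
     "key_path": r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567&0\FriendlyName"},
    {"host": "WS03", "registry_type": "CreateKey",
     "key_path": r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0"},
]
```

The same idea in Splunk terms is to keep the serial subkey in the rex and then `stats values(host) by Vendor, Product, Serial`, ignoring serials whose second character is `&`.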
