Files Copied to USB Drives
| Id | 3ab04acf-e0e7-4f7c-8995-748ab4c848c2 |
| Rulename | Files Copied to USB Drives |
| Description | This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types. |
| Severity | High |
| Tactics | Exfiltration |
| Techniques | T1041 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml |
| Version | 1.0.0 |
| Arm template | 3ab04acf-e0e7-4f7c-8995-748ab4c848c2.json |
let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated,
ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId,DeviceId,InitiatingProcessAccountDomain,
InitiatingProcessAccountName,InitiatingProcessAccountUpn,
FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, TimeGenerated desc;
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where TimeGenerated >= MountTime
| partition hint.strategy=native by ReportId ( top 1 by MountTime )
| order by DeviceId asc, TimeGenerated desc
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
| extend FileHashAlgorithm = 'SHA256'
severity: High
relevantTechniques:
- T1041
queryFrequency: 1h
kind: Scheduled
version: 1.0.0
name: Files Copied to USB Drives
triggerOperator: gt
description: |
This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.
queryPeriod: 1h
query: |
let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated,
ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId,DeviceId,InitiatingProcessAccountDomain,
InitiatingProcessAccountName,InitiatingProcessAccountUpn,
FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, TimeGenerated desc;
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where TimeGenerated >= MountTime
| partition hint.strategy=native by ReportId ( top 1 by MountTime )
| order by DeviceId asc, TimeGenerated desc
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
| extend FileHashAlgorithm = 'SHA256'
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
- entityType: File
fieldMappings:
- columnName: FileName
identifier: Name
- columnName: FolderPath
identifier: Directory
- entityType: FileHash
fieldMappings:
- columnName: FileHashAlgorithm
identifier: Algorithm
- columnName: SHA256
identifier: Value
tactics:
- Exfiltration
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml
id: 3ab04acf-e0e7-4f7c-8995-748ab4c848c2
requiredDataConnectors:
- dataTypes:
- DeviceEvents
- DeviceFileEvents
connectorId: MicrosoftThreatProtection
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3ab04acf-e0e7-4f7c-8995-748ab4c848c2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3ab04acf-e0e7-4f7c-8995-748ab4c848c2')]",
"properties": {
"alertRuleTemplateName": "3ab04acf-e0e7-4f7c-8995-748ab4c848c2",
"customDetails": null,
"description": "This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.\n",
"displayName": "Files Copied to USB Drives",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FileName",
"identifier": "Name"
},
{
"columnName": "FolderPath",
"identifier": "Directory"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "FileHashAlgorithm",
"identifier": "Algorithm"
},
{
"columnName": "SHA256",
"identifier": "Value"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml",
"query": "let UsbDriveMount = DeviceEvents\n| where ActionType==\"UsbDriveMounted\"\n| extend ParsedFields=parse_json(AdditionalFields)\n| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated,\nProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer\n| order by DeviceId asc, MountTime desc;\nlet FileCreation = DeviceFileEvents\n| where InitiatingProcessAccountName != \"system\"\n| where ActionType == \"FileCreated\"\n| where FolderPath !startswith \"C:\\\\\"\n| where FolderPath !startswith \"\\\\\"\n| project ReportId,DeviceId,InitiatingProcessAccountDomain,\nInitiatingProcessAccountName,InitiatingProcessAccountUpn,\nFileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied\n| order by DeviceId asc, TimeGenerated desc;\nFileCreation | lookup kind=inner (UsbDriveMount) on DeviceId\n| where FolderPath startswith DriveLetter\n| where TimeGenerated >= MountTime\n| partition hint.strategy=native by ReportId ( top 1 by MountTime )\n| order by DeviceId asc, TimeGenerated desc\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n| extend FileHashAlgorithm = 'SHA256'\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration"
],
"techniques": [
"T1041"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}