Hackers will use any method to gain access to a system, even if this means dropping a USB stick on the floor.
Now I know what you’re thinking…no-one is that stupid to plug in a USB stick they “found” into their computer….
Well you’ll be surprised…. a couple of years ago there was a study at the University of Illinois, they dropped over 200 USB sticks with the capability of phoning home when you plugged them in.
Out of the 200 odd USB sticks over 45% of them were plugged in….INSANE!
In this 2 Part Blog Series, I would like to demonstrate how I used Azure Sentinel to proactively hunt for malicious activity from removable storage, more specifically a USB and if any code was executed after insertion on that machine.
Following this blog post will help you combat the injection of code from a USB device.
This blog post will run through how I used Azure Sentinel to Collect data on the insertion of the USB device, Detect if the USB is threat, Investigate the threat and actions it produced and finally how we Respond to the threat.
Below are some basic prereqs, some essential, some not essential, but overall I would say these are all essential moving forward:
- Azure Experience (essential)
- IT Security Experience (essential)
- Basic Digital Forensics (not essential)
- Log Analytics (essential)
- Azure Sentinel (essential)
- A Physical Asset (essential)
Enough waffle, I’m going to dive straight in…
Firstly we need to deploy the Sentinel/Log Analytics Workspace agent to our demo machine, find your Log Analytics Workspace ID & Key located in “Advanced Settings”
Download the agent onto your machine and input the Workspace ID and Primary Key
Once connected it, you should see it appear in the Virtual Machines Workspace Data Sources.
Suggested long term goal would be to deploy the agent via SCCM, PowerShell or Azure Automation
Now we’ve got our machine reporting to our Workspace we need to configure a few more bits.
We now need to configure data collection for that specific event log, which can be found in “Data”
Type “Microsoft-Windows-DriverFrameworks-UserMode/Operational” – then tick Error, Warning & Information and click Save.
For us to be able to gain insight into our log analytics from our demo machine, we must enable the Operational Log inside the Event Viewer on the demo machine as well, which we just installed the agent on, this will start capturing USB flash drive related events.
This can be located here “event viewer” Application and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational
Suggested long term goal would be to implement this via Group Policy.
When you connect a USB flash drive to your system it will create a number of operational events, I’ve already done my due diligence and found the event ID’s which we will need for our digital forensic investigation, which are:
I will now plug in my USB device on my demo machine, you’ll see the event viewer is now capturing the logs, NOTE the Date and Time….this will give you visibility into how quick it gets detected in Azure Sentinel.
If we jump over to the Azure portal and click ‘Hunting’ in the Sentinel blade, we can add a new query to return the results we’re after.
Event | where EventID in (2003, 2004, 2006, 2010, 2100, 2101, 2105, 2106) | order by TimeGenerated desc
Paste in the above query and click Create. This will now create us our very own custom Hunting rule.
Once created, click “Run Query”
After literally seconds you’ll see that Sentinel has now collected that data, which we can now analyse.
If you drill down into one of the results, you can see all the data it’s collected, the deeper you dive it will show you what type of device it is.
It’s a USB, it shows my Laptop Name, you can see It’s a Kingston USB Device, it’s classed as an Event Level 4 which is informational and there’s more data to go analyze.
So this is great, so far we’ve got our Machine reporting to Sentinel, we plugged in a USB and it’s recognizing the data in near real-time!!!
Now if we click one of the results we can Bookmark this for further investigation which we will use in our Part 2.
In Part 2 of this blog series, I’ll continue with the same methodology but actually using a malicious USB Device, which will launch some malicious code once it’s inserted.
#alwayssecurity #alwaysready #alwayscloud #alwaysazureFollow @CraigCloudITPro