Hunting USB Devices with Azure Sentinel: Part 1

Hackers will use any method to gain access to a system, even if this means dropping a USB stick on the floor. Now I know what you’re thinki; there’s no way someone would plug in a USB stick they “found” into their computer, but unfortunately they do. A couple of years ago there was a study at the University of Illinois. They dropped over 200 USB sticks with the capability of phoning home when you plugged them in. Out of the 200 odd USB sticks over 45% of them were plugged in.

I would like to demonstrate how I used Azure Sentinel to proactively hunt for malicious activity from removable storage, more specifically a USB and if any code was executed after insertion on that machine.

Following this blog post will help you combat the injection of code from a USB device.

Here’sh how I used Azure Sentinel to collect data on the insertion of the USB device, detect if the USB is a threat, investigate the threat and actions it produced and– finally– how we should respond to the threat.

Below are some basic prerequisites– some essential, some not essential, but overall I would say these are all essential moving forward:

• Azure Experience (essential)
• IT Security Experience (essential)
• Basic Digital Forensics (not essential)
• Log Analytics (essential)
• Azure Sentinel (essential)
• A Physical Asset (essential)

Let’s dive straight in…

First, we need to deploy the Sentinel/Log Analytics Workspace agent to our demo machine.

• To do this, find your Log Analytics Workspace ID & Key located in “Advanced Settings”.
• Download the agent onto your machine and input the Workspace ID and Primary Key.

• Once connected, you should see it appear in the Virtual Machines Workspace Data Sources.
• Suggested long term goal would be to deploy the agent via SCCM, PowerShell or Azure Automation

Now we’ve got our machine reporting to our Workspace we need to configure a few more bits. We now need to configure data collection for that specific event log, which can be found in “Data”.

• Type “Microsoft-Windows-DriverFrameworks-UserMode/Operational” – then tick Error, Warning & Information and click Save.

For us to be able to gain insight into our log analytics from our demo machine, we must enable the Operational Log inside the Event Viewer on the demo machine as well, which we just installed the agent on, this will start capturing USB flash drive related events.

• This can be located here “event viewer” Application and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational
• Suggested long term goal would be to implement this via Group Policy.

When you connect a USB flash drive to your system, it will create a number of operational events. I’ve already done my due diligence and found the event IDs which we will need for our digital forensic investigation, which are:

• 2003
• 2004
• 2006
• 2010
• 2100
• 2101
• 2105
• 2106

I will now plug in my USB device on my demo machine. You’ll see the event viewer is now capturing the logs. Note the date and time; this will give you visibility into how quickly it gets detected in Azure Sentinel.

If we jump over to the Azure portal and click ‘Hunting’ in the Sentinel blade, we can add a new query to return the results we’re after.

• Paste in the above query and click Create. This will now create us our very own custom Hunting rule.

• Once created, click “Run Query”.

After literally seconds you’ll see that Sentinel has now collected that data, which we can now analyse.

If you drill down into one of the results, you can see all the data it’s collected, the deeper you dive it will show you what type of device it is.
It’s a USB, it shows my Laptop Name, you can see it’s a Kingston USB Device and it’s classed as an Event Level 4, which is informational and there’s more data to go analyze.

So far, we’ve got our machine reporting to Sentinel, we plugged in a USB and it’s recognizing the data in near real-time.

Now if we click one of the results we can Bookmark this for further investigation, which we will use in the second installment of this blog.

In Part 2 , I’ll continue with the same methodology but actually using a malicious USB Device, which will launch some malicious code once it’s inserted.