In Part 1 of this series, I demonstrated how to enable USB logging and collect the data from a USB device inserted into a demo machine.
I will now run through the same process, but using a malicious USB device which, when plugged in, executes a PowerShell script that downloads a file onto my machine.
- Let’s first check whether any suspicious PowerShell scripts have recently been detected. This can be done in the “Logs” section of Sentinel.
- Paste the query below in; hopefully nothing should display …yet.

```kusto
SecurityAlert
| where ProviderName == "Detection"
| where DisplayName == "Suspicious Powershell Activity Detected"
| order by TimeGenerated desc
```

- Now let’s plug in my device and see what happens.
- If we run our previous query from Part 1, we should see our USB device pop up.

```kusto
Event
| where EventID in (2003, 2004, 2006, 2010, 2100, 2101, 2105, 2106)
| order by TimeGenerated desc
```
- Now let’s re-run our security query to check for PowerShell activity.

```kusto
SecurityAlert
| where ProviderName == "Detection"
| where DisplayName == "Suspicious Powershell Activity Detected"
| order by TimeGenerated desc
```
So you can see below that Sentinel has detected suspicious activity after the USB insertion.
If we drill down further, you can see that some malicious code was executed.
On further investigation, you can see that a payload was injected as soon as the USB was plugged in. The payload ran a malicious PowerShell script which, on closer inspection, turned out to download a file and copy it to my computer.
The one-liner actually launches Command Prompt, which then opens PowerShell to bypass UAC and download a file to the C:\temp folder.
If we have a look at the extended properties, it gives us a clearer visual representation.
Now let’s take a look at the file it downloaded.
How crazy is that!
A USB got plugged in at 09:12, launched a malicious CMD which spawned a PowerShell session, which downloaded a file to my machine, all within a few seconds.
Going forward, I need to be notified by email as soon as this happens, so let’s create a basic Playbook (Logic App) which will email me as soon as this alert is triggered. Because I love automation, this part was really cool.
- Hop over to Sentinel, click “Playbooks” then “Add playbook”, fill in the required information and click Create.
- Once your playbook is created, select “Blank Logic App”.
- Search for “Sentinel” in the connections and triggers bar.
At the time of writing there is only one trigger for Sentinel.
- Make your connection to Sentinel.
- Next click “+ New Step” and search for YOUR email action; for me, I’ll be using Outlook.com.
- Fill in the Body, Subject and To sections with whichever information you’d like to be emailed once an alert is triggered.
I’ve done some basic formatting inside the body of the email, so my email alert makes sense and is laid out nicely.
- Click Save. We can now attach our playbook to the security query. For us to be notified of this, we need to create a Scheduled Analytic Query Rule.
- Click “Analytics” and “Create – Scheduled query rule”.
- Click “next” to create the Rule Logic and paste in the above query.
Here I’ve defined that I want to be alerted on any detections that contain “Suspicious PowerShell Activity Detected”. You can set your own frequency depending on your requirements. As with Log Analytics, the lowest frequency is 5 minutes.
- Run through the rest of the setup and Save.
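As an added example (not part of the original post), here is a correlation query that could be used as the rule logic instead of the bare alert query: it only fires when a suspicious PowerShell alert lands on the same host within a few minutes of one of the USB insertion events collected in Part 1, which is exactly the sequence seen at 09:12 above. It assumes the USB events live in the Event table as in the queries above and that the alert’s CompromisedEntity carries the host name; the 1-day lookback, 5-minute window and short-hostname normalisation are my own assumptions.

```kusto
// Added example: alert only when a suspicious PowerShell alert follows a USB
// insertion on the same host. Lookback and window values are assumptions.
let lookback = 1d;
let window = 5m;
// USB insertion events collected in Part 1 (same EventIDs as the query above).
let usb_inserts =
    Event
    | where TimeGenerated > ago(lookback)
    | where EventID in (2003, 2004, 2006, 2010, 2100, 2101, 2105, 2106)
    // Event.Computer is usually an FQDN; keep only the short host name
    // so it can be matched against the alert's CompromisedEntity.
    | extend Host = tolower(tostring(split(Computer, ".")[0]))
    | project UsbTime = TimeGenerated, Host, EventID;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName == "Detection"
| where DisplayName == "Suspicious Powershell Activity Detected"
| extend Host = tolower(tostring(split(CompromisedEntity, ".")[0]))
| project AlertTime = TimeGenerated, Host, DisplayName, AlertSeverity, Description
| join kind=inner usb_inserts on Host
// Only keep alerts raised within `window` after the USB event.
| where AlertTime between (UsbTime .. (UsbTime + window))
| extend SecondsAfterInsert = datetime_diff("second", AlertTime, UsbTime)
| project UsbTime, AlertTime, SecondsAfterInsert, Host, EventID, DisplayName, AlertSeverity
| order by AlertTime desc
```

If your alerts record the host in a different form (for example an IP address or a different entity field), adjust the Host extraction on both sides before relying on the join.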
Now I’m going to repeat the same steps as before: I plug my USB, which contains a malicious script to download a file onto my machine, back into my demo machine, and after 2-3 minutes I got an email.
Now the great thing about the playbook we made is that we can assign it to multiple analytic rules, so you can make as many playbooks as you want, incorporating different methods, and assign whichever ones you wish to that alert. If you have a team of security analysts proactively hunting for threats, they should be able to pick this up very quickly. Sentinel’s built-in queries are useful, but you may want to create your own. Collecting all your logs is great, but that’s not providing any prevention. Collection isn’t Detection.