Monday, November 12, 2018

Monitoring USB Storage Activity with Splunk – Part II (Read/Write/Delete/Modify events)

By Tony Lee

Welcome to Part two in our series on Monitoring USB Storage Activity. In the first article (http://www.securitysynapse.com/2018/11/monitoring-usb-storage-activity-part-1.html), we examined what is required to monitor USB Storage connect and disconnect events. But how about activity that happens after the drives are connected? The good news is that this is also possible using Microsoft Windows Event logs and a bit of data crunching effort. In this article we will again use Splunk to aggregate, process, and display the logs. As a bonus, we will not only outline the steps to accomplish this task, but we will also provide working dashboard code at the end of the article.

Note: The Audit Removable Storage policy is only available in Windows 8 / 2008 and above; it is not available in Windows 7 / 2003.  ☹

Figure 1:  Dashboard provided at the end of the article


High-level steps

There are two main steps needed to accomplish this task. We need to generate and collect the Windows event logs and then we need to process and display the logs within Splunk. Each is outlined below.

Windows Event Generation
For Windows 8 / 2008 hosts and above, Microsoft USB activity logs can be enabled manually one machine at a time or via Group Policy (see references section below for instructions). For this demo, we will show how to enable it on one machine using Local Security Policy:  Advanced Audit Policy Configuration > System Audit Policies > Local Group > Object Access > Audit Removable Storage

Figure 2:  Enabling Audit of Removable Storage

Double-click the policy and enable auditing for both Success and Failure. After enabling auditing, we rebooted for good measure, because hey, this is Windows.

Activity Event IDs
Now that Audit Removable Storage is enabled, open Event Viewer > Windows Logs > Security.  Select Filter Current Log on the right-hand side, enter 4663 as the event ID, and click OK.  Insert a USB device and click the Refresh button on the right-hand side. If all is well, there should be multiple 4663 success events. Note that Event ID 4656 is used for failures.
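The enable, verify, and inspect steps above can also be driven from an elevated PowerShell prompt. The block below is an added example, not code from the original article or its dashboard. It assumes an English Windows install (the message labels are the English ones from the sample event later in the article), that the auditpol subcategory is named "Removable Storage" as in Local Security Policy, and that the noise process path is a placeholder to replace with what your own environment shows.

```powershell
# Added example (not from the original article or its dashboard): enable the
# Removable Storage audit subcategory, verify it, and inspect the resulting 4663
# events locally, all from an elevated PowerShell prompt. Assumes an English
# Windows install (the message labels below are the English ones shown in the
# article's sample event).

# 1. Enable Success and Failure auditing for the subcategory. This is the same
#    setting as the Local Security Policy path described in the text.
auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null

# 2. Verify the effective setting; the output should read "Success and Failure".
auditpol.exe /get /subcategory:"Removable Storage"

# Pulls one labelled value ("Label:   value") out of a 4663 message body.
# Only the first line after the label is returned, so an event listing several
# accesses yields just the first one (the article's example has a single DELETE).
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^[ \t]*" + [regex]::Escape($Label) + "[ \t]*:[ \t]*(.+?)[ \t\r]*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

# 3. Read recent 4663 events and keep the Removable Storage task category only,
#    mirroring TaskCategory="Removable Storage" in the dashboard queries.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.TaskDisplayName -eq 'Removable Storage' }

# 4. Extract the fields the dashboard tables on (names match the Splunk fields).
$parsed = foreach ($e in $events) {
    [pscustomobject]@{
        Time         = $e.TimeCreated
        ComputerName = $e.MachineName
        Account_Name = Get-MessageField -Message $e.Message -Label 'Account Name'
        Object_Name  = Get-MessageField -Message $e.Message -Label 'Object Name'
        Accesses     = Get-MessageField -Message $e.Message -Label 'Accesses'
        Process_Name = Get-MessageField -Message $e.Message -Label 'Process Name'
    }
}

# 5. Noise filter: processes that touch removable media on their own (AV
#    scanners, indexers). The path is a placeholder; replace it with what you
#    see in your own Top Process_Name panel.
$noiseProcesses = @('C:\Program Files\ExampleScanner\scanner.exe')   # placeholder value
$filtered = $parsed | Where-Object { $noiseProcesses -notcontains $_.Process_Name }

# 6. Collapse exact duplicates on the same key the dashboard dedups on, then
#    summarize like the Top Accesses / Top Process_Name panels and list details.
$unique = $filtered | Sort-Object Time, ComputerName, Account_Name, Accesses, Process_Name, Object_Name -Unique
$unique | Group-Object Accesses     | Sort-Object Count -Descending | Select-Object Count, Name
$unique | Group-Object Process_Name | Sort-Object Count -Descending | Select-Object Count, Name
$unique | Format-Table Time, Account_Name, Accesses, Process_Name, Object_Name -AutoSize
```

Running this before touching the forwarder separates the two failure modes discussed in the comments: if the local query returns nothing, the audit policy or the device is the problem; if it returns events that never reach the wineventlog index, the Universal Forwarder configuration is.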


Figure 3:  Testing 4663 and 4656 event visibility

Feel free to explore the data within each event, but take note that for USB auditing the events we care about have a Task Category of “Removable Storage”. For convenience, we provide a file delete event below:

XX/XX/XXXX 05:54:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=DESKTOP-8HSPO8Q
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=1211
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
Security ID: S-1-5-21-XXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX
Account Name: User
Account Domain: DESKTOP-8HSPO8Q
Logon ID: 0x229E9

Object:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume7\New Microsoft Word Document.docx
Handle ID: 0x1404
Resource Attributes:

Process Information:
Process ID: 0x17b4
Process Name: C:\Windows\explorer.exe

Access Request Information:
Accesses: DELETE

Access Mask: 0x10000



Windows Event Collection
Now that the logs are being generated, they need to be forwarded from the endpoints to a central location—in this case Splunk. This task could be accomplished using a number of methods such as Windows Event Collector (WEC), a Splunk Universal Forwarder agent, or some other forwarding method. For this demo, we will use a Splunk Universal Forwarder, shown in the next section.

Splunk

While we are assuming a functional Splunk Enterprise installation exists, we still need to collect the logs. We provide a sample Splunk Universal Forwarder configuration file below to help those using the Splunk Universal Forwarder. Note: we will be placing the events into an index called wineventlog. If this index does not already exist, you will first need to create it.

inputs.conf 
Located on the Windows endpoint (Usually found here:  C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf)

[WinEventLog://Security]
index = wineventlog
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
whitelist = 4663, 4656


Once the inputs.conf file is properly configured (and the universal forwarder restarted) to collect these logs from the endpoint, we need to verify that the logs are reaching Splunk. Try running the following Splunk search:

index=wineventlog 


If you see results, try something more specific, such as either of the following:

index=wineventlog EventCode=4663
index=wineventlog EventCode=4656


Conclusion

Now that we have the proper event IDs flowing into Splunk, we created a Removable Storage Activity dashboard. The dashboard provides statistical analysis for top accounts, hostnames, actions, and processes. It even includes events over time by hostname and action, along with the details needed to investigate USB connections. Because there may be applications within an environment that scan or interact with removable storage, it may be necessary to add filters, customized for each environment, to reduce noise. For your convenience, we included the dashboard code below.

Acknowledgement and References

https://www.eventtracker.com/tech-articles/tracking-removable-storage-windows-security-log/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj574128(v=ws.11)


Dashboard Code

The following dashboard assumes that the appropriate logs are being collected and sent to Splunk. Additionally, the dashboard code assumes an index of wineventlog. Feel free to adjust as necessary. Splunk dashboard code provided below:


<form>
  <label>Removable Storage Activity</label>
  <description>index=wineventlog EventCode=4663 TaskCategory="Removable Storage"</description>
  <fieldset autoRun="true" submitButton="true">
    <input type="time" token="time">
      <label>Time Range</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
    <input type="text" token="wild">
      <label>Wildcard Search</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="Accesses">
      <label>Actions (Accesses)</label>
      <choice value="*">All</choice>
      <choice value="ReadData (or ListDirectory)">ReadData (or ListDirectory)</choice>
      <choice value="WriteData (or AddFile)">WriteData (or AddFile)</choice>
      <choice value="AppendData (or AddSubdirectory or CreatePipeInstance)">AppendData (or AddSubdirectory or CreatePipeInstance)</choice>
      <choice value="DELETE">DELETE</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>Accesses="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Total events</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>Top Account_Domain</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Account_Domain</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top ComputerName</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 ComputerName</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Account_Name</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Account_Name</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Top Accesses</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Accesses</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Process_Name</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | top limit=0 Process_Name</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Activity Over Time</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | eval ComputerAction = ComputerName + ":" + Accesses | timechart count(ComputerAction) by ComputerAction</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Details</title>
        <search>
          <query>index=wineventlog EventCode=4663 TaskCategory="Removable Storage" $wild$ $Accesses$ | dedup _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name | table _time, Account_Domain, ComputerName, Account_Name, Accesses, Process_Name, Object_Name</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>



15 comments:

  1. Hi,

    I followed the steps but am still not able to see events 4663 and 4665 in Event Viewer. Is there anything missing?

    1. Hmmm... Let's go down a quick checklist:
      1) You enabled the control via group or local policy?
      2) Windows 8 / 2008 and above?
      3) Did you reboot for good measure?
      4) You plugged in a device right?
      5) Do you have any device control software preventing the drive from mounting, which may prevent the event ID?

      Let us know!

  2. 1) You enabled the control via group or local policy? Local Policy
    2) Windows 8 / 2008 and above? Win 10
    3) Did you reboot for good measure? Yes
    4) You plugged in a device right? Yes
    5) Do you have any device control software preventing the drive from mounting, which may prevent the event ID? No

    Also, Part I worked great for USB pen drives but not for USB hard drives. Can you please explain how to detect all kinds of USB devices when plugged in?

    Thank you

    1. Interesting... Ensure you are auditing for Success and Failure. Also, be sure to check the Windows Security event logs on the local system using Event Viewer to make sure they are being generated. If they are generated, it is a Splunk issue. If they are not being generated, it is a Windows event logging issue.

      Also in regards to the USB hard drives vs. thumb drives.... they should both be detected.

  3. Auditing for Success and Failure? Yes
    Windows Security Event logs generated? yes

    I just see thumb drives in Splunk but not USB hard drives; the counter doesn't even go up or down when plugging in USB hard drives.

    I see the number of logs go up in Splunk.

    For USB hard drives, do they use a different event ID?

    1. Should be the same event ID. First try to find the log in the Windows Event log. That way you eliminate Splunk from being the potential cause.

      So it sounds like you are generating the Windows Security Event, but it is not being sent to Splunk? If that is the case, it is probably the Universal forwarder config. Remember when you change the UF config, you also need to restart the Splunk UF service to read in the config again.

  4. Thank you for getting back to me quickly.

    Logs are there in Windows Event log, Splunk Universal forwarder is configured and sending logs to Splunk.


    The only issue is the USB hard drives; thumb drives show up in Splunk, but when I plug in USB hard drives the counter won't increment in the dashboard and stays the same.

    1. Thanks for confirming the logs.

      Do you have other USB hard drives to confirm this with? I believe I used a Western Digital Passport to confirm functionality at one point?

  5. Looks like it's a different log message in Splunk for a thumb drive and a USB hard drive, or even for phones.

    USB Hard Drive Message is:
    The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device SWD\WPDBUSENUM\{92047E88-F82B-11EA-8570-00224D50661A}#000000AA60D00000.

    USB Thumb Drive:
    The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_GLIDE_3.0&REV_1.00#4C530000100930118272&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}.

    iPhone:
    The UMDF Host Process ({a5dcff3f-af0e-4aee-b7e1-4ca2183c76eb}) has been asked to load drivers for device USB\VID_05AC&PID_12A8&MI_00\7&472CBA0&0&0000.


    The thumb drive shows the vendor and your field extraction works for the thumb drive but not for other USB devices.

    Any solution to this?

    Thank you

    1. Did you check the other event IDs for anything that would be a better fit? You are probably using event ID 2003 for this? How about any of these:
      2004
      2006
      2010
      2100
      2101
      2105
      2106

  6. I tried the above-mentioned event IDs for the Western Digital Passport; they did not work. Please see the messages for event IDs 2004 & 2003 for the Western Digital Passport.


    Message
    The UMDF Host is loading driver WpdFs at level 0 for device SWD\WPDBUSENUM\{92047E88-F82B-11EA-8570-00224D50661A}#000000AA60D00000.

    Event ID 2003
    The UMDF Host Process ({510b5eb8-b9fb-4f2f-bd3c-320f6db1eaec}) has been asked to load drivers for device SWD\WPDBUSENUM\{92047E88-F82B-11EA-8570-00224D50661A}#000000AA60D00000.

    1. Interesting... Need to see if I can replicate or research. Let me know if you find something first.

  7. Looks like you have to do some extraction based on vendor ID.
    The message for the iPhone shows USB\VID_05AC, not USBSTOR#DISK.

  8. Great guide Tony! Thank you so much for posting :)

    I had an issue of being able to see EventCode 2003 and 2102 in Event Viewer and subsequently in Splunk (Part 1 of this series), but not EventCode 4663. Followed this guide: https://www.surfacetablethelp.com/2018/12/removable-storage-inspection-not-generate-4663-events-logged-with-windows-10-1809.html.

    Now I can see the events in both Event Viewer and Splunk :)

    1. Glad you found it useful and thanks for the additional resource! We appreciate it. Have an awesome day.
