Using Splunk to Monitor USB Removable Storage Devices

By: Pete Chen | Splunk Practice Team Lead


Windows Event Log Monitoring

Abstract

Information security is only as effective as the physical security policies behind it. Splunk continues to be a valuable tool for gaining insight into risk and for threat detection. As more security operations centers (SOCs) look to limit the exposure of sensitive data, USB removable storage devices (thumb drives, external hard drives, cell phones with high-capacity storage, and SD cards) introduce risk. These devices are useful as a backup location for important documents and files, and for moving data from one system to another. They can also be used to steal data or move it to an unsecured location. Using Splunk, a security team can monitor when these devices are plugged into systems.

Using Windows

Windows information on USB devices can be found here:

Information on USB devices in Windows needs to be enabled before moving forward. Windows records the events used here in the Microsoft-Windows-DriverFrameworks-UserMode/Operational log, and the current default in administrative policy is to have this log disabled. Enabling it requires administrative access to Windows.

Test Procedures

Devices
By default, the Windows operational log for user-mode driver events is disabled, which means there is no historical data to draw upon. Once operational logging is enabled, it's important to generate data by plugging in different devices. Record the time each device was plugged in, when the device was stopped via software (Safely Remove Hardware), and when it was physically removed.

Insert Time  Stop Time  Remove Time  Device
10:20am      10:23am    10:24am      Generic USB Drive
10:29am      10:30am    10:31am      Kingston Micro SD Card
10:33am      10:36am    10:37am      Seagate USB External Drive
10:45am      10:52am    10:53am      Western Digital External Hard Drive (Micro USB)

Different devices should produce different results, especially when the vendor ID and product ID are recorded. A list of USB IDs can be found here:
https://www.linux-usb.org/usb.ids

Adding Data to Splunk

Perform a series of tests (inserting and removing USB devices) to generate a log full of events to be exported. While it's possible to ingest the data through the Splunk Add-on for Windows, doing so without the add-on requires exporting the log as a text file with tab-separated fields.
In Splunk, add the data using the UI: select Add Data, then Upload.

Screenshot of Splunk’s “Add Data” interface showing three main options: upload, monitor and forward, each represented by green icons.

Based on how the data was exported from Windows, select the following sourcetype:

Structure >> TSV (Tab-Separated Value)

Splunk interface showing the source type dropdown menu with categories like Application, Database, Email, Network & Security and Structured data formats like CSV and JSON.

Create a new index, such as “wineventlog”, to group the events and make searching easier.

Event ID

Identifying Microsoft's Event IDs is one of the requirements for identifying when a USB device has been inserted. This helps to refine a search for qualifying events and eliminate non-useful events from the group. A Splunk search was used to count the occurrences of each Event ID seen in the logs.

The values of the Event IDs are:

Event ID | Category | Message
1000 | Startup of the driver manager service. | The Driver Manager service started successfully.
1003 | Creation of a new driver host process. | The Driver Manager service is starting a host process for device (Device){GUID}.
1004 | Creation of a new driver host process. | The host process ({GUID}) started successfully.
1006 | Shutdown of a driver host process. | The host process ({GUID}) is being asked to shutdown.
1008 | Shutdown of a driver host process. | The host process ({GUID}) has been shutdown.
2000 | Startup of a new driver host process. | The UMDF Host Process ({GUID}) is starting up.
2001 | Startup of a new driver host process. | The UMDF Host Process ({GUID}) started successfully.
2003 | Loading drivers to control a newly discovered device. | The UMDF Host Process ({GUID}) has been asked to load drivers for device (Device).
2004 | Loading drivers to control a newly discovered device. | The UMDF Host is loading driver WUDFUsbccidDriver at level 0 for device (Device).
2005 | Loading drivers to control a newly discovered device. | The UMDF Host Process ({GUID}) has loaded module C:\windows\System32\USER32.dll while loading drivers for device (Device).
2006 | Loading drivers to control a newly discovered device. | The UMDF Host successfully loaded the driver at level 0.
2010 | Loading drivers to control a newly discovered device. | The UMDF Host Process ({GUID}) has successfully loaded drivers for device (Device).
2100 | Pnp or Power Management operation to a particular device. | Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device).
2101 | Pnp or Power Management operation to a particular device. | Completed a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) with status 0x0.
2102 | Pnp or Power Management operation to a particular device. | Forwarded a finished Pnp or Power operation (RequestMajorCode, RequestMinorCode) to the lower driver for device (Device) with status 0x0.
2105 | Pnp or Power Management operation to a particular device. | Forwarded a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) to the lower driver with status 0xC00000BB.
2106 | Pnp or Power Management operation to a particular device. | Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) which was completed by the lower drivers with status 0x0.
2900 | Shutdown of a driver host process. | The UMDF Host ({GUID}) has been asked to shutdown.
2901 | Shutdown of a driver host process. | The UMDF Host ({GUID}) has shutdown.

*Placeholders such as (Device), {GUID}, RequestMajorCode and RequestMinorCode stand for the specific values that appear in actual events.

In reviewing the events, we concluded that Event IDs 1003, 2003, and 2102 provide the best group of events to identify when a device is inserted and removed without being overly verbose. If event filtering is available before ingestion into Splunk, these are the events most worth keeping. From what we have seen, 1003 seems to capture USB removable drives but not mobile devices, while 2003 seems to capture MTP devices. Note that 2102 is logged for every forwarded PnP or Power operation, not only removals, so a search should read the RequestMajorCode and RequestMinorCode pair in the message rather than treat every 2102 as a device removal.

Splunk

The Search
Ultimately, the data with the corresponding Event IDs was used to formulate a search that returns relevant information about when a USB device was inserted or removed.

Block of search query code written for Splunk using index filtering, renaming fields, regular expressions and eval statements to categorize device events.

Line Notes

Table listing Splunk query line numbers alongside notes that explain the purpose of each line, including filtering logs, creating fields and transforming time formats.

The Results

Search results table in Splunk showing columns like date_time, host, event_id, action, device and Vendor_id to track device connection events across a system.
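The search itself survives on this page only as a screenshot, so what follows is an added example, not the post's own Splunk search, that applies the same selection and categorization logic in Python over a constructed tab-separated export: keep 1003, 2003 and 2102, read the (RequestMajorCode, RequestMinorCode) pair in 2102 messages to tell a removal apart from other PnP traffic, pull out the host process GUID, device path and vendor/product IDs that the Future Consideration section points at, and pair each insert with its removal the way the test-procedure table does. The column names, hostname, timestamps, GUIDs, VID/PID values and device paths are invented for the example; the IRP codes are the documented WDM values (IRP_MJ_PNP = 0x1B, IRP_MN_REMOVE_DEVICE = 0x02, IRP_MN_SURPRISE_REMOVAL = 0x17); the Ven_/Prod_ fallback for WPDBUSENUM disk paths is an assumption about how those paths look.

```python
import csv
import io
import re

# Event IDs the post singles out: 1003 and 2003 mark a device arriving, and
# 2102 carries the PnP operation that, for the right minor code, marks it leaving.
INTERESTING_EVENT_IDS = {1003, 2003, 2102}

# PnP IRP codes from the Windows WDM headers, used to read the
# "(RequestMajorCode, RequestMinorCode)" pair inside a 2102 message.
IRP_MJ_PNP = 0x1B
IRP_MN_REMOVE_DEVICE = 0x02
IRP_MN_SURPRISE_REMOVAL = 0x17

DEVICE_RE = re.compile(r"for device \((?P<device>[^)]+)\)")
HOST_GUID_RE = re.compile(r"Host Process \(\{(?P<guid>[0-9A-Fa-f-]{36})\}\)")
PNP_RE = re.compile(r"Pnp or Power operation \((?P<major>\d+), (?P<minor>\d+)\)")
VID_PID_RE = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")
VEN_PROD_RE = re.compile(r"Ven_(?P<ven>[^&#]+)&Prod_(?P<prod>[^&#]+)", re.IGNORECASE)

# Constructed sample export (tab-separated, as the post exports the log). Host,
# timestamps, GUIDs, VID/PID values and device paths are invented for this
# example; the message wording follows the Event ID table above.
FLASH = ("SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
         "#AA0401&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
PHONE = "USB\\VID_1234&PID_5678\\SERIAL0001"
HOST_GUID = "{1d2f0ad8-3d9e-4e8c-9c53-0a5f2d3b4e61}"
SAMPLE_TSV = "\n".join([
    "TimeCreated\tHost\tEventID\tMessage",
    "2023-05-10 10:20:03\tWS01\t1000\tThe Driver Manager service started successfully.",
    f"2023-05-10 10:20:05\tWS01\t1003\tThe Driver Manager service is starting a host process for device ({FLASH}).",
    f"2023-05-10 10:20:05\tWS01\t2003\tThe UMDF Host Process ({HOST_GUID}) has been asked to load drivers for device ({FLASH}).",
    f"2023-05-10 10:20:06\tWS01\t2100\tReceived a Pnp or Power operation (27, 0) for device ({FLASH}).",
    f"2023-05-10 10:24:01\tWS01\t2102\tForwarded a finished Pnp or Power operation (27, 23) to the lower driver for device ({FLASH}) with status 0x0.",
    f"2023-05-10 10:29:10\tWS01\t2003\tThe UMDF Host Process ({HOST_GUID}) has been asked to load drivers for device ({PHONE}).",
    f"2023-05-10 10:29:11\tWS01\t2102\tForwarded a finished Pnp or Power operation (27, 0) to the lower driver for device ({PHONE}) with status 0x0.",
    f"2023-05-10 10:31:00\tWS01\t2102\tForwarded a finished Pnp or Power operation (27, 2) to the lower driver for device ({PHONE}) with status 0x0.",
])

def classify(event_id, message):
    """Return "inserted", "removed", or None for a 2102 that is not a removal."""
    if event_id in (1003, 2003):
        return "inserted"
    if event_id == 2102:
        m = PNP_RE.search(message)
        if (m and int(m["major"]) == IRP_MJ_PNP
                and int(m["minor"]) in (IRP_MN_REMOVE_DEVICE, IRP_MN_SURPRISE_REMOVAL)):
            return "removed"
    return None

def device_ids(device):
    """Vendor/product pair from a device path: VID_/PID_ on USB instance paths,
    Ven_/Prod_ on the USBSTOR disk paths that WPDBUSENUM reports (assumed form)."""
    m = VID_PID_RE.search(device) or VEN_PROD_RE.search(device)
    return (m.group(1), m.group(2)) if m else ("", "")

def parse_events(tsv_text):
    """Reduce an export to insert/remove rows shaped like the post's result table."""
    results = []
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        event_id = int(row["EventID"])
        if event_id not in INTERESTING_EVENT_IDS:
            continue
        action = classify(event_id, row["Message"])
        if action is None:
            continue  # e.g. a 2102 for IRP_MN_START_DEVICE
        dev = DEVICE_RE.search(row["Message"])
        device = dev["device"] if dev else ""
        vendor_id, product_id = device_ids(device)
        guid = HOST_GUID_RE.search(row["Message"])
        results.append({"date_time": row["TimeCreated"], "host": row["Host"],
                        "event_id": event_id, "action": action, "device": device,
                        "vendor_id": vendor_id, "product_id": product_id,
                        "guid": guid["guid"] if guid else ""})
    return results

def pair_sessions(events):
    """Pair each device's first insert with its removal, like the test-procedure table."""
    open_sessions, sessions = {}, []
    for e in events:
        key = (e["host"], e["device"].lower())
        if e["action"] == "inserted":
            open_sessions.setdefault(key, e)  # 1003 and 2003 can both fire; keep the first
        else:
            start = open_sessions.pop(key, None)
            sessions.append({"host": e["host"], "device": e["device"],
                             "inserted_at": start["date_time"] if start else "",
                             "removed_at": e["date_time"]})
    for start in open_sessions.values():  # still plugged in at the end of the export
        sessions.append({"host": start["host"], "device": start["device"],
                         "inserted_at": start["date_time"], "removed_at": ""})
    return sessions

if __name__ == "__main__":
    for s in pair_sessions(parse_events(SAMPLE_TSV)):
        print(s["host"], s["inserted_at"] or "?", s["removed_at"] or "still present", s["device"])
```

Run as a script it prints one line per plug-in session: the flash drive from 10:20:05 to 10:24:01 and the phone from 10:29:10 to 10:31:00, with the phone's 2102 for IRP_MN_START_DEVICE correctly ignored. A real Event Viewer export may use different column names or quote the Message column, so adjust the DictReader keys to match; the device path is lower-cased before pairing so a case difference between the insert and removal events does not break the match.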

Future Consideration

The search extracts several important fields that are not heavily used in the search itself. The host process GUID, vendor ID, product ID, and device names can all be used to further elaborate on device specifics and to correlate these events with other actions. The process GUID may be linked to a different process, potentially one that reveals actions taken from or to the removable USB device. It's worth exploring further and getting a more detailed analysis of USB mass storage devices.

Want to learn more about using Splunk to monitor USB removable storage devices? Contact us today!
