Using Splunk to Monitor USB Removable Storage Devices

By: Pete Chen | Splunk Practice Team Lead

Windows Event Log Monitoring

Abstract

Information security is only as effective as the physical security policies behind it. Splunk continues to be a valuable tool for gaining insight into risk and for threat detection. As more security operations centers (SOCs) look to limit the exposure of sensitive data, USB removable storage devices (thumb drives, external hard drives, phones with high-capacity storage, and SD cards) introduce risk. These devices are useful as a backup location for important documents and files and for moving data from one system to another. They can equally be used to steal data or move it to an unsecured location. Using Splunk, a security team can monitor when these devices are plugged into systems.

Using Windows

Windows information on USB devices can be found here:

Logging of USB device activity in Windows needs to be enabled before moving forward. The events used below are written to the Microsoft-Windows-DriverFrameworks-UserMode/Operational log, which is disabled by default; enable it in Event Viewer (Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational, right-click the log, Enable Log). Enabling it requires administrative access to Windows.

Test Procedures

Devices
By default, the Operational log is disabled, so there is no historical data to draw upon. Once operational logging is enabled, generate data by plugging in different devices. For each device, record the time it was plugged in, the time it was stopped via software (Safely Remove Hardware), and the time it was physically removed.

Insert Time – Stop Time – Remove Time – Device
10:20am – 10:23am – 10:24am – Generic USB Drive
10:29am – 10:30am – 10:31am – Kingston Micro SD Card
10:33am – 10:36am – 10:37am – Seagate USB External Drive
10:45am – 10:52am – 10:53am – Western Digital External Hard Drive (Micro USB)

Different devices should produce different results, especially once the vendor ID and product ID are recorded. A list of USB IDs can be found here:
http://www.linux-usb.org/usb.ids

Adding Data to Splunk

Perform a series of tests (inserting and removing USB devices) to generate a log full of events to export. It is possible to ingest the data through the Splunk Add-on for Windows; doing so without the add-on requires exporting the log from Event Viewer as a text file with tab-separated fields.
In Splunk, add the data using the UI: select Add Data, then Upload.

Based on how the data was exported from Windows, select the following sourcetype:

Structure >> TSV (Tab-Separated Value)

Create a new index, such as “wineventlog”, to group the events and make searching easier.

Event ID

Identifying the relevant Microsoft Event IDs is the first requirement for detecting when a USB device has been inserted. It narrows the search to qualifying events and eliminates the rest. A Splunk search was used to count the occurrences of each Event ID in the logs.

The Event IDs observed, with their category and message text, are:

Event ID – Category – Message
1000 – Startup of the driver manager service – The Driver Manager service started successfully.
1003 – Creation of a new driver host process – The Driver Manager service is starting a host process for device (Device){GUID}.
1004 – Creation of a new driver host process – The host process ({GUID}) started successfully.
1006 – Shutdown of a driver host process – The host process ({GUID}) is being asked to shutdown.
1008 – Shutdown of a driver host process – The host process ({GUID}) has been shutdown.
2000 – Startup of a new driver host process – The UMDF Host Process ({GUID}) is starting up.
2001 – Startup of a new driver host process – The UMDF Host Process ({GUID}) started successfully.
2003 – Loading drivers to control a newly discovered device – The UMDF Host Process ({GUID}) has been asked to load drivers for device (Device).
2004 – Loading drivers to control a newly discovered device – The UMDF Host is loading driver WUDFUsbccidDriver at level 0 for device (Device).
2005 – Loading drivers to control a newly discovered device – The UMDF Host Process ({GUID}) has loaded module C:\windows\System32\USER32.dll while loading drivers for device (Device).
2006 – Loading drivers to control a newly discovered device – The UMDF Host successfully loaded the driver at level 0.
2010 – Loading drivers to control a newly discovered device – The UMDF Host Process ({GUID}) has successfully loaded drivers for device (Device).
2100 – Pnp or Power Management operation to a particular device – Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device).
2101 – Pnp or Power Management operation to a particular device – Completed a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) with status 0x0.
2102 – Pnp or Power Management operation to a particular device – Forwarded a finished Pnp or Power operation (RequestMajorCode, RequestMinorCode) to the lower driver for device (Device) with status 0x0.
2105 – Pnp or Power Management operation to a particular device – Forwarded a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) to the lower driver with status 0xC00000BB.
2106 – Pnp or Power Management operation to a particular device – Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) which was completed by the lower drivers with status 0x0.
2900 – Shutdown of a driver host process – The UMDF Host ({GUID}) has been asked to shutdown.
2901 – Shutdown of a driver host process – The UMDF Host ({GUID}) has shutdown.

*Placeholders such as (Device), {GUID}, RequestMajorCode and RequestMinorCode stand for values that differ from event to event; actual events carry the specific values.

In reviewing the events, we concluded that Event IDs 1003, 2003, and 2102 provide the best group for identifying when a device is inserted and removed without being overly verbose. If events can be filtered before they are ingested into Splunk, these three are the ones worth keeping. From what we have seen, 1003 captures USB removable drives but not mobile devices, while 2003 captures MTP devices (phones and media players). Note that 2102 is written for every forwarded PnP or Power operation, not only for removals, so the RequestMajorCode and RequestMinorCode values in the message are needed to tell a removal apart from the PnP traffic that accompanies insertion.

Splunk

The Search
Ultimately, the data and the corresponding Event IDs were used to formulate a search that returns when a USB device was inserted or removed, together with the device details carried in the message text.

Line Notes

The Results

Future Consideration

The search extracts several fields that are not yet heavily used: the host process GUID, vendor ID, product ID, and device names. These can be used to describe device specifics and to correlate these events with other activity. The host process GUID may be linked to other events from the same process, potentially ones that reveal actions taken from or to the removable USB device. It is worth exploring further and producing a more detailed analysis of USB mass storage devices.
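The following Python script is an added example, not part of the original post and not the Splunk search described under "The Search". It applies the same event selection offline to a tab-delimited export of the log: it keeps 1003, 2003 and 2102, pulls the device instance path, vendor ID, product ID, serial and UMDF host GUID out of the message text (the fields "Future Consideration" points at), and pairs each insertion with its software stop and removal, reproducing the insert/stop/remove timeline the test table above records. Several things are assumed here: the sample rows are constructed, the column layout is the one Event Viewer writes when saving as tab-delimited text, the date format is that of an en-US export, the same device instance path string appears in the 1003/2003 message and in the later 2102 messages, and the IRP codes used to recognise a removal inside a 2102 event (27 = IRP_MJ_PNP, 1 = QUERY_REMOVE_DEVICE, 2 = REMOVE_DEVICE, 23 = SURPRISE_REMOVAL) come from the Windows driver headers, not from this article.

```python
import re
from datetime import datetime

# Event IDs the article settles on as the low-noise subset.
INSERT_IDS = {1003, 2003}   # 1003: USB removable drives, 2003: MTP-class devices such as phones
PNP_ID = 2102               # one 2102 per forwarded PnP/Power IRP, on insertion and removal alike
# WDM PnP IRP codes (wdm.h, not from the article); the (major, minor) pair in a 2102 tells removals apart
IRP_MJ_PNP = 27
IRP_MN_QUERY_REMOVE_DEVICE = 1   # "Safely Remove Hardware": the software stop
IRP_MN_REMOVE_DEVICE = 2         # final tear-down; also follows a surprise removal
IRP_MN_SURPRISE_REMOVAL = 23     # 0x17: device pulled without being stopped first
# Device instance path as it appears in the message, e.g. USB\VID_0951&PID_1666\001A2B3C4D5E
DEVICE_RE = re.compile(r"\b(?P<path>USB(?:STOR)?\\[^\s){]+)")
VID_PID_RE = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")
CODES_RE = re.compile(r"\((?P<major>\d+),\s*(?P<minor>\d+)\)")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_row(line):
    """One tab-separated export row -> event dict, or None when it carries no device path."""
    # Assumed columns (Event Viewer text export): Level, Date and Time, Source, Event ID, Task Category, Description
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) < 6 or not cols[3].isdigit():
        return None                                # header row or non-event line
    dev = DEVICE_RE.search(cols[5])
    if not dev:
        return None
    path = dev.group("path").rstrip(".")           # the message ends with a full stop
    ids, codes, guid = VID_PID_RE.search(path), CODES_RE.search(cols[5]), GUID_RE.search(cols[5])
    return {
        "time": datetime.strptime(cols[1], "%m/%d/%Y %I:%M:%S %p"),   # en-US export assumed
        "event_id": int(cols[3]),
        "path": path,
        "host_guid": guid.group(0) if guid else None,   # UMDF host process GUID, for later correlation
        "vid": ids.group("vid").upper() if ids else None,
        "pid": ids.group("pid").upper() if ids else None,
        "serial": path.split("\\")[-1],                 # last path component: serial / instance id
        "codes": (int(codes.group("major")), int(codes.group("minor"))) if codes else None,
    }

def _session(path, cur, removal):
    src = removal or cur["insert"]
    return {
        "path": path, "vid": src["vid"], "pid": src["pid"], "serial": src["serial"],
        "inserted": cur["insert"]["time"] if cur["insert"] else None,  # None: insert predates the export
        "stopped": cur["stopped"],                                      # software stop, if any
        "removed": removal["time"] if removal else None,                # None: still attached at end of log
        "surprise": cur["surprise"],
    }

def usb_sessions(lines):
    # Pair insertions with removals per device path; returns one dict per device session.
    events = sorted((e for e in map(parse_row, lines) if e), key=lambda e: e["time"])
    open_by_path, sessions = {}, []
    for ev in events:
        if ev["event_id"] in INSERT_IDS:         # keep the earliest insert if both 1003 and 2003 fire
            open_by_path.setdefault(ev["path"], {"insert": ev, "stopped": None, "surprise": False})
            continue
        if ev["event_id"] != PNP_ID or not ev["codes"] or ev["codes"][0] != IRP_MJ_PNP:
            continue
        minor = ev["codes"][1]
        if minor not in (IRP_MN_QUERY_REMOVE_DEVICE, IRP_MN_SURPRISE_REMOVAL, IRP_MN_REMOVE_DEVICE):
            continue                               # START_DEVICE and other PnP chatter
        cur = open_by_path.setdefault(ev["path"], {"insert": None, "stopped": None, "surprise": False})
        if minor == IRP_MN_QUERY_REMOVE_DEVICE:
            cur["stopped"] = ev["time"]
        elif minor == IRP_MN_SURPRISE_REMOVAL:
            cur["surprise"] = True
        else:
            sessions.append(_session(ev["path"], open_by_path.pop(ev["path"]), ev))
    for path, cur in open_by_path.items():         # devices still attached when the export ended
        sessions.append(_session(path, cur, None))
    return sessions

# Constructed sample export (not real log data). Vendor IDs are the usb.ids values.
SANDISK = "USB\\VID_0781&PID_5567\\4C530001230410103204"   # 0781 = SanDisk
KINGSTON = "USB\\VID_0951&PID_1666\\001A2B3C4D5E"          # 0951 = Kingston
PHONE = "USB\\VID_18D1&PID_4EE1\\R58M12345AB"              # 18D1 = Google (MTP)
START = "The Driver Manager service is starting a host process for device {dev}{guid}."
LOAD = "The UMDF Host Process ({guid}) has been asked to load drivers for device {dev}."
PNP = "Forwarded a finished Pnp or Power operation (27, {minor}) to the lower driver for device {dev} with status 0x0."
_row = lambda ts, eid, desc: "\t".join(["Information", ts, "DriverFrameworks-UserMode", str(eid), "UMDF", desc])

SAMPLE_EXPORT = [
    "Level\tDate and Time\tSource\tEvent ID\tTask Category",
    # stick inserted, stopped via "Safely Remove Hardware" (QUERY_REMOVE), then unplugged (REMOVE)
    _row("5/15/2018 10:20:04 AM", 1003, START.format(dev=SANDISK, guid="{a1b2c3d4-1111-2222-3333-444455556666}")),
    _row("5/15/2018 10:20:05 AM", 2102, PNP.format(dev=SANDISK, minor=0)),    # START_DEVICE: not a removal
    _row("5/15/2018 10:23:40 AM", 2102, PNP.format(dev=SANDISK, minor=1)),
    _row("5/15/2018 10:24:11 AM", 2102, PNP.format(dev=SANDISK, minor=2)),
    # card reader yanked without stopping it: SURPRISE_REMOVAL, then the REMOVE_DEVICE that follows
    _row("5/15/2018 10:29:30 AM", 1003, START.format(dev=KINGSTON, guid="{b2c3d4e5-2222-3333-4444-555566667777}")),
    _row("5/15/2018 10:31:02 AM", 2102, PNP.format(dev=KINGSTON, minor=23)),
    _row("5/15/2018 10:31:03 AM", 2102, PNP.format(dev=KINGSTON, minor=2)),
    # phone over MTP: surfaces through 2003 only and is still attached when the export ends
    _row("5/15/2018 10:40:00 AM", 2003, LOAD.format(dev=PHONE, guid="{c3d4e5f6-3333-4444-5555-666677778888}")),
]

if __name__ == "__main__":
    print(*usb_sessions(SAMPLE_EXPORT), sep="\n")
```

Running the file prints three sessions: the stick with insert, stop and remove times, the card reader flagged as a surprise removal with no stop time, and the phone with no removal because the export ended while it was attached. The 2102 at 10:20:05 carrying (27, 0) does not close a session; only the (27, 2) does, which is why counting event ID 2102 alone over-reports removals and why the RequestMajorCode/RequestMinorCode pair belongs in the Splunk search as well.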

Want to learn more about using Splunk to monitor USB removable storage devices? Contact us today!
