Using Splunk to Monitor USB Removable Storage Devices

Using Splunk to Monitor USB Removable Storage Devices

By: Pete Chen | Splunk Practice Team Lead

 

Windows Event Log Monitoring

Abstract

Information security is only as effective as physical security policies. Splunk continues to be a valuable tool in providing insight into risk and threat detection. As more security operation centers (SOC’s) look to limit sensitive data being exposed, USB removable storage devices (thumb drives, external hard drives, cell phones with high capacity storage, and SD cards) introduce risk. These devices are helpful in providing a backup location for important documents and files. They can help in moving data from one system to another. They can also be used to steal data, or move them into an unsecured location. Using Splunk, a security team can now monitor when these devices are plugged into systems.

Using Windows

Windows information on USB devices can be found here:

Information on USB devices in Windows needs to be enabled before moving forward. The current default in administrative policy is to have this feature disabled. Enabling this feature will require administrative access to Windows.

Test Procedures

Devices
By default, the Windows logging option for operations is disabled. This means there is no historical data to draw upon. Once operational logging is enabled, it’s important to generate data by plugging in different devices. Record the time a device was plugged in, when the device was stopped via software, and when the device was physically removed.

Time – Insert Time – Stop Time – Remove Device
10:20am 10:23am 10:24am Generic USB Drive
10:29am 10:30am 10:31am Kingston Micro SD Card
10:33am 10:36am 10:37am Seagate USB External Drive
10:45am 10:52am 10:53am Western Digital External Hard Drive Micro USB

Different devices should produce different results, especially when vendor ID and device ID is recorded. A list of USB ID’s can be found here:
http://www.linux-usb.org/usb.ids

 

Adding Data to Splunk

Perform a series of tests (inserting and removing USB devices), and generate a log full of events to be exported. While it’s possible to ingest the data through the Splunk Add-On for Windows, doing so without the add-on will require exporting the log as a text file, where the fields were separated by Tab.
In Splunk, add the data using the UI. Select Add Data, and the Upload.

Based on how the data was exported from Windows, select the following sourcetype:

Structure >> TSV (Tab-Separated Value)

Create a new index, such as “wineventlog”, to group the events and make searching easier.

 

Event ID

Identifying Microsoft’s Event ID’s is one of the requirements in identifying when a USB device has been inserted. This helps to better refine a search for qualifying events, eliminating non-useful events from the group. A search was used in Splunk to count the number of event id’s seen in the logs.

The values of the event ID’s are:

1000 Startup of the driver manager service. The Driver Manager service started successfully
1003 Creation of a new driver host process. The Driver Manager service is starting a host process for device (Device){GUID}.
1004 Creation of a new driver host process. The host process ({GUID}) started successfully.
1006 Shutdown of a driver host process. The host process ({GUID}) is being asked to shutdown.
1008 Shutdown of a driver host process. The host process ({GUID}) has been shutdown.
2000 Startup of a new driver host process. The UMDF Host Process ({GUID}) is starting up.
2001 Startup of a new driver host process. The UMDF Host Process ({GUID}) started successfully.
2003 Loading drivers to control a newly discovered device. The UMDF Host Process ({GUID}) has been asked to load drivers for device (Device).
2004 Loading drivers to control a newly discovered device. The UMDF Host is loading driver WUDFUsbccidDriver at level 0 for device (Device).
2005 Loading drivers to control a newly discovered device. The UMDF Host Process ({GUID}) has loaded module C:\windows\System32\USER32.dll while loading drivers for device (Device).
2006 Loading drivers to control a newly discovered device. The UMDF Host successfully loaded the driver at level 0.
2010 Loading drivers to control a newly discovered device. The UMDF Host Process ({GUID}) has successfully loaded drivers for device (Device).
2100 Pnp or Power Management operation to a particular device. Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device).
2101 Pnp or Power Management operation to a particular device. Completed a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) with status 0x0.
2102 Pnp or Power Management operation to a particular device. Forwarded a finished Pnp or Power operation (RequestMajorCode, RequestMinorCode) to the lower driver for device (Device) with status 0x0.
2105 Pnp or Power Management operation to a particular device. Forwarded a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) to the lower driver with status 0xC00000BB
2106 Pnp or Power Management operation to a particular device. Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) which was completed by the lower drivers with status 0x0
2900 Shutdown of a driver host process. The UMDF Host ({GUID}) has been asked to shutdown.
2901 Shutdown of a driver host process. The UMDF Host ({GUID}) has shutdown.

*Value labels represented inside < >, actual events will have specific values in place.

In reviewing the events, we concluded Event ID’s 1003, 2003, and 2102 provided the best group of events to identify when a device is inserted and removed, without being overly verbose. If Event Filtering is available prior to being ingested into Splunk, these events would be the most valuable. From what we have seen, 1003 seems to capture USB Removable Drives, but will not capture mobile devices. In addition, 2003 seems to capture MTP devices.

 

Splunk

The Search
Ultimately, the data with corresponding Event ID’s were used to formulate a search which would return relevant information about when a USB device was inserted or removed.

Line Notes

The Results

 

Future Consideration

In the search, important fields are pulled out which are not heavily used in the search above. GUID, Vendor ID, Product ID, device names can all be used to further elaborate on devices specifics, and correlate these events with other actions. The process GUID may be linked to a different process, potentially one which reveals actions taken from or to the removable USB device. It’s worth exploring further, and getting a more detailed analysis on USB Mass Storage Devices.

Want to learn more about using Splunk to monitor USB removable storage devices? Contact us today!