Detectionlowtest

USB Device Plugged

Detects plugged/unplugged USB devices

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Thu Nov 09Updated Tue Nov 301a4bd6e3-4c6e-405d-a9a3-53a116e341d4windows

Log Source

Windowsdriver-framework

ProductWindows← raw: windows

Servicedriver-framework← raw: driver-framework

Definition

Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog

Detection Logic

detection:
    selection:
        EventID:
            - 2003  # Loading drivers
            - 2100  # Pnp or power management
            - 2102  # Pnp or power management
    condition: selection

False Positives

Legitimate administrative activity

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1200 · Hardware Additions

Rule Metadata

Rule ID

1a4bd6e3-4c6e-405d-a9a3-53a116e341d4

Status

test

Level

low

Type

Detection

Created

Thu Nov 09

Modified

Tue Nov 30

Author

Florian Roth (Nextron Systems)

Path

rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml

Raw Tags

attack.initial-accessattack.t1200

View on GitHub