Detectionlowtest

External Disk Drive Or USB Storage Device Was Recognized By The System

Detects external disk drives or plugged-in USB devices.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Keith WrightCreated Wed Nov 20Updated Fri Feb 09f69a87ea-955e-4fb4-adb2-bb9fd6685632windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection_eid:
        EventID: 6416
    selection_field:
        - ClassName: 'DiskDrive'
        - DeviceDescription: 'USB Mass Storage Device'
    condition: all of selection_*

False Positives

Likely

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement TA0001 · Initial Access

Techniques

T1091 · Replication Through Removable Media T1200 · Hardware Additions

Rule Metadata

Rule ID

f69a87ea-955e-4fb4-adb2-bb9fd6685632

Status

test

Level

low

Type

Detection

Created

Wed Nov 20

Modified

Fri Feb 09

Author

Keith Wright

Path

rules/windows/builtin/security/win_security_external_device.yml

Raw Tags

attack.t1091attack.t1200attack.lateral-movementattack.initial-access

View on GitHub