Windows.Detection.Thumbdrives.OfficeKeywords

Users inserting Thumb drives or other Removable drive pose a constant security risk. The external drive may contain malware or other undesirable content. Additionally thumb drives are an easy way for users to exfiltrate documents.

This artifact automatically scans any office files copied to a removable drive for keywords. This could be useful to detect exfiltration attempts of restricted documents.

We exclude very large removable drives since they might have too many files.


name: Windows.Detection.Thumbdrives.OfficeKeywords
description: |
  Users inserting Thumb drives or other Removable drive pose a
  constant security risk. The external drive may contain malware or
  other undesirable content. Additionally thumb drives are an easy way
  for users to exfiltrate documents.

  This artifact automatically scans any office files copied to a
  removable drive for keywords. This could be useful to detect
  exfiltration attempts of restricted documents.

  We exclude very large removable drives since they might have too
  many files.

type: CLIENT_EVENT

parameters:
  - name: officeExtensions
    default: "\\.(xls|xlsm|doc|docx|ppt|pptm)$"
    type: regex

  - name: yaraRule
    description: This yara rule will be run on document contents.
    type: yara
    default: |
      rule Hit {
        strings:
          $a = "this is my secret" wide nocase
          $b = "this is my secret" nocase

        condition:
          any of them
      }

sources:
  - query: |
        SELECT * FROM foreach(
          row = {
            SELECT * FROM Artifact.Windows.Detection.Thumbdrives.List()
            WHERE OSPath =~ officeExtensions
          },
          query = {
            SELECT * FROM Artifact.Generic.Applications.Office.Keywords(
              yaraRule=yaraRule, searchGlob=OSPath, documentGlobs="")
          })