Run yara over usb when USB is plugged into machine. Return context and hit details.
This artifact requires:
Yara rule deployed and target path can be modified.
name: Windows.Detection.USBYara
author: Matt Green - @mgreen27
description: |
Run yara over usb when USB is plugged into machine. Return context
and hit details.
This artifact requires:
* Exchange.Windows.Monitor.USBPlugIn (imported from Exchange)
* Generic.Detection.Yara.Glob
Yara rule deployed and target path can be modified.
type: CLIENT_EVENT
parameters:
- name: TargetGlob
default: '/**.lnk'
- name: PayloadYara
default: |
rule recyclebin_lnk{
meta:
description = "AvastSvcpCP lnkfile"
author = "@mgreen27"
date = "2021-11-18"
strings:
$s1 = "AvastSvcpCP" wide nocase
$s2 = "cefhelper.exe" wide nocase
$s3 = "RECYCLER.BIN" wide nocase
$s4 = "wsc.zip" wide nocase
$s6 = "/q /c" wide nocase
$s8 = "S-1-5-21-1063499884-3365855816-3691837489-1000" wide nocase
$s9 = "Xayemarlwin-pc" wide nocase
condition:
int16(0) == 0x004c and any of them
}
sources:
- query: |
SELECT * FROM foreach(
row={ SELECT DriveName,TimeCreated FROM Artifact.Exchange.Windows.Monitor.USBPlugIn() },
query={
SELECT
TimeCreated as EventTime,
{ SELECT Fqdn from info() } as Hostname,
FullPath,Size,
dict(Mtime=Mtime,Atime=Atime,Ctime=Ctime,Btime=Btime) as SITimestamps,
Rule,Meta,
HitContext,HitOffset,
{
SELECT Name, FileSystem,Description,FreeSpace,Size,VolumeSerialNumber,VolumeName
FROM wmi(query='SELECT * FROM Win32_logicaldisk WHERE DeviceID = "' + DriveName + '"',namespace='ROOT/CIMV2')
} as DiskInfo
FROM Artifact.Generic.Detection.Yara.Glob(PathGlob=DriveName + TargetGlob,YaraRule=PayloadYara)
})