Adversaries may use USB disk drives to deploy malware or to exfiltrate data; malicious payloads carried on removable media frequently surface first as antivirus detections on the host. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data theft via removable media.
KQL Query
//Get a list of USB AV detections. This assumes any path not beginning with C is a removable/USB device
let usbDetections =
DeviceEvents
| where ActionType == "AntivirusDetection" and FolderPath !startswith "c" and FolderPath matches regex "^[A-Za-z]{1}"
| extend ParsedFields=parse_json(AdditionalFields)
| project DetectionTime=Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath;
//Get a list of USB disk drive connections, grouped by computer name and DeviceID
let usbConnections =
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| project Timestamp, DeviceName, DeviceId=tostring(parsed.DeviceId), ClassName=tostring(parsed.ClassName)
| where ClassName == "DiskDrive"
| summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName;
//Join USB AV detections and connections, where the detection occurs after the USB has been plugged in
usbDetections | join kind=inner (usbConnections) on DeviceName | where DetectionTime > UsbFirstSeen and DetectionTime < UsbLastSeen
| project DetectionTime, DeviceName, ThreatName, FileName, FolderPath, DeviceId, UsbFirstSeen, UsbLastSeen
| sort by DetectionTime desc
id: 12198f2f-c53b-4617-8df8-120c66cbb373
name: AV Detections with USB Disk Drive
description: |
  This query makes a best-guess detection regarding which removable media device caused an AV detection.
  The query is best run over 30 days to get the full USB history.
  Get a list of USB AV detections. This assumes any path not beginning with C is a removable/USB device.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  let usbDetections =
  DeviceEvents
  | where ActionType == "AntivirusDetection" and FolderPath !startswith "c" and FolderPath matches regex "^[A-Za-z]{1}"
  | extend ParsedFields=parse_json(AdditionalFields)
  | project DetectionTime=Timestamp, DeviceName, ThreatName=tostring(ParsedFields.ThreatName), FileName, FolderPath;
  //Get a list of USB disk drive connections, grouped by computer name and DeviceID
  let usbConnections =
  DeviceEvents
  | where ActionType == "PnpDeviceConnected"
  | extend parsed=parse_json(AdditionalFields)
  | project Timestamp, DeviceName, DeviceId=tostring(parsed.DeviceId), ClassName=tostring(parsed.ClassName)
  | where ClassName == "DiskDrive"
  | summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName;
  //Join USB AV detections and connections, where the detection occurs after the USB has been plugged in
  usbDetections | join kind=inner (usbConnections) on DeviceName | where DetectionTime > UsbFirstSeen and DetectionTime < UsbLastSeen
  | project DetectionTime, DeviceName, ThreatName, FileName, FolderPath, DeviceId, UsbFirstSeen, UsbLastSeen
  | sort by DetectionTime desc
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: System Restore Point Creation
Description: A system restore point is created using a USB drive containing backup images. The AV tool may flag the USB drive due to its presence during the restore process.
Filter/Exclusion: Exclude USB devices used for system restore or backup operations (e.g., device_name = "System Restore USB" or process_name = "wbadmin.exe").
Scenario: Admin Task: USB Drive for Software Deployment
Description: An admin uses a USB drive to deploy software to multiple endpoints. The AV tool may flag the USB drive due to the presence of installation files.
Filter/Exclusion: Exclude USB devices used for software deployment (e.g., device_name = "Deployment_USB" or process_name = "setup.exe").
Scenario: Scheduled Job Using USB Drive
Description: A scheduled job runs from a USB drive that contains scripts or tools used for routine maintenance. The AV may flag the USB due to the presence of executable files.
Filter/Exclusion: Exclude USB devices used for scheduled jobs (e.g., device_name = "ScheduledJob_USB" or process_name = "schtasks.exe").
Scenario: User-Initiated File Transfer via USB
Description: A user transfers files between devices using a USB drive. The AV may flag the USB drive due to the presence of unknown or suspicious files.
Filter/Exclusion: Exclude USB devices used for legitimate file transfers (e.g., device_name = "User_USB" or process_name = "explorer.exe").
Scenario: Antivirus Quarantine or Cleanup via USB
Description: An admin uses a USB drive to move quarantined files or perform a cleanup operation. The AV may flag the USB drive due to the presence of quarantined files.
*Filter
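The hunting query above joins on DeviceName alone and keeps every disk drive whose first-seen/last-seen window spans the detection, so a host with several USB devices plugged in over the lookback period yields one row per device. The added KQL below (not part of the original hunting query) tightens the attribution to the single most recently connected disk drive before each detection, and applies the exclusions suggested by the false-positive scenarios using real DeviceEvents columns. The approved device IDs and process names in the two allowlists are constructed placeholders, and the use of InitiatingProcessFileName as the process that touched the flagged file is an assumption to validate against your own tenant's data.

```kusto
// Added example, not the original hunting query. Attributes each USB AV
// detection to the most recently connected disk drive on the same host and
// drops allowlisted devices and admin tooling. Allowlist entries are
// constructed placeholders; replace them with values from your own inventory.
let lookback = 30d;
// Constructed allowlist of approved removable-media DeviceIds (deployment/backup sticks).
let approvedUsbDevices = datatable(DeviceId:string, Purpose:string) [
    @"USBSTOR\DISK&VEN_EXAMPLE&PROD_DEPLOY_USB&REV_1.00\EXAMPLE-SERIAL-0001&0", "Software deployment",
    @"USBSTOR\DISK&VEN_EXAMPLE&PROD_BACKUP_USB&REV_1.00\EXAMPLE-SERIAL-0002&0", "Backup / restore"
];
// Constructed allowlist of admin tooling that legitimately runs from removable media.
let approvedProcesses = dynamic(["wbadmin.exe", "schtasks.exe", "setup.exe"]);
let usbDetections =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusDetection"
    // Same best-guess heuristic as the original query: a non-C drive letter is treated as removable.
    | where FolderPath !startswith "c" and FolderPath matches regex "^[A-Za-z]{1}"
    | extend ParsedFields = parse_json(AdditionalFields)
    | project DetectionTime = Timestamp, DeviceName, ThreatName = tostring(ParsedFields.ThreatName),
              FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName;
let usbConnections =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "PnpDeviceConnected"
    | extend parsed = parse_json(AdditionalFields)
    | project ConnectTime = Timestamp, DeviceName, DeviceId = tostring(parsed.DeviceId),
              ClassName = tostring(parsed.ClassName)
    | where ClassName == "DiskDrive";
usbDetections
| join kind=inner (usbConnections) on DeviceName
// Keep only connections that happened before the detection ...
| where ConnectTime <= DetectionTime
// ... and, per detection, only the most recent one (arg_max on ConnectTime),
// instead of one row per device whose first/last-seen window spans the detection.
| summarize arg_max(ConnectTime, DeviceId)
    by DetectionTime, DeviceName, ThreatName, FileName, FolderPath,
       InitiatingProcessFileName, InitiatingProcessAccountName
| extend MinutesSinceConnect = datetime_diff('minute', DetectionTime, ConnectTime)
// Exclusions from the false-positive scenarios: approved devices (leftanti join)
// and approved admin tooling (case-insensitive process name match).
| join kind=leftanti (approvedUsbDevices) on DeviceId
| where InitiatingProcessFileName !in~ (approvedProcesses)
| project DetectionTime, DeviceName, ThreatName, FileName, FolderPath, DeviceId,
          ConnectTime, MinutesSinceConnect, InitiatingProcessFileName, InitiatingProcessAccountName
| sort by DetectionTime desc
```

A large MinutesSinceConnect value is itself a signal worth reviewing: the heuristic attributes the detection to whichever disk drive connected last, so a detection many hours after the last PnP event may belong to a device whose connection fell outside the lookback window, or to a non-USB volume that merely has a non-C drive letter. Before relying on either query, confirm that both the AntivirusDetection and PnpDeviceConnected action types are actually present in DeviceEvents for the lookback period, since a missing PnP feed silently empties the inner join.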