Query for when PowerShell execution policy is set to Bypass

index=”windows” sourcetype=WinRegistry key_path=”HKLM\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy” | table _time, host, registry_type, registry_value_data, registry_value_name | rename host as Host, registry_type as Action, registry_value_data as “Registry Value”, registry_value_name as “Registry Value Name”

Continue Reading →

Removal of USB Storage Device

This query will detect if any USB storage device was removed from a Windows machine (confirmed on Windows 7). sourcetype=WinRegistry key_path=”HKLM\\system\\controlset*\\enum\\usbstor\\*”  process_image=”c:\\Windows\\System32\\svchost.exe”  registry_type=DeleteKey | eval Date=strftime(_time, “%Y/%m/%d %H:%M:%S”) | rex “key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S” | stats count by Date, host, Vendor, Product, DeviceType   | fields  – count   | sort  – Date

Continue Reading →

USB and Removable Media Detection

This splunk query will show information about USB mass storage device uses. You must be monitoring the registry using the Windows Technology Add-on (TA). sourcetype=WinRegistry key_path=”HKLM\\system\\controlset*\\enum\\usbstor\\*”  registry_type=CreateKey | eval Date=strftime(_time, “%Y/%m/%d %H:%M:%S”) | rex “key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S”   | stats  count by Date, host, Vendor, Product, DeviceType   | fields  – count   | sort  – Date

Continue Reading →