ForeScout Alert Details
Alert ID: FORESCOUT-HW-ADD-7842
Alert Time: 2024-02-11 13:45:22 EST
Severity: HIGH (82/100)
Source: ForeScout CounterACT
Rule: “Unauthorized USB Device – BadUSB Characteristics”
MITRE ATT&CK: T1200 – Hardware Additions
Alert Details:
Device Detection:
– Host: RND-WS-056 (Research & Development)
– User: cpark (Chris Park, Research Scientist)
– Time: 13:42 EST
– USB Port: Front panel
USB Device Details:
– Vendor ID: 0781 (SanDisk)
– Product ID: 5583
– Serial: 4C530110730123119471 (spoofed/invalid)
– Reported Name: “SanDisk Ultra Fit”
– Reported Capacity: 32GB
– Actual Capacity: 16GB (hidden partition detected)
Anomaly Detection:
– Device Type: Mass Storage + HID Keyboard composite device
– HID Keyboard capability: Can emulate keystrokes (BadUSB)
– Driver Signature: Unsigned (violates policy)
– First connection: Never seen before in environment
– Policy Violation: Unauthorized USB device with HID capabilities
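The checks in the Anomaly Detection block above, expressed as rule logic over a constructed USB enumeration record. This is an added illustration, not ForeScout's own code: the weights, the approved-device inventory, the UsbDevice fields and the should_block rule are assumptions, while the VID/PID, serial and capacities are the values from this alert.

```python
"""Rule logic behind the 'Unauthorized USB Device - BadUSB Characteristics' alert.
Added illustration, not ForeScout's code; weights, inventory and policy rule are assumed."""
from dataclasses import dataclass
USB_CLASS_HID, USB_CLASS_MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes

@dataclass
class UsbDevice:
    host: str
    vid: int
    pid: int
    serial: str
    interface_classes: list
    reported_capacity_gb: int   # capacity the device advertises
    actual_capacity_gb: int     # capacity actually addressable
    driver_signed: bool
    seen_before: bool           # serial previously observed in the environment

# Constructed inventory: serials granted a USB exception, keyed by host
APPROVED_SERIALS = {"RND-WS-012": {"AA11BB22CC33"}}

def evaluate(dev, approved=APPROVED_SERIALS):
    """Return (score, findings); each finding mirrors a line of the alert's Anomaly Detection."""
    findings, score, classes = [], 0, set(dev.interface_classes)
    if USB_CLASS_HID in classes and USB_CLASS_MASS_STORAGE in classes:
        findings.append("composite mass storage + HID keyboard (BadUSB characteristic)")
        score += 35
    if dev.actual_capacity_gb < dev.reported_capacity_gb:
        findings.append(f"reports {dev.reported_capacity_gb}GB, only "
                        f"{dev.actual_capacity_gb}GB addressable (hidden partition?)")
        score += 20
    if not dev.driver_signed:
        findings.append("unsigned driver (violates policy)")
        score += 12
    if not dev.seen_before:
        findings.append("first connection: never seen in environment")
        score += 5
    if dev.serial not in approved.get(dev.host, set()):
        findings.append("no approved USB device exception for this host")
        score += 10
    return min(score, 100), findings

def should_block(dev, approved=APPROVED_SERIALS):
    """Policy from the report's remediation: block any HID-capable device without an exception."""
    return USB_CLASS_HID in dev.interface_classes and dev.serial not in approved.get(dev.host, set())

# Constructed records: the device from this alert, and a benign approved drive
SUSPECT = UsbDevice("RND-WS-056", 0x0781, 0x5583, "4C530110730123119471",
                    [USB_CLASS_MASS_STORAGE, USB_CLASS_HID], 32, 16, False, False)
APPROVED_DRIVE = UsbDevice("RND-WS-012", 0x0781, 0x5583, "AA11BB22CC33",
                           [USB_CLASS_MASS_STORAGE], 32, 32, True, True)
```

With the assumed weights the suspect record scores 82/100, matching the alert's severity, and is blocked; the approved drive scores 0 and passes.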
Additional Context:
– R&D department has strict USB policies
– User has no approved USB device exception
– Device connected immediately after user returned from lunch
– Building access logs: User badge used at 13:30 (return from lunch)
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify ForeScout alert | ForeScout Console | Confirmed unauthorized USB with HID capabilities
2. Immediate Containment | Disable USB port remotely | ForeScout, Network Access Control | USB port disabled; host quarantined
3. Physical Security | Dispatch security to user location | Security Team, Badge Logs | User located; USB device confiscated
4. Endpoint Scan | Check for malware execution | CrowdStrike Falcon | No evidence of keystroke injection or malware
5. User Interview | Interview user about device | HR, Security | User found device in parking lot; plugged in to “see what was on it”
6. Device Analysis | Forensically examine USB | FTK Imager, Sandbox | Device contains BadUSB firmware; hidden partition with payloads
Jira Incident Report
Ticket: SOC-2024-060
Summary: T1200 – Hardware Additions – BadUSB Device Connected in R&D
Status: RESOLVED
Resolution: MALICIOUS – Device Confiscated, No Compromise
Priority: P1 – HIGH
Labels: T1200, hardware-additions, badusb, removable-media, forescout, r&d
Components: Endpoint-Security, Physical-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ForeScout CounterACT (NAC + Device Control).
Alert: “Unauthorized USB Device – BadUSB Characteristics”.
Host: RND-WS-056 (R&D Department, user cpark).
Time: 2024-02-11 13:45 EST.
Technique: MITRE ATT&CK T1200 – Hardware Additions.
2. Technical Analysis:
Device Details:
Physical Appearance: SanDisk Ultra Fit (spoofed)
Actual Function: BadUSB device with HID keyboard emulation
Vendor/Product ID: Spoofed legitimate SanDisk IDs
Serial Number: Invalid (manufacturer-reserved range)
Partitions: Visible 16GB + Hidden 16GB (encrypted)
Capabilities:
Can emulate keyboard to inject keystrokes
Hidden partition contains:
PowerShell reverse shell scripts
Keylogger installer
Cobalt Strike beacon (packed)
Auto-run functionality disabled by policy
User Actions:
User found device in parking lot at 13:25
Returned to desk at 13:30
Plugged in device at 13:42
ForeScout detected and blocked immediately
No keystroke injection occurred (policy blocked HID)
Endpoint Status:
CrowdStrike scan: No malware execution
No registry changes
No persistence installed
3. Investigation Findings:
Timeline:
13:25 – User finds USB in parking lot
13:30 – User returns to desk
13:42 – User plugs in USB
13:42 – ForeScout detects unauthorized device
13:45 – ForeScout alert generated
13:46 – SOC investigation begins
13:47 – USB port disabled remotely
13:50 – Security dispatched
13:55 – Device confiscated
Indicators of Compromise (IoCs):
USB Device:
– VID: 0781, PID: 5583 (spoofed)
– Serial: 4C530110730123119471
– Name: “SanDisk Ultra Fit”
Files on Hidden Partition:
– inject.exe (SHA256: a1b2c3…)
– keylogger.dll (SHA256: d4e5f6…)
– beacon.bin (SHA256: g7h8i9…)
4. Containment Actions:
Immediate Actions (13:45-13:55 EST):
USB port disabled via ForeScout policy.
Host quarantined from network.
Device confiscated by security.
User interviewed; HR notified.
Endpoint Remediation:
Full scan with CrowdStrike (clean).
No reimage needed (no execution).
Policy Update:
Immediate reminder to all employees about USB security.
Enhanced physical security patrols in parking areas.
5. Root Cause Analysis:
Primary Cause: User plugged in unknown USB device found in parking lot.
Contributing Factors:
Curiosity overcame security training.
No physical security controls in parking lot.
Device designed to look legitimate.
6. Business Impact:
Operational Impact: R&D workstation offline for 2 hours.
Data Exposure: None (device blocked before execution).
Reputational Impact: None.
7. Remediation & Prevention:
Completed Actions:
Device confiscated and analyzed.
User disciplined and re-trained.
Policy reminder sent company-wide.
Technical Controls Enhanced:
ForeScout policy updated to block all HID-capable USB devices.
Enabled Windows Defender Device Control to block unauthorized VID/PID combinations.
Added USB awareness to quarterly security training.
8. Conclusion:
This incident involved a BadUSB device planted in the parking lot and connected by an employee. ForeScout’s device control detected the unauthorized HID-capable device and blocked it before any keystroke injection could occur. No compromise resulted.
Closure Rationale: Device confiscated; user educated; technical controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 15:30 EST