Hardware Additions Attack (T1200)

by

EDR Alert Details: Unauthorized Hardware Detection

Alert Time: 2024-01-18 10:15:34 EST
Alert Source: CrowdStrike Falcon EDR
Alert ID: FALCON-ALERT-HW-7842
Severity: HIGH (87/100)
MITRE ATT&CK: T1200 – Hardware Additions

Affected System:

  • Hostname: MKT-WS-112
  • IP Address: 192.168.45.112
  • User: jwilson (Marketing Department)
  • Location: Floor 2, Marketing Department
  • OS: Windows 10 Enterprise 22H2

Alert Description:

Detection: Unauthorized USB Mass Storage Device Installation with Malicious Payload Execution
Rule: "Hardware-Based Persistence Attempt"
Confidence: 98%

Event Chain:
10:14:22 - Unknown USB Device Connected (VID_0781&PID_55A3)
10:14:35 - Driver Installation: "Generic Mass Storage Driver v2.1"
10:14:48 - Device Control Policy Violation - Unsigned Driver Bypass
10:15:02 - Registry Modification: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
10:15:15 - Process Creation: C:\Windows\Temp\update_scan.exe
10:15:22 - Network Connection Attempt: 185.243.115[.]67:443
10:15:34 - Alert Generated: "USB Device with Embedded Malware Detected"

Device Information:
- Reported Name: "SanDisk Ultra Fit"
- Vendor ID: 0781 (SanDisk Corporation)
- Product ID: 55A3 
- Serial: 4C530110730123119471 (Invalid/Manufacturer Reserved)
- Capacity: 16GB (8GB Visible + Hidden Partition)
- Driver Publisher: "Unknown Publisher"

Threat Intelligence Context:

  • IP 185.243.115[.]67 associated with FIN7 (Carbanak Group)
  • Similar USB-based attacks targeting marketing departments in retail sector
  • Device serial number pattern matches known BadUSB campaigns

SOC Investigation & Response Process

Phase 1: Initial Triage (10:15-10:30 EST)

Tools: CrowdStrike Falcon Console, Splunk SIEM, Active Directory

  1. Alert Validation:
    • Verified alert in CrowdStrike Falcon console
    • Cross-referenced with Windows Security Event Logs (Event ID 6416)
    • Checked user’s physical location via badge access system
  2. Immediate Containment:
    • Initiated network isolation via CrowdStrike Falcon Containment
    • Disabled user account in Active Directory
    • Blocked malicious IP at firewall (Palo Alto Networks)
    • Sent security guard to confiscate USB device
  3. Initial Assessment:
    • Contacted user via phone – reported finding USB in parking lot labeled “Q4 Marketing Plans”
    • Verified user had no scheduled USB device usage
    • Checked department policy exceptions (none for marketing)

Phase 2: Forensic Analysis (10:30-12:00 EST)

Tools: Velociraptor, Autopsy Forensic Browser, Wireshark, VirusTotal API

  1. Endpoint Forensics:
    • Memory Capture: Used Velociraptor to dump RAM from isolated host
    • Disk Imaging: Created forensic image via FTK Imager Lite
    • Registry Analysis: Extracted USB mounting artifacts and AutoRun entries
    • File System Timeline: Built SuperTimeline of file system changes
  2. Malware Analysis:
    • Static Analysis: Uploaded update_scan.exe to VirusTotal (68/72 detections)
    • Dynamic Analysis: Executed in ANY.RUN sandbox – identified as Cobalt Strike beacon
    • Network Analysis: Captured packet capture of C2 communication attempt
  3. USB Device Analysis:
    • Hardware Examination: Device had physically altered casing
    • Firmware Analysis: Identified BadUSB firmware with HID keyboard emulation capabilities
    • Hidden Partition: 8GB encrypted partition containing additional payloads

Phase 3: Threat Hunting & Scope Assessment (12:00-13:30 EST)

Tools: Splunk Enterprise Security, Tanium, Microsoft Defender for Identity

  1. Enterprise-Wide Search:splunkindex=endpoint sourcetype=WinEventLog:Security EventCode=6416 | stats count by ComputerName, DeviceDescription, _time | where count > 1 AND _time > relative_time(now(), “-7d”)
    • Found 3 other marketing workstations with similar USB events in past week
    • No successful executions on other systems
  2. Lateral Movement Check:
    • No RDP/SMB connections from compromised host
    • No credential dumping tools detected
    • Azure AD logs showed no suspicious authentication attempts
  3. Data Exfiltration Assessment:
    • Reviewed Data Loss Prevention (DLP) logs – no large file transfers
    • Firewall egress logs showed only blocked C2 attempts
    • Email security gateway showed no suspicious attachments sent

Phase 4: Containment & Eradication (13:30-15:00 EST)

Tools: Microsoft Endpoint Manager, Active Directory, Group Policy

  1. Immediate Containment Actions:
    • Workstation removed from network via switch port shutdown (Cisco ISE)
    • User account password reset with MFA re-enrollment
    • USB device physically destroyed after evidence collection
  2. Malware Eradication:
    • Booted from clean WinPE environment
    • Removed registry keys:
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update_scan
      • HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_55A3
    • Deleted malicious files and scheduled tasks
    • Cleared prefetch and ShimCache entries
  3. Persistence Removal:
    • Removed WMI event subscriptions
    • Cleared suspicious services
    • Reset Group Policy to secure baseline

Phase 5: Recovery & Hardening (15:00-16:30 EST)

Tools: Microsoft Deployment Toolkit, Microsoft Intune, Nessus

  1. System Restoration:
    • Re-imaged workstation using MDT
    • Applied latest security patches and updates
    • Restored user data from OneDrive (verified clean)
  2. Security Control Enhancements:
    • Updated Device Control GPO: Block all unauthorized USB devices
    • Enabled Windows Defender Application Control for removable media
    • Implemented USB Restricted Mode via Microsoft Intune
    • Deployed BIOS-level USB restrictions
  3. Policy Updates:
    • Revised USB device usage policy for marketing department
    • Implemented mandatory security awareness training
    • Created incident response playbook for hardware attacks

Jira Incident Report

Ticket: SOC-INC-2024-018
Status: RESOLVED
Priority: P1 – HIGH
Components: Endpoint-Security, Incident-Response, Physical-Security
Labels: T1200, hardware-addition, USB-threat, marketing-department, edr-detection
Assignee: Senior SOC Analyst
Reporter: EDR Automated Alerting

Incident Analysis: Unauthorized Hardware Addition (MITRE ATT&CK T1200)

1. Executive Summary

On January 18, 2024, at 10:15 EST, CrowdStrike Falcon EDR detected a Hardware Additions attack involving unauthorized USB device installation on marketing workstation MKT-WS-112. The attack leveraged social engineering (USB drop in parking lot) and attempted to establish C2 communication with known threat actor infrastructure. Immediate containment prevented data exfiltration or lateral movement.

2. Incident Timeline

10:14:22 - USB device connected to MKT-WS-112
10:15:34 - EDR alert generated, automated containment initiated
10:16:00 - SOC analyst assigned, investigation begins
10:20:00 - Workstation network isolation confirmed
10:25:00 - User account disabled, physical security alerted
10:30:00 - Forensic collection initiated (memory, disk image)
11:15:00 - Malware analysis completed (Cobalt Strike beacon)
12:30:00 - Threat hunting confirms no lateral movement
13:45:00 - System remediation begins
15:30:00 - Workstation re-imaged and hardened
16:00:00 - User re-educated, policies updated
16:30:00 - Incident resolved

3. Technical Findings

Attack Vector Analysis:

  • Initial Access: Physical USB device (spoofed SanDisk Ultra Fit)
  • Execution: AutoRun registry modification → update_scan.exe execution
  • Persistence: WMI event subscription for persistence
  • C2 Communication: TLS-encrypted beacon to 185.243.115[.]67:443
  • Capabilities: Keylogging, screenshot capture, reverse shell

Forensic Evidence:

File System Artifacts:
- C:\Windows\Temp\update_scan.exe (SHA256: 7a3f9b2c8d1e5f6a...)
- C:\Users\jwilson\AppData\Local\Temp\cs_beacon.dll
- C:\Windows\Prefetch\UPDATESCAN.EXE.pf

Registry Modifications:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update_scan
- HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_55A3
- HKU\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Network Indicators:
- Destination: 185.243.115[.]67:443
- Protocol: TLS 1.3 with custom cipher suite
- Beacon Interval: 180 seconds

4. Containment Actions

Immediate Containment (10:15-10:30 EST):

  • ✅ Network isolation via CrowdStrike Falcon Containment
  • ✅ User account disabled (Active Directory)
  • ✅ Malicious IP blocked at firewall and DNS
  • ✅ Physical device confiscated by security

Forensic Collection (10:30-12:00 EST):

  • ✅ Memory dump captured via Velociraptor
  • ✅ Disk image created for offline analysis
  • ✅ Registry and file system artifacts preserved
  • ✅ Network packet capture saved

5. Eradication & Recovery

System Remediation (13:45-15:30 EST):

  • ✅ Complete system re-image using Microsoft Deployment Toolkit
  • ✅ Registry cleanup: Removed 4 malicious keys
  • ✅ File removal: Deleted 6 malicious executables
  • ✅ Persistence elimination: Cleared WMI subscriptions and scheduled tasks

Security Control Updates:

  • ✅ Device Control Policy updated: Block all unauthorized USB devices
  • ✅ Windows Defender Application Control enabled for removable media
  • ✅ USB Restricted Mode implemented via Microsoft Intune
  • ✅ Enhanced logging enabled for USB device events

6. Root Cause Analysis

Primary Root Cause:
Insufficient Device Control Policies allowed unsigned USB driver installation despite Group Policy restrictions. The policy exception for “temporary devices” was exploited.

Contributing Factors:

  1. Technical: No hardware-based USB port control on marketing workstations
  2. Process: Inadequate incident response playbook for physical attacks
  3. Human: User susceptibility to social engineering (USB drop attack)
  4. Policy: Delayed security patch deployment for USB vulnerabilities

7. Indicators of Compromise (IoCs)

Host-based IoCs:

text

Files:
- update_scan.exe: SHA256=7a3f9b2c8d1e5f6a...
- cs_beacon.dll: SHA256=9b8c7d6e5f4a3b2c...

Registry Keys:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update_scan
- HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_55A3

Processes:
- update_scan.exe (PID: 4821)
- powershell.exe -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdw...

Network IoCs:

text

IP Addresses:
- 185.243.115.67:443 (Primary C2)
- 194.165.16.89:80 (Fallback C2)

Domains:
- secure-update[.]online
- flash-driver[.]com

8. Business Impact Assessment

Impact Level: MEDIUM

  • Confidentiality: Low (no data accessed/exfiltrated)
  • Integrity: Low (no system modifications beyond malware installation)
  • Availability: Low (single workstation affected, 6 hours downtime)
  • Reputational: Medium (requires disclosure to marketing clients)

Affected Assets:

  • 1 workstation (MKT-WS-112)
  • 1 user account (jwilson)
  • Marketing department file shares (accessed but not modified)

9. Lessons Learned & Improvements

Immediate Actions (Completed):

  • Update Device Control GPO to block all unsigned USB drivers
  • Implement USB device whitelisting via hardware hashes
  • Deploy CrowdStrike prevention policy for USB execution
  • Conduct security awareness briefing for marketing department

Short-term Improvements (30 days):

  • Implement physical USB port locks for marketing workstations
  • Deploy Microsoft Defender Application Control (WDAC)
  • Create automated IR playbook for T1200 incidents
  • Conduct purple team exercise focusing on hardware attacks

Long-term Enhancements (90 days):

  • Evaluate hardware security modules for USB control
  • Implement zero-trust architecture for endpoint devices
  • Deploy behavioral analytics for physical security events
  • Integrate threat intelligence for USB-based campaigns

10. Resolution Verification

Technical Verification:

  • ✅ CrowdStrike Falcon: Endpoint shows clean bill of health
  • ✅ Splunk SIEM: No further malicious activity detected
  • ✅ Network Monitoring: No outbound connections to IoCs
  • ✅ Vulnerability Scan: No critical vulnerabilities present

Business Verification:

  • ✅ User account restored with MFA enforcement
  • ✅ Workstation fully functional with all applications
  • ✅ No data loss confirmed via DLP logs
  • ✅ Business operations resumed normally

11. Conclusion

This Hardware Additions attack was successfully contained due to robust EDR detection capabilities and rapid SOC response procedures. While the attack demonstrated sophisticated social engineering techniques, our defense-in-depth strategy prevented any data compromise or lateral movement.

Closure Rationale: All malicious artifacts eradicated, security controls enhanced, monitoring improved, and user re-educated. No evidence of persistent threat remains.

Analyst: [Walter White], Senior SOC Analyst
Date: 2024-01-18 17:00 EST
Approval: SOC Manager
References: MITRE ATT&CK T1200, NIST SP 800-53 (PE-3, MP-7), CIS Control 14.6

Leave a Comment