

1. EDR Alert Narrative: Unauthorized Hardware Addition

Detection Source: Microsoft Defender for Endpoint (MDE)
Alert ID: INC-2023-0915-T1200
Alert Time: 2023-11-15 14:22:18 UTC
Severity: High (85/100)
MITRE ATT&CK: T1200 – Hardware Additions

Affected Host:

  • Hostname: FIN-WS-045
  • IP Address: 10.10.45.121
  • Department: Finance/Accounts Payable
  • User: rbennett (Rachel Bennett)
  • Operating System: Windows 10 Enterprise 21H2

Detection Logic:
The Microsoft Defender for Endpoint Device Control policy violation is triggered when the following sequence is observed:

  1. Unauthorized USB Mass Storage Device connected without pre-approved hardware hash
  2. Device installed drivers from unrecognized publisher
  3. Subsequent process creation from removable media within 2 minutes of connection

Alert Details:

Event Sequence:
14:20:32 - Unknown USB Device connected (VID: 0781, PID: 5583)
14:20:45 - Driver installation attempted: "Generic Mass Storage Driver"
14:20:58 - Windows Device Installation Policy bypass detected
14:21:15 - AutoRun registry key modification: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
14:21:30 - Process creation: C:\Windows\Temp\USBStorage\temp_update.exe
14:21:45 - Network connection attempted: 185.243.112[.]89:443 (Russia)
14:22:00 - Suspicious PowerShell execution with encoded command
14:22:18 - MDE Alert: "Unauthorized hardware addition with malicious payload"

Device Information:
- USB Vendor ID: 0781 (SanDisk)
- Product ID: 5583
- Serial Number: 4C530110730123119468 (spoofed)
- Device Name: "SanDisk Cruzer Blade"
- Reported Capacity: 32GB (actual: 16GB with hidden partition)

Threat Intelligence Context:
- IP 185.243.112[.]89 associated with TA505 (Fin7) ransomware operations
- Similar USB drop campaigns observed targeting financial sectors Q3 2023

2. SOC Triage and Investigation Methodology

Phase 1: Initial Triage and Validation

Tools: Microsoft Defender for Endpoint, Jira Service Management, Active Directory

  1. Alert Verification (14:23-14:30 UTC):
    • Confirmed MDE alert legitimacy via Microsoft 365 Defender portal
    • Verified device control policy violation logs
    • Checked user’s physical location via badge access logs (Finance floor, Cubicle 45B)
  2. Immediate Containment Actions:
    • Initiated device network isolation via MDE Automated Response
    • Disabled user’s Active Directory account
    • Blocked malicious IP at firewall (Palo Alto Networks PAN-OS)

Phase 2: Forensic Investigation

Tools: CrowdStrike Falcon, Splunk SIEM, Velociraptor, FTK Imager

  1. Endpoint Forensics (14:30-15:15 UTC):
    • Memory Acquisition: Captured RAM using Velociraptor’s memory dump module
    • Disk Imaging: Created forensic image of affected workstation via FTK Imager Agent
    • Process Analysis: Examined temp_update.exe with CrowdStrike Falcon Insight
    • Registry Analysis: Extracted USB device installation artifacts from SYSTEM hive
  2. Log Correlation (15:15-15:45 UTC):
    • SIEM Search: Splunk queries for similar USB events across enterprise
    • Network Logs: Checked firewall and proxy logs (Zscaler) for C2 communication
    • Identity Logs: Azure AD sign-in logs for suspicious authentication events
  3. Malware Analysis (15:45-16:30 UTC):
    • Static Analysis: VirusTotal API integration for file hash reputation
    • Dynamic Analysis: ANY.RUN sandbox execution of temp_update.exe
    • Payload Analysis: Identified embedded Cobalt Strike beacon in USB firmware

Phase 3: Scope Determination

Tools: Tanium, Microsoft Defender for Identity, Cisco ISE

  1. Lateral Movement Assessment:
    • No evidence of network traversal detected
    • User account showed no unusual authentication patterns
    • Endpoint detection rules showed no follow-on exploitation
  2. Environmental Impact Analysis:
    • Single workstation compromise confirmed
    • No sensitive data exfiltration detected
    • Finance systems remained uncompromised

3. Security Tools Utilization Matrix


4. Containment, Eradication & Recovery Actions

Containment Procedures

  1. Immediate Network Isolation (14:25 UTC):
    • MDE initiated device quarantine via network location change
    • Cisco ISE policy updated to block switch port access
    • Wireless network association terminated
  2. Access Control Enforcement:
    • User account disabled in Active Directory
    • VPN access revoked via Pulse Secure policy
    • Physical access to workspace suspended via badge deactivation

Eradication Measures

  1. Malware Removal (16:45-17:30 UTC):
    • Booted workstation from clean Windows PE environment
    • Removed malicious registry entries and scheduled tasks
    • Deleted hidden partition on USB device using diskpart
    • Replaced compromised USB drivers with Microsoft-signed versions
  2. Persistence Mechanism Elimination:
    • Cleared AutoRun registry keys
    • Removed malicious LNK files from Startup folder
    • Reset Group Policy settings to enterprise baseline

Recovery and Hardening

  1. System Restoration (17:30-18:00 UTC):
    • Re-imaged workstation using Microsoft Deployment Toolkit
    • Applied latest security patches and Windows updates
    • Restored user data from OneDrive backup (verified clean)
  2. Policy Enhancements:
    • Updated Device Control GPO to block all removable storage by default
    • Implemented Microsoft Intune compliance policy for USB devices
    • Enabled Windows Defender Application Control (WDAC) for USB executables

5. Root Cause Analysis and Lessons Learned

Primary Root Causes

  1. Policy Gap: Device Control Policy allowed unsigned USB driver installation
  2. User Awareness: Insufficient training on physical security threats
  3. Monitoring Gap: USB device events not correlated with process creation alerts

Security Control Improvements

  1. Technical Controls:
    • Implement hardware-based USB restrictions via BIOS settings
    • Deploy Microsoft Defender Application Guard for Hardware
    • Enable Windows Defender Exploit Guard USB restrictions
  2. Process Improvements:
    • Monthly USB policy compliance audits via Tanium
    • Enhanced physical security awareness training modules
    • Implement “clean desk” policy enforcement for sensitive departments
  3. Detection Enhancements:
    • Create Splunk correlation: USB insertion + process creation + network connection
    • Deploy Microsoft Sentinel watchlist for authorized USB devices
    • Implement network segmentation for workstations with USB access requirements
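The detection logic in Section 1 and the Splunk correlation recommended above (USB insertion + process creation + network connection) implemented as a small, offline Python correlation. This is an added example, not code from the report or from any of the products named; the event field names, the approved-device allowlist and the path heuristic for "launched from removable media" are assumptions, and the sample events are constructed to mirror the FIN-WS-045 timeline.

```python
"""Correlate USB insertion, process creation and outbound connection into one alert."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # process must start within 2 minutes of insertion
# Assumed allowlist keyed by VID:product:serial (stands in for the pre-approved hardware hash).
APPROVED_DEVICES = {"0781:5583:CONSTRUCTED-APPROVED-0001"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def from_removable_or_staging(image):
    """Assumed heuristic: not on the system drive, or staged under C:\\Windows\\Temp."""
    p = image.lower()
    return not p.startswith("c:\\") or p.startswith("c:\\windows\\temp\\")

def correlate(events, approved=APPROVED_DEVICES):
    """One alert per unapproved USB insertion followed within WINDOW by a process launch
    from removable/staging media on the same host; connections by that process raise severity."""
    alerts, by_host = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, usb in enumerate(evs):
            if usb["type"] != "usb_connect":
                continue
            device = f'{usb["vid"]}:{usb["product"]}:{usb["serial"]}'
            if device in approved:
                continue  # pre-approved hardware: no alert
            deadline = _ts(usb["ts"]) + WINDOW
            for proc in evs[i + 1:]:
                if proc["type"] != "process_create" or _ts(proc["ts"]) > deadline:
                    continue
                if not from_removable_or_staging(proc["image"]):
                    continue
                dests = [n["dest"] for n in evs if n["type"] == "net_connect"
                         and n["pid"] == proc["pid"] and _ts(n["ts"]) >= _ts(proc["ts"])]
                alerts.append({"host": host, "device": device, "image": proc["image"],
                               "dests": dests, "severity": "High" if dests else "Medium"})
    return alerts

def ev(ts, host, kind, **fields):
    return {"ts": ts, "host": host, "type": kind, **fields}

# Constructed events: the FIN-WS-045 timeline plus an approved device and an out-of-window launch.
SAMPLE_EVENTS = [
    ev("2023-11-15 14:20:32", "FIN-WS-045", "usb_connect", vid="0781", product="5583", serial="4C530110730123119468"),
    ev("2023-11-15 14:21:30", "FIN-WS-045", "process_create", pid=4120, image=r"C:\Windows\Temp\USBStorage\temp_update.exe"),
    ev("2023-11-15 14:21:45", "FIN-WS-045", "net_connect", pid=4120, dest="185.243.112[.]89:443"),
    ev("2023-11-15 14:05:00", "FIN-WS-012", "usb_connect", vid="0781", product="5583", serial="CONSTRUCTED-APPROVED-0001"),
    ev("2023-11-15 09:00:00", "HR-WS-007", "usb_connect", vid="0781", product="5583", serial="CONSTRUCTED-UNKNOWN-0002"),
    ev("2023-11-15 09:05:00", "HR-WS-007", "process_create", pid=880, image=r"E:\slides.exe"),  # 5 min later: no alert
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single High alert for FIN-WS-045; the approved device and the launch outside the two-minute window produce nothing.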

6. Incident Metrics and KPIs

  • Time to Detect: 2 minutes 46 seconds
  • Time to Contain: 7 minutes 12 seconds
  • Time to Resolve: 3 hours 38 minutes
  • Dwell Time: None (pre-detonation detection)
  • Affected Assets: 1 endpoint (0.02% of environment)
  • Business Impact: Low (no data loss, minimal downtime)

JIRA ANALYST COMMENT

Jira Ticket: SOC-2023-0915
Status: Resolved
Priority: P1 - High
Labels: T1200, hardware-addition, USB-threat, finance-department, EDR-detection
Components: Endpoint-Security, Device-Control, Incident-Response


INCIDENT ANALYSIS: UNAUTHORIZED HARDWARE ADDITION (T1200)

1. Incident Summary:
On 15-NOV-2023 at 14:22 UTC, Microsoft Defender for Endpoint detected and blocked a Hardware Additions attack (MITRE ATT&CK T1200) targeting finance workstation FIN-WS-045. An unauthorized USB device with embedded malware was connected, attempting to establish C2 communication with known threat actor infrastructure. The attack was contained pre-detonation with no lateral movement or data compromise.

2. Forensic Findings:

  • Attack Vector: Spoofed SanDisk USB device (VID:0781/PID:5583) with malicious firmware
  • Payload: temp_update.exe delivering Cobalt Strike beacon variant CS-2023-11-A
  • Persistence: Registry AutoRun key modification (HKLM…\Run\USBUpdate)
  • C2 Infrastructure: 185.243.112[.]89:443 (Russia, associated with TA505)
  • Execution Chain: USB Insertion → Driver Installation → AutoRun Execution → temp_update.exe → PowerShell Downloader → Cobalt Strike Beacon → C2 Communication Attempt
  • Indicators of Compromise (IOCs):
    • File: temp_update.exe (SHA256: a3f4b…)
    • IP: 185.243.112[.]89
    • Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USBUpdate
    • USB Serial: 4C530110730123119468

3. Investigation Details:

  • Scope Analysis: Isolated incident to single endpoint. No evidence of credential theft, lateral movement, or data exfiltration.
  • User Interview: User reported finding the USB device in the parking lot with a “Q4 Financial Reports” label (classic baiting technique).
  • Threat Intelligence: Campaign matches TA505 “USB Drop” tactics targeting financial sectors during quarter-end.

4. Containment Actions Executed:

  1. 14:25 UTC: Device network isolation via MDE Automated Response
  2. 14:27 UTC: User account disabled (Active Directory)
  3. 14:28 UTC: Malicious IP blocked (Palo Alto Firewall)
  4. 14:30 UTC: Physical workspace secured (Facilities notified)
  5. 16:45 UTC: Malicious artifacts removed (Forensics team)

5. Root Cause Analysis:

  • Primary: Device Control Policy exception allowed unsigned USB drivers
  • Contributing:
    • BIOS USB restrictions not enforced on finance workstations
    • Delayed patching for CVE-2023-36802 (Windows USB Driver vulnerability)
    • Insufficient user awareness of physical social engineering threats

6. Remediation Complete:

  • Workstation FIN-WS-045 re-imaged and hardened
  • User rbennett completed security awareness training
  • Device Control GPO updated (Block all unsigned USB drivers)
  • BIOS USB restrictions deployed via Microsoft Intune
  • New Splunk correlation alert deployed: USB_Insertion_Malicious_Execution
  • Finance department USB access now requires managerial approval

7. Resolution Evidence:

  • MDE shows workstation clean (last scan: 18:00 UTC)
  • Network monitoring confirms no further C2 attempts
  • User successfully re-authenticated with MFA (Duo Security)
  • All IOCs added to blocklists (Firewall, EDR, DNS filtering)

8. Recommendations for Prevention:

  1. Immediate: Enable Windows Defender Application Control for all USB media
  2. 30-Day: Implement USB device whitelisting via hardware hash
  3. 90-Day: Deploy USB port locks on sensitive department workstations

Closure Justification: All malicious activity contained and eradicated. Compromised system restored with enhanced security controls. Monitoring indicates no persistent threat. Incident documented for future threat hunting exercises.

Next Review: Schedule purple team exercise simulating T1200 attack for Q1 2024.

Analyst: [Your Name], Senior SOC Analyst
Date: 2023-11-15 18:30 UTC
Signature: [Digital Signature/Analyst ID]
