ForeScout Alert Details
Alert ID: FORESCOUT-HW-ADD-7842
Alert Time: 2024-02-11 13:45:22 EST
Severity: HIGH (82/100)
Source: ForeScout CounterACT
Rule: “Unauthorized USB Device – BadUSB Characteristics”
MITRE ATT&CK: T1200 – Hardware Additions
Alert Details:
Device Detection:
– Host: RND-WS-056 (Research & Development)
– User: cpark (Chris Park, Research Scientist)
– Time: 13:42 EST
– USB Port: Front panel
USB Device Details:
– Vendor ID: 0781 (SanDisk)
– Product ID: 5583
– Serial: 4C530110730123119471 (spoofed/invalid)
– Reported Name: “SanDisk Ultra Fit”
– Reported Capacity: 32GB
– Visible Capacity: 16GB (remaining 16GB in a hidden partition)
Anomaly Detection:
– Device Type: Mass Storage + HID Keyboard composite device
– HID Keyboard capability: Can emulate keystrokes (BadUSB)
– Driver Signature: Unsigned (violates policy)
– First connection: Never seen before in environment
– Policy Violation: Unauthorized USB device with HID capabilities
Additional Context:
– R&D department has strict USB policies
– User has no approved USB device exception
– Device connected 12 minutes after user returned from lunch
– Building access logs: User badge used at 13:30 (return from lunch)
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify ForeScout alert | ForeScout Console | Confirmed unauthorized USB with HID capabilities |
| 2. Immediate Containment | Disable USB port remotely | ForeScout, Network Access Control | USB port disabled; host quarantined |
| 3. Physical Security | Dispatch security to user location | Security Team, Badge Logs | User located; USB device confiscated |
| 4. Endpoint Scan | Check for malware execution | CrowdStrike Falcon | No evidence of keystroke injection or malware |
| 5. User Interview | Interview user about device | HR, Security | User found device in parking lot; plugged in to “see what was on it” |
| 6. Device Analysis | Forensically examine USB | FTK Imager, Sandbox | Device contains BadUSB firmware; hidden partition with payloads |
Jira Incident Report
Ticket: SOC-2024-060
Summary: T1200 – Hardware Additions – BadUSB Device Connected in R&D
Status: RESOLVED
Resolution: MALICIOUS – Device Confiscated, No Compromise
Priority: P1 – HIGH
Labels: T1200, hardware-additions, badusb, removable-media, forescout, r&d
Components: Endpoint-Security, Physical-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: ForeScout CounterACT (NAC + Device Control).
- Alert: “Unauthorized USB Device – BadUSB Characteristics”.
- Host: RND-WS-056 (R&D Department, user cpark).
- Time: 2024-02-11 13:45 EST.
- Technique: MITRE ATT&CK T1200 – Hardware Additions.
2. Technical Analysis:
- Device Details:
  - Physical Appearance: SanDisk Ultra Fit (spoofed)
  - Actual Function: BadUSB device with HID keyboard emulation
  - Vendor/Product ID: Legitimate SanDisk IDs (0781:5583) presented by a non-SanDisk device
  - Serial Number: Invalid (manufacturer-reserved range)
  - Partitions: Visible 16GB + Hidden 16GB (encrypted); 32GB reported total
- Capabilities:
  - Can emulate a keyboard to inject keystrokes
  - Hidden partition contains:
    - PowerShell reverse shell scripts
    - Keylogger installer
    - Cobalt Strike beacon (packed)
  - AutoRun disabled by host policy; no payload could launch on insertion
- User Actions:
  - User found device in parking lot at 13:25
  - Returned to desk at 13:30
  - Plugged in device at 13:42
  - ForeScout detected the device at connection; device-control policy blocked the HID interface
  - No keystroke injection occurred (HID interface blocked by policy)
- Endpoint Status:
  - CrowdStrike scan: No malware execution
  - No registry changes
  - No persistence installed
3. Investigation Findings:
- Timeline:
  13:25 – User finds USB in parking lot
  13:30 – User returns to desk
  13:42 – User plugs in USB
  13:42 – ForeScout detects unauthorized device
  13:45 – ForeScout alert generated
  13:46 – SOC investigation begins
  13:47 – USB port disabled remotely
  13:50 – Security dispatched
  13:55 – Device confiscated
- Indicators of Compromise (IoCs):
  USB Device:
  – VID: 0781, PID: 5583 (spoofed)
  – Serial: 4C530110730123119471
  – Name: “SanDisk Ultra Fit”
  Files on Hidden Partition:
  – inject.exe (SHA256: a1b2c3…)
  – keylogger.dll (SHA256: d4e5f6…)
  – beacon.bin (SHA256: g7h8i9…)
4. Containment Actions:
- Immediate Actions (13:45-13:55 EST):
  - USB port disabled via ForeScout policy.
  - Host quarantined from network.
  - Device confiscated by security.
  - User interviewed; HR notified.
- Endpoint Remediation:
  - Full scan with CrowdStrike (clean).
  - No reimage needed (no execution).
- Policy Update:
  - Immediate reminder to all employees about USB security.
  - Enhanced physical security patrols in parking areas.
5. Root Cause Analysis:
- Primary Cause: User plugged in unknown USB device found in parking lot.
- Contributing Factors:
- Curiosity overcame security training.
- No physical security controls in parking lot.
- Device designed to look legitimate.
6. Business Impact:
- Operational Impact: R&D workstation offline for 2 hours.
- Data Exposure: None (device blocked before execution).
- Reputational Impact: None.
7. Remediation & Prevention:
Completed Actions:
- Device confiscated and analyzed.
- User disciplined and re-trained.
- Policy reminder sent company-wide.
Technical Controls Enhanced:
- ForeScout policy updated to block HID-capable USB devices that are not on the approved-device list (a blanket HID block would also reject keyboards and mice).
- Enabled Microsoft Defender for Endpoint Device Control with an allow-list keyed on VID/PID and device serial number; VID/PID alone would have admitted this device, since it presented legitimate SanDisk identifiers.
- Added USB awareness to quarterly security training.
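The anomaly-detection criteria in the alert (composite mass storage + HID interface, legitimate-looking VID/PID, never-seen serial) and the allow-list controls above can be shown together in working code. The following is an added example, not part of the original report and not ForeScout's or Defender's own logic: it parses a USB configuration descriptor to enumerate the interface classes a device exposes, then evaluates the device against a weak VID/PID-only allow-list and a strict one that also requires a registered serial and rejects HID beside mass storage. The descriptor bytes, the approved serial number and the policy contents are constructed for the example; the VID, PID and serial of the blocked device are the values from the alert.

```python
"""Added example (not from the incident report, ForeScout or Defender): parse a
USB configuration descriptor and evaluate the device against two allow-lists.
Descriptor bytes, the approved serial and policy contents are constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# USB-IF class codes and descriptor types used below
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
DESC_CONFIGURATION = 0x02
DESC_INTERFACE = 0x04
DESC_ENDPOINT = 0x05
DESC_HID = 0x21


def parse_interface_classes(config_descriptor: bytes) -> list[int]:
    """Walk the descriptor chain (each descriptor starts with bLength and
    bDescriptorType) and return bInterfaceClass of every interface descriptor.
    Malformed lengths raise instead of looping forever or reading past the end."""
    classes: list[int] = []
    offset = 0
    while offset < len(config_descriptor):
        if offset + 2 > len(config_descriptor):
            raise ValueError("truncated descriptor header")
        length = config_descriptor[offset]
        dtype = config_descriptor[offset + 1]
        if length < 2 or offset + length > len(config_descriptor):
            raise ValueError(f"bad bLength {length} at offset {offset}")
        if dtype == DESC_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            classes.append(config_descriptor[offset + 5])  # bInterfaceClass
        offset += length
    return classes


# --- constructed descriptors -------------------------------------------------
def _config(total_len: int, num_ifaces: int) -> bytes:
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus powered), bMaxPower (100 mA)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, total_len, num_ifaces, 1, 0, 0x80, 50)

def _interface(num: int, cls: int, subcls: int, proto: int, n_ep: int) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, num, 0, n_ep, cls, subcls, proto, 0)

def _endpoint(addr: int, attrs: int, max_packet: int, interval: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, attrs, max_packet, interval)

# Mass storage interface: SCSI transparent command set, bulk-only transport
MSC = (_interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)
       + _endpoint(0x01, 0x02, 512, 0) + _endpoint(0x81, 0x02, 512, 0))
# HID interface: boot-protocol keyboard with its class-specific HID descriptor
HID = (_interface(1, CLASS_HID, 0x01, 0x01, 1)
       + struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, 63)
       + _endpoint(0x82, 0x03, 8, 10))

SANDISK_DESCRIPTOR = _config(9 + len(MSC), 1) + MSC            # plain flash drive (constructed)
BADUSB_DESCRIPTOR = _config(9 + len(MSC) + len(HID), 2) + MSC + HID  # MSC + keyboard (constructed)


# --- policy evaluation -------------------------------------------------------
@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: tuple[int, ...]

@dataclass(frozen=True)
class Policy:
    allowed_vid_pid: frozenset[tuple[int, int]]
    allowed_serials: frozenset[str] | None   # None = serial not checked
    block_hid_beside_storage: bool

def evaluate(device: UsbDevice, policy: Policy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); any reason denies the device."""
    reasons: list[str] = []
    if (device.vid, device.pid) not in policy.allowed_vid_pid:
        reasons.append("VID/PID not on allow-list")
    if policy.allowed_serials is not None and device.serial not in policy.allowed_serials:
        reasons.append("serial not on allow-list (never seen before)")
    if (policy.block_hid_beside_storage
            and CLASS_HID in device.interface_classes
            and CLASS_MASS_STORAGE in device.interface_classes):
        reasons.append("composite mass storage + HID keyboard (BadUSB characteristic)")
    return (not reasons, reasons)

# VID 0781 / PID 5583 and the serial are the values reported in the alert
BADUSB = UsbDevice(0x0781, 0x5583, "4C530110730123119471",
                   tuple(parse_interface_classes(BADUSB_DESCRIPTOR)))
# Constructed: an approved R&D drive with the same VID/PID but a registered serial
APPROVED = UsbDevice(0x0781, 0x5583, "4C530001230000000001",
                     tuple(parse_interface_classes(SANDISK_DESCRIPTOR)))

WEAK_POLICY = Policy(frozenset({(0x0781, 0x5583)}), None, False)
STRICT_POLICY = Policy(frozenset({(0x0781, 0x5583)}), frozenset({APPROVED.serial}), True)

if __name__ == "__main__":
    for name, dev in (("badusb", BADUSB), ("approved", APPROVED)):
        for pname, pol in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
            allowed, why = evaluate(dev, pol)
            print(f"{name:8} {pname:6} -> {'ALLOW' if allowed else 'BLOCK'} {why}")
```

Run directly, the script prints four verdicts; the one that matters is the first: the VID/PID-only policy admits the BadUSB device because it presents SanDisk's real identifiers, while the strict policy blocks it on both the unregistered serial and the HID interface sitting beside mass storage. The approved drive passes both policies because it exposes only a mass-storage interface and its serial is registered.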
8. Conclusion:
This incident involved a BadUSB device planted in the parking lot and connected by an employee. ForeScout’s device control detected the unauthorized HID-capable device and blocked it before any keystroke injection could occur. No compromise resulted.
Closure Rationale: Device confiscated; user educated; technical controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 15:30 EST