From 269d7eafa721a1b5555b35c0b560bb53ad84e646 Mon Sep 17 00:00:00 2001
From: Michael Melone <64156578+mjmelone@users.noreply.github.com>
Date: Fri, 17 Sep 2021 11:23:45 -0400
Subject: [PATCH] Updated to use the new UsbDriveMounted event
---
Exfiltration/Possible File Copy to USB Drive.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/Exfiltration/Possible File Copy to USB Drive.md b/Exfiltration/Possible File Copy to USB Drive.md
index 481d5876..3844d3b6 100644
--- a/Exfiltration/Possible File Copy to USB Drive.md
+++ b/Exfiltration/Possible File Copy to USB Drive.md
@@ -13,14 +13,15 @@ let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search
 let TimespanInSeconds = 900; // Period of time between device insertion and file copy
 let Connections = DeviceEvents
-| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
-| extend parsed = parse_json(AdditionalFields)
-| project DeviceId,ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
-| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
+| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "UsbDriveMounted"
+| extend AdditionalFields = parse_json(AdditionalFields)
+| project ConnectionTime = Timestamp, DeviceId, AdditionalFields
+| evaluate bag_unpack(AdditionalFields);
 DeviceFileEvents
 | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
 | join kind=inner Connections on DeviceId
 | where datetime_diff('second',Timestamp,ConnectionTime) <= TimespanInSeconds
+| project Timestamp, DeviceId, DeviceName, FolderPath, SHA1, SHA256, MD5, LoggedOnUsers, ConnectionTime, BusType, Manufacturer, ProductName, ProductRevision, SerialNumber, Volume
 ```
 ## Category
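Review bot: The added final `project` line drops `ReportId`, `FileName`, `InitiatingProcessFileName` and `InitiatingProcessAccountName`, so the output can no longer be saved as a custom detection rule (those require `Timestamp`, `ReportId` and a device or account column such as `DeviceId`) and no longer shows which process and account wrote the file; add `ReportId, FileName, InitiatingProcessAccountName, InitiatingProcessFileName` to that line. The column set produced by `evaluate bag_unpack(AdditionalFields)` is derived from the matched data, so if `BusType`, `Manufacturer`, `ProductName`, `ProductRevision`, `SerialNumber` or `Volume` is missing from every UsbDriveMounted event in the queried range, the `project` that names them fails rather than returning empty values. Extending the fields explicitly, e.g. `| extend SerialNumber = tostring(AdditionalFields.SerialNumber)`, keeps the query valid regardless of bag content and avoids bag_unpack's default error when a bag key collides with an existing column. The unchanged window check `| where datetime_diff('second',Timestamp,ConnectionTime) <= TimespanInSeconds` has no lower bound, so file events written before the drive was mounted (negative difference) are reported as well; `| where datetime_diff('second',Timestamp,ConnectionTime) between (0 .. TimespanInSeconds)` limits it to writes after the mount.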