title: External Disk Drive Or USB Storage Device
author: Keith Wright
date: 2019/11/20
description: Detects external diskdrives or plugged in USB devices , EventID 6416
  on windows 10 or later
detection:
  SELECTION_1:
    EventID: 6416
  SELECTION_2:
    ClassName: DiskDrive
  SELECTION_3:
    DeviceDescription: USB Mass Storage Device
  condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
falsepositives:
- Legitimate administrative activity
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
level: low
logsource:
  product: windows
  service: security
modified: 2021/08/09
status: experimental
tags:
- attack.t1091
- attack.t1200
- attack.lateral_movement
- attack.initial_access
ruletype: SIGMA