USB connections are a commonly used method for transferring data between computers and other electronic devices. In Windows, the use of USB connections can affect the registry in several ways, including within the registry are the USB, USBSTOR and MountPoints keys. In this post, we'll explore the connection between USB Mountpoints and the setupapi.dev.log, and provide examples of both normal and malicious use cases.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
- Name
- Brand
- Rev
- Driver Version / Date / Provider
- Serial Number*
- If there is no SN, these are generated by the OS to avoid tracking issues.
Inspection
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Looking at H as a reference based on our example. We can see that there is similar Hex under two spots. This device does have two mounted volumes under F and H. Decrypting the Hex will provide us with similar string above which shows which device was last connected to this letter. This happens to be the device we are looking into. If you have a USB to compare, this will be very useful. Or you now have information to help you find the specific device.
Normal Behavior
In a normal use case scenario, a user connects a USB mass storage device to their computer and transfers data between the computer and the device. The USBSTOR key is updated with an entry for the device, and the MountPoints key is updated with an entry for the drive letter assigned to the device. The setupapi.dev.log records information about the installation of the USBSTOR and MountPoints registry keys, providing a record of the device and its usage.
Malicious Purposes
In a malicious use case scenario, an attacker could use a USB mass storage device to transfer malware to a computer. The USBSTOR and MountPoints keys would be updated with entries for the device, and the setupapi.dev.log would record information about the installation of the registry keys. The malware could then use the entries in the USBSTOR and MountPoints keys to execute malicious code on the computer, potentially compromising sensitive information or damaging the system.
Post a Comment