Sigma rules for CVE-2011-3045
11 rules · scoped to cve · back to CVE-2011-3045
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
- attack.initial-access
- attack.persistence
- attack.t1133
logsource:
category: registry_set
product: windows
detection:
chrome_ext:
TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
TargetObject|endswith: 'update_url'
chrome_vpn:
TargetObject|contains:
- fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
- fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
- bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
- gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
- jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
- gjknjjomckknofjidppipffbpoekiipm # VPN Free
- nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
- kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
- nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
- omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
- bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
- mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
- jljopmgdobloagejpohpldgkiellmfnc # PP VPN
- lochiccbgeohimldjooaakjllnafhaid # IP Unblock
- nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
- ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
- namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
- nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
- majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
- lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
- eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
- cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
- foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
- hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
- jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
- inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
- higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
- hipncndjamdcmphkgngojegjblibadbe # RusVPN
- iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
- nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
- jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
- fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
- ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
- keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
- hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
- poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
- dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
- kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
- klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
- lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
- pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
- jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
- jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
- hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
- ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
- kcndmbbelllkmioekdagahekgimemejo # VPN.AC
- jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
- bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
- ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
- oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
- bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
- knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
- dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
- jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
- mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
- omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
- npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
- akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
- gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
- aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
- cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
- ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
- ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
- jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
- apcfdffemoinopelidncddjbhkiblecc # Soul VPN
- mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
- oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
- plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
- mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
- bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
- aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
- lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
- knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
- bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
- edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
- eidnihaadmmancegllknfbliaijfmkgo # Push VPN
- ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
- macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
- chioafkonnhbpajpengbalkececleldf # BullVPN
- amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
- llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
- pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
- iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
- igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
- njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
- ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
- kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
- bnijmipndnicefcdbhgcjoognndbgkep # Veee
- lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
- dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
- egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
- ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
- bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
- almalgbpmcfpdaopimbdchdliminoign # Urban Shield
- akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
- gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
- bniikohfmajhdcffljgfeiklcbgffppl # Upnet
- lejgfmmlngaigdmmikblappdafcmkndb # uVPN
- ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
- gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
- pooljnboifbodgifngpppfklhifechoe # GeoProxy
- fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
- aakchaleigkohafkfjfjbblobjifikek # ProxFlow
- dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
- padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
- bfidboloedlamgdmenmlbipfnccokknp # PureVPN
condition: all of chrome_*
falsepositives:
- Unknown
level: high
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
- https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\chrome_frame_helper.dll'
filter_main_path:
ImageLoaded|startswith:
- 'C:\Program Files\Google\Chrome\Application\'
- 'C:\Program Files (x86)\Google\Chrome\Application\'
filter_optional_user_path:
ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
- id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'NoLMHash'
- ' 0'
condition: selection
falsepositives:
- Unknown
level: high
title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
status: test
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|contains: 'IPC'
RelativeTargetName: 'protected_storage'
condition: selection
falsepositives:
- Unknown
level: high
title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
- id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
title: Google Cloud Storage Buckets Modified or Deleted
id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
status: test
description: Detects when storage bucket is modified or deleted in Google Cloud.
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- storage.buckets.delete
- storage.buckets.insert
- storage.buckets.update
- storage.buckets.patch
condition: selection
falsepositives:
- Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'storage'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
title: Write Protect For Storage Disabled
id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
status: test
description: |
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
references:
- https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
author: Sreeman
date: 2021-06-11
modified: 2024-01-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control'
- 'Write Protection'
- '0'
- 'storage'
condition: selection
falsepositives:
- Unknown
level: medium
title: Google Cloud Storage Buckets Enumeration
id: e2feb918-4e77-4608-9697-990a1aaf74c3
status: test
description: Detects when storage bucket is enumerated in Google Cloud.
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
- attack.discovery
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- storage.buckets.list
- storage.buckets.listChannels
condition: selection
falsepositives:
- Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
This behavior is often commonly observed in credential stealing malware.
references:
- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
- attack.credential-access
- attack.t1555.003
- attack.discovery
- attack.t1217
logsource:
category: file_access
product: windows
detection:
selection_browser_paths:
FileName|contains:
- '\Sputnik\Sputnik'
- '\MapleStudio\ChromePlus'
- '\QIP Surf'
- '\BlackHawk'
- '\7Star\7Star'
- '\CatalinaGroup\Citrio'
- '\Google\Chrome'
- '\Coowon\Coowon'
- '\CocCoc\Browser'
- '\uCozMedia\Uran'
- '\Tencent\QQBrowser'
- '\Orbitum'
- '\Slimjet'
- '\Iridium'
- '\Vivaldi'
- '\Chromium'
- '\GhostBrowser'
- '\CentBrowser'
- '\Xvast'
- '\Chedot'
- '\SuperBird'
- '\360Browser\Browser'
- '\360Chrome\Chrome'
- '\Comodo\Dragon'
- '\BraveSoftware\Brave-Browser'
- '\Torch'
- '\UCBrowser\'
- '\Blisk'
- '\Epic Privacy Browser'
- '\Nichrome'
- '\Amigo'
- '\Kometa'
- '\Xpom'
- '\Microsoft\Edge'
- '\Liebao7Default\EncryptedStorage'
- '\AVAST Software\Browser'
- '\Kinza'
- '\Mozilla\SeaMonkey\'
- '\Comodo\IceDragon\'
- '\8pecxstudios\Cyberfox\'
- '\FlashPeak\SlimBrowser\'
- '\Moonchild Productions\Pale Moon\'
selection_browser_subpaths:
FileName|contains:
- '\Profiles\'
- '\User Data'
selection_cred_files:
- FileName|contains:
- '\Login Data'
- '\Cookies'
- '\EncryptedStorage'
- '\WebCache\'
- FileName|endswith:
- 'cert9.db'
- 'cookies.sqlite'
- 'formhistory.sqlite'
- 'key3.db'
- 'key4.db'
- 'Login Data.sqlite'
- 'logins.json'
- 'places.sqlite'
filter_main_img:
Image|endswith:
- '\Sputnik.exe'
- '\ChromePlus.exe'
- '\QIP Surf.exe'
- '\BlackHawk.exe'
- '\7Star.exe'
- '\Sleipnir5.exe'
- '\Citrio.exe'
- '\Chrome SxS.exe'
- '\Chrome.exe'
- '\Coowon.exe'
- '\CocCocBrowser.exe'
- '\Uran.exe'
- '\QQBrowser.exe'
- '\Orbitum.exe'
- '\Slimjet.exe'
- '\Iridium.exe'
- '\Vivaldi.exe'
- '\Chromium.exe'
- '\GhostBrowser.exe'
- '\CentBrowser.exe'
- '\Xvast.exe'
- '\Chedot.exe'
- '\SuperBird.exe'
- '\360Browser.exe'
- '\360Chrome.exe'
- '\dragon.exe'
- '\brave.exe'
- '\torch.exe'
- '\UCBrowser.exe'
- '\BliskBrowser.exe'
- '\Epic Privacy Browser.exe'
- '\nichrome.exe'
- '\AmigoBrowser.exe'
- '\KometaBrowser.exe'
- '\XpomBrowser.exe'
- '\msedge.exe'
- '\LiebaoBrowser.exe'
- '\AvastBrowser.exe'
- '\Kinza.exe'
- '\seamonkey.exe'
- '\icedragon.exe'
- '\cyberfox.exe'
- '\SlimBrowser.exe'
- '\palemoon.exe'
filter_main_path:
Image|contains:
- '\Sputnik\'
- '\MapleStudio\'
- '\QIP Surf\'
- '\BlackHawk\'
- '\7Star\'
- '\Fenrir Inc\'
- '\CatalinaGroup\'
- '\Google\'
- '\Coowon\'
- '\CocCoc\'
- '\uCozMedia\'
- '\Tencent\'
- '\Orbitum\'
- '\Slimjet\'
- '\Iridium\'
- '\Vivaldi\'
- '\Chromium\'
- '\GhostBrowser\'
- '\CentBrowser\'
- '\Xvast\'
- '\Chedot\'
- '\SuperBird\'
- '\360Browser\'
- '\360Chrome\'
- '\Comodo\'
- '\BraveSoftware\'
- '\Torch\'
- '\UCBrowser\'
- '\Blisk\'
- '\Epic Privacy Browser\'
- '\Nichrome\'
- '\Amigo\'
- '\Kometa\'
- '\Xpom\'
- '\Microsoft\'
- '\Liebao7\'
- '\AVAST Software\'
- '\Kinza\'
- '\Mozilla\'
- '\8pecxstudios\'
- '\FlashPeak\'
- '\Moonchild Productions\'
filter_main_system:
Image: System
ParentImage: Idle
filter_main_generic:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|contains: '\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_msiexec:
ParentImage: 'C:\Windows\System32\msiexec.exe'
filter_optional_other:
Image|endswith: '\everything.exe'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Legitimate software accessing browser data for synchronization or backup purposes.
- Legitimate software installed on partitions other than "C:\"
level: low
title: External Disk Drive Or USB Storage Device Was Recognized By The System
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
status: test
description: Detects external disk drives or plugged-in USB devices.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
author: Keith Wright
date: 2019-11-20
modified: 2024-02-09
tags:
- attack.t1091
- attack.t1200
- attack.lateral-movement
- attack.initial-access
logsource:
product: windows
service: security
detection:
selection_eid:
EventID: 6416
selection_field:
- ClassName: 'DiskDrive'
- DeviceDescription: 'USB Mass Storage Device'
condition: all of selection_*
falsepositives:
- Likely
level: low