漏洞描述
Checks if USB storage devices are allowed, potentially introducing security risks through external devices.
usb-storage-not-restricted: USB Storage Devices Not Restricted
PoC代码[已公开]
id: usb-storage-not-restricted
info:
name: USB Storage Devices Not Restricted
author: princechaddha
severity: medium
description: Checks if USB storage devices are allowed, potentially introducing security risks through external devices.
impact: |
Allowing unrestricted USB storage access increases the risk of data exfiltration or malware introduction via external devices.
remediation: |
Restrict the use of USB storage devices to protect the system from external threats.
tags: windows,usb,storage,code,windows-audit
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start'
matchers:
- type: word
words:
- "Start : 4"
# digest: 490a00463044022037141ee14d19a1478cef9c5524525a2161230c3d7f40304c08f2818b8d99b7300220664185ef545ed01934051ae565ff212bfaea34c83af057872ef316a3b00de439:922c64590222798bb761d5b6d8e72950