Description: USB audit.
What The Data Shows: Query to collect the friendly name, serial number, and registry key last modified time for all USB storage devices that have been attached to an endpoint.
SQL:
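-- r1: entries under each USBSTOR device key (the entry name is the serial number)
-- r2: the FriendlyName value stored inside that device instance key
SELECT r2.data AS "Friendly Name", r1.name AS "Serial Number",
-- mtime is a Unix epoch; render it in the endpoint's local time
DATETIME(r2.mtime, 'unixepoch', 'localtime') AS "Key Last Modified"
FROM registry r1
JOIN registry r2 ON r1.path = r2.key
WHERE r1.key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\%'
AND r2.name = 'FriendlyName';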
#CarbonBlack #IncidentResponse #HelpDeskOperations #ITHygiene #Compliance #Windows