Starting with Windows 10 and Windows Server 2016 you can generate audit events whenever files are written to a removable drive by enabling auditing for the Removable Storage audit subcategory of the Object Access audit category. This will result in 4663 events being generated whenever files are being copied a USB stick.
1. Review & Adjust Auditing
To determine whether removable storage access is being audited, run the following command in an elevated command prompt to see whether "Removable Storage" is set to "Success and Failure" (at least "Success"). If it is then auditing is already enabled, otherwise auditing will need to be adjusted accordingly (ideally via GPO).
AuditPol.exe /get /category:"Object Access"
This audit setting can be found at:
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Advanced Audit Policy Configuration
|_ System Audit Policies
|_ Object Access
|_ "Audit Removable Storage" with "Success" selected.
AuditPol Output example.
See this article on instructions on how to adjust your audit settings.
2. Registry Adjustments
Note: Attached bellow you will find a Windows Batch File that will help to set the correct registry and check the audit policy. The script is also available at GitHub.
Newer Windows 10 builds require a registry value to be present before removable storage auditing is active, as such we recommend simply creating the necessary registry value on all Windows 10 machines:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage, HotPlugSecureOpen = 1 (REG_DWORD)
Unfortunately a reboot is required for this change to become effective. You can either create this values manually (ouch), set it via a GPO or use the EventSentry Admin Assistant.
If step 1 & 2 were implemented correctly on a supported platform, then you should see 4663 events being generated on the host where files are being copied to a USB drive.
3. EventSentry configuration
a) Create a new event log package (if necessary), assign it accordingly. You can use dynamic package assignments to have the package only apply to workstations.
b) Create a new include filter in the event log that looks for 4663 events that with the Removable Storage category as shown in the screenshot below. It's also recommended to filter out read access by only including events that list WriteData or AppendData in the "Accessess" field.
c) If the event is forwarded to an email action then it's recommended to apply a threshold to the filter to prevent too many events from being forwarded to the recipient(s).
EventLog Package configuration.
Removable Drive Audit.
Windows Batch File to set registry key and check audit policy: