T1025 Data from Removable Media Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SensitiveExtensions = dynamic([".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx",
  ".txt", ".csv", ".kdbx", ".pfx", ".pem", ".key", ".p12", ".zip", ".rar", ".7z",
  ".bak", ".sql", ".db", ".sqlite", ".conf", ".config", ".xml", ".json"]);
let LookbackWindow = 1h;
let BulkAccessThreshold = 20;
// Branch 1: Bulk file reads from removable media paths
let BulkRemovableAccess =
DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType in ("FileRead", "FileCopied", "FileCreated")
| where FolderPath matches regex @"(?i)^[D-Z]:\\"
| where not(FolderPath has_any ("C:\\Windows", "C:\\Program Files", "C:\\ProgramData", "C:\\Users"))
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| extend FullExt = strcat(".", FileExt)
| where FullExt in (SensitiveExtensions)
| summarize
    FileCount = count(),
    UniqueExtensions = dcount(FileExt),
    FileList = make_set(FileName, 10),
    FolderList = make_set(FolderPath, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount >= BulkAccessThreshold
| extend DetectionType = "BulkRemovableMediaAccess"
| extend RiskScore = case(
    FileCount >= 100, "Critical",
    FileCount >= 50, "High",
    FileCount >= 20, "Medium",
    "Low");
// Branch 2: Suspicious process accessing removable media paths
let SuspiciousRemovableProcessAccess =
DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType in ("FileRead", "FileCopied", "FileCreated")
| where FolderPath matches regex @"(?i)^[D-Z]:\\"
| where not(FolderPath has_any ("C:\\Windows", "C:\\Program Files", "C:\\ProgramData", "C:\\Users"))
| where InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "python.exe", "python3.exe",
    "xcopy.exe", "robocopy.exe", "forfiles.exe"
    )
    or InitiatingProcessCommandLine has_any ("xcopy", "robocopy", "copy", "Get-ChildItem", "Copy-Item", "dir ")
| summarize
    FileCount = count(),
    FileList = make_set(FileName, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount >= 5
| extend DetectionType = "SuspiciousProcessRemovableAccess"
| extend RiskScore = "High";
// Union results
BulkRemovableAccess
| project Timestamp=LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, FileCount, FileList, FolderList, DetectionType, RiskScore
| union (
    SuspiciousRemovableProcessAccess
    | project Timestamp=LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
        InitiatingProcessCommandLine, FileCount, FileList, FolderList=dynamic([]), DetectionType, RiskScore
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Access File: File Read Microsoft Defender for Endpoint Process: Process Creation

Required Tables

DeviceFileEvents

False Positives

Legitimate backup software (Acronis, Veeam, Windows Backup) reading files from external USB drives or backup volumes assigned non-C: drive letters
Software developers or IT staff intentionally copying project files from USB drives for deployment or archiving
CD/DVD optical drives assigned D: or E: letters accessed for legitimate software installation or media playback
Secondary internal hard drives or partitions assigned drive letters in the D-Z range during normal file access or synchronization
Automated DLP (Data Loss Prevention) agents that perform file scanning on all connected drives as part of policy enforcement

Splunk

spl

index=wineventlog earliest=-1h
(
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11)
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
)
| eval DriveLetter=upper(substr(coalesce(TargetFilename, CommandLine), 1, 2))
| eval IsRemovablePath=if(match(coalesce(TargetFilename, CommandLine), "(?i)^[D-Z]:\\\\"), 1, 0)
| where IsRemovablePath=1
| eval FileExt=lower(replace(coalesce(TargetFilename,""), ".*\.([^.]+)$", ".\1"))
| eval IsSensitiveExt=if(match(FileExt, "\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|kdbx|pfx|pem|key|p12|zip|rar|7z|bak|sql|db|sqlite|conf|config|xml|json)$"), 1, 0)
| eval IsSuspiciousProcess=if(match(lower(coalesce(Image, ParentImage, "")), "(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|python|xcopy|robocopy|forfiles)"), 1, 0)
| eval EventType=case(EventCode="11" AND IsSensitiveExt=1, "SensitiveFileOnRemovableMedia",
                     EventCode="1" AND IsSuspiciousProcess=1, "SuspiciousProcessAccessingRemovableMedia",
                     true(), "RemovableMediaAccess")
| stats
    count as EventCount,
    dc(TargetFilename) as UniqueFiles,
    values(FileExt) as Extensions,
    values(Image) as Processes,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, User, DriveLetter, EventType, ProcessGuid
| eval BulkAccess=if(UniqueFiles >= 20, 1, 0)
| eval SuspiciousScore=BulkAccess + IsSuspiciousProcess
| where UniqueFiles >= 5 OR EventType="SuspiciousProcessAccessingRemovableMedia"
| eval Severity=case(UniqueFiles >= 100, "Critical", UniqueFiles >= 50, "High", UniqueFiles >= 20, "Medium", true(), "Low")
| table FirstSeen, host, User, DriveLetter, EventType, Processes, UniqueFiles, Extensions, Severity
| sort - UniqueFiles

high severity medium confidence

Data Sources

File: File Access Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup agents scanning external USB drives as part of scheduled backup jobs
IT staff copying files from USB drives during provisioning, software installation, or data migration
Secondary internal drive volumes assigned non-C: letters accessed during normal file operations
Optical drive media installations (D:) triggering on software EXE/MSI file reads during installs
DLP or endpoint security agents performing file scanning on newly inserted removable media

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=1h
  [file where event.action in ("creation", "overwrite", "rename") and
   file.drive_letter != null and
   file.drive_letter != "C" and
   file.extension in ("doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "kdbx", "pfx", "pem", "key", "p12", "zip", "rar", "7z", "bak", "sql", "db", "sqlite", "conf", "config", "xml", "json")] with runs=20

OR

sequence by host.name, user.name with maxspan=5m
  [process where event.type == "start" and
   process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "python.exe", "xcopy.exe", "robocopy.exe", "forfiles.exe") and
   (
     process.args : ("[D-Z]:\\*") or
     process.command_line : ("*xcopy*", "*robocopy*", "*Copy-Item*", "*Get-ChildItem*")
   )]
  [file where event.action in ("creation", "overwrite") and
   file.drive_letter != null and
   file.drive_letter != "C" and
   file.extension in ("doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "kdbx", "pfx", "pem", "key", "p12", "zip", "rar", "7z", "bak", "sql", "db", "sqlite", "conf", "config", "xml", "json")] with runs=5

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent with file monitoring Windows file auditing via Elastic Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Backup software legitimately copying documents to external USB drives
IT administrators using robocopy/xcopy for data migration to removable storage
End users deliberately saving work files to USB drives for transport
Automated document management systems archiving to removable media

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS UserName,
  "filename" AS FileName,
  "filepath" AS FilePath,
  QIDNAME(qid) AS EventName,
  logsourceid AS LogSourceID,
  COUNT(*) AS EventCount,
  COUNT(DISTINCT "filename") AS UniqueFiles
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 253)
  AND starttime > NOW() - 3600000
  AND (
    -- Sysmon EventID 11: FileCreate on removable drive
    ("EventID" = '11'
     AND REGEXP_MATCHES(COALESCE("TargetFilename", ""), '(?i)^[D-Z]:\\\\')
     AND REGEXP_MATCHES(LOWER(COALESCE("TargetFilename", "")), '\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|kdbx|pfx|pem|key|p12|zip|rar|7z|bak|sql|db|sqlite|conf|config|xml|json)$')
    )
    OR
    -- Sysmon EventID 1: Process create with suspicious CLI referencing removable drive
    ("EventID" = '1'
     AND REGEXP_MATCHES(LOWER(COALESCE("Image", "")), '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|python|xcopy|robocopy|forfiles)')
     AND REGEXP_MATCHES(COALESCE("CommandLine", ""), '(?i)[D-Z]:\\\\')
    )
  )
GROUP BY
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss'),
  sourceip,
  username,
  "filename",
  "filepath",
  QIDNAME(qid),
  logsourceid
HAVING UniqueFiles >= 5
ORDER BY UniqueFiles DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via QRadar WinCollect agent Microsoft Windows Sysmon log source (LOGSOURCETYPEID 253)

Required Tables

events

False Positives

Legitimate backup tools writing to external drives (e.g. Windows Backup, Acronis)
Scripted IT processes using xcopy/robocopy for USB-based deployment
End users running PowerShell scripts to export reports to USB
Portable application launchers that run from USB drives

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" earliest=-1h
| where EventID in ("11", "1")
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
| parse field=_raw "<Data Name='ProcessGuid'>*</Data>" as ProcessGuid nodrop
| eval FilePath = if(!isNull(TargetFilename), TargetFilename, CommandLine)
| where matches(FilePath, "(?i)^[D-Z]:\\\\")
| eval FileExt = toLower(replace(TargetFilename, ".*\\.([^.]+)$", ".\$1"))
| eval IsSensitiveExt = if(matches(FileExt, "\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|kdbx|pfx|pem|key|p12|zip|rar|7z|bak|sql|db|sqlite|conf|config|xml|json)$"), 1, 0)
| eval IsSuspiciousProcess = if(matches(toLower(Image), "(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|python|xcopy|robocopy|forfiles)"), 1, 0)
| eval DetectionType = if(EventID == "11" && IsSensitiveExt == 1, "SensitiveFileOnRemovableMedia",
    if(EventID == "1" && IsSuspiciousProcess == 1, "SuspiciousProcessRemovableAccess", "RemovableMediaAccess"))
| stats
    count as TotalEvents,
    dcount(TargetFilename) as UniqueFiles,
    values(FileExt) as Extensions,
    values(Image) as Processes,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
    by Computer, User, DetectionType, ProcessGuid
| where UniqueFiles >= 5 or DetectionType = "SuspiciousProcessRemovableAccess"
| eval Severity = if(UniqueFiles >= 100, "Critical",
    if(UniqueFiles >= 50, "High",
    if(UniqueFiles >= 20, "Medium", "Low")))
| fields FirstSeen, LastSeen, Computer, User, DetectionType, Processes, UniqueFiles, Extensions, Severity
| sort by UniqueFiles desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon logs (sourceCategory windows/sysmon) Sumo Logic Installed Collector on Windows endpoints

Required Tables

Sysmon operational log events

False Positives

Backup software (Veeam, Acronis) writing to attached USB storage
IT helpdesk using portable tools on USB drives
Users legitimately exporting documents to USB for offline work
Scripted conference room or kiosk USB setup processes

Google Chronicle / SecOps

yaral

rule t1025_data_from_removable_media {
  meta:
    author = "Detection Engineering"
    description = "Detects bulk access to sensitive files on removable media drives consistent with T1025 — adversary data collection from USB/optical media."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1025"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    // Branch 1: Sensitive file created/modified on removable drive
    $e1.metadata.event_type = "FILE_CREATION"
    $e1.target.file.full_path = /(?i)^[D-Z]:\\/
    $e1.target.file.full_path != /(?i)^C:\\/
    (
      $e1.target.file.full_path = /\.doc$/
      or $e1.target.file.full_path = /\.docx$/
      or $e1.target.file.full_path = /\.xls$/
      or $e1.target.file.full_path = /\.xlsx$/
      or $e1.target.file.full_path = /\.pdf$/
      or $e1.target.file.full_path = /\.ppt$/
      or $e1.target.file.full_path = /\.pptx$/
      or $e1.target.file.full_path = /\.txt$/
      or $e1.target.file.full_path = /\.csv$/
      or $e1.target.file.full_path = /\.kdbx$/
      or $e1.target.file.full_path = /\.pfx$/
      or $e1.target.file.full_path = /\.pem$/
      or $e1.target.file.full_path = /\.key$/
      or $e1.target.file.full_path = /\.p12$/
      or $e1.target.file.full_path = /\.zip$/
      or $e1.target.file.full_path = /\.rar$/
      or $e1.target.file.full_path = /\.7z$/
      or $e1.target.file.full_path = /\.bak$/
      or $e1.target.file.full_path = /\.sql$/
      or $e1.target.file.full_path = /\.db$/
      or $e1.target.file.full_path = /\.sqlite$/
      or $e1.target.file.full_path = /\.conf$/
      or $e1.target.file.full_path = /\.config$/
      or $e1.target.file.full_path = /\.xml$/
      or $e1.target.file.full_path = /\.json$/
    )
    $e1.principal.hostname = $hostname
    $e1.principal.user.userid = $user

  match:
    $hostname, $user over 1h

  outcome:
    $event_count = count_distinct($e1.target.file.full_path)
    $file_paths = array_distinct($e1.target.file.full_path)
    $initiating_process = array_distinct($e1.principal.process.file.full_path)
    $risk_score = if($event_count >= 100, 95,
      if($event_count >= 50, 75,
      if($event_count >= 20, 50, 25)))

  condition:
    #e1 >= 20
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Google Workspace/Chronicle Unified Data Model (UDM) Windows endpoint telemetry forwarded to Chronicle CrowdStrike Falcon or Carbon Black endpoint agents sending to Chronicle

Required Tables

UDM Events (FILE_CREATION, PROCESS_LAUNCH)

False Positives

Automated backup jobs writing to network-attached or USB storage appearing as removable drives
Software installers that extract files to temporary USB-based staging areas
Corporate imaging tools writing OS packages to USB deployment drives
Users bulk-exporting documents to portable drives before travel

CrowdStrike LogScale (CQL)

cql

// Branch 1: Bulk sensitive file writes to removable media
#event_simpleName = "PeNewExecutableWritten" OR #event_simpleName = "NewExecutableWritten" OR #event_simpleName = "MotionFileStat"
| TargetDirectoryName = /(?i)^[D-Z]:\\/
| TargetDirectoryName != /(?i)^C:\\/
| TargetFileName = /\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|kdbx|pfx|pem|key|p12|zip|rar|7z|bak|sql|db|sqlite|conf|config|xml|json)$/i
| groupBy([ComputerName, UserName, FileName], function=[
    count(aid, as=EventCount),
    collect(TargetFileName, limit=10, as=FileList),
    collect(TargetDirectoryName, limit=5, as=FolderList),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| EventCount >= 20
| eval Severity = if(EventCount >= 100, "Critical",
    if(EventCount >= 50, "High",
    if(EventCount >= 20, "Medium", "Low")))
| eval DetectionType = "BulkRemovableMediaAccess"

// Branch 2: Suspicious process accessing removable media
// Run separately or union
#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)[D-Z]:\\/
| CommandLine != /(?i)C:\\/
| FileName = /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|python|xcopy|robocopy|forfiles)\.exe$/
| groupBy([ComputerName, UserName, FileName, CommandLine], function=[
    count(aid, as=EventCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| EventCount >= 1
| eval DetectionType = "SuspiciousProcessRemovableAccess"
| eval Severity = "High"

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio) Falcon Insight XDR endpoint telemetry

Required Tables

ProcessRollup2 PeNewExecutableWritten NewExecutableWritten MotionFileStat

False Positives

CrowdStrike Falcon's own USB quarantine or scanning processes writing to removable drives
IT endpoint management tools (SCCM, Intune) deploying via USB media
Legitimate user file transfers to USB drives for data portability
Automated kiosk or conference room systems using USB-based content delivery

Data from Removable Media

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections