Detect Data from Removable Media in CrowdStrike LogScale
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to exfiltration. Threat actors including APT28, Gamaredon Group, and OilRig have leveraged this technique. Malware families such as USBStealer, GravityRAT, Rover, Crimson, Crutch, and BADNEWS implement automated USB harvesting — copying files matching predefined extension lists (documents, credentials, archives) to staging directories for later exfiltration.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1025 Data from Removable Media
- Canonical reference
- https://attack.mitre.org/techniques/T1025/
LogScale Detection Query
// Branch 1: Bulk sensitive file writes to removable media
#event_simpleName = "PeNewExecutableWritten" OR #event_simpleName = "NewExecutableWritten" OR #event_simpleName = "MotionFileStat"
| TargetDirectoryName = /(?i)^[D-Z]:\\/
| TargetDirectoryName != /(?i)^C:\\/
| TargetFileName = /\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|kdbx|pfx|pem|key|p12|zip|rar|7z|bak|sql|db|sqlite|conf|config|xml|json)$/i
| groupBy([ComputerName, UserName, FileName], function=[
count(aid, as=EventCount),
collect(TargetFileName, limit=10, as=FileList),
collect(TargetDirectoryName, limit=5, as=FolderList),
min(@timestamp, as=FirstSeen),
max(@timestamp, as=LastSeen)
])
| EventCount >= 20
| eval Severity = if(EventCount >= 100, "Critical",
if(EventCount >= 50, "High",
if(EventCount >= 20, "Medium", "Low")))
| eval DetectionType = "BulkRemovableMediaAccess"
// Branch 2: Suspicious process accessing removable media
// Run separately or union
#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)[D-Z]:\\/
| CommandLine != /(?i)C:\\/
| FileName = /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|python|xcopy|robocopy|forfiles)\.exe$/
| groupBy([ComputerName, UserName, FileName, CommandLine], function=[
count(aid, as=EventCount),
min(@timestamp, as=FirstSeen),
max(@timestamp, as=LastSeen)
])
| EventCount >= 1
| eval DetectionType = "SuspiciousProcessRemovableAccess"
| eval Severity = "High"CrowdStrike LogScale (Falcon) CQL query detecting T1025 data collection from removable media. Branch 1 detects bulk writes of sensitive file types to non-C drive paths using file write events, aggregating by host/user with a 20+ event threshold. Branch 2 detects known suspicious processes (PowerShell, cmd, xcopy, robocopy, etc.) with command lines referencing removable drive letters via ProcessRollup2 events.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon's own USB quarantine or scanning processes writing to removable drives
- IT endpoint management tools (SCCM, Intune) deploying via USB media
- Legitimate user file transfers to USB drives for data portability
- Automated kiosk or conference room systems using USB-based content delivery
Other platforms for T1025
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk File Collection from USB Drive via PowerShell Copy-Item
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ChildItem', 'Copy-Item', and the fake USB path. Sysmon Event ID 11: File Create events for each copied file in the staging directory. DeviceFileEvents: multiple FileRead and FileCreated entries for the extension sweep. DeviceProcessEvents: PowerShell process with copy pipeline command line.
- Test 2Removable Media Enumeration via CMD dir and xcopy
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe and xcopy.exe with command lines showing the target path. Sysmon Event ID 11: File Create events for each file copied to usb_collect. Security Event ID 4688 (with command line auditing enabled) for cmd.exe and xcopy.exe. DeviceFileEvents: xcopy.exe performing FileRead on source and FileCreated on destination.
- Test 3Credential File Targeted Collection from Removable Media
Expected signal: Sysmon Event ID 1: PowerShell process with Get-ChildItem filtering .kdbx/.pfx/.key extensions and Copy-Item to staging. Sysmon Event ID 11: File Create events for .kdbx, .pfx, id_rsa, .key in the staging directory. DeviceFileEvents: FileRead on credential-extension files. The credential-targeted hunting query will match immediately on file extensions.
- Test 4Robocopy Mirroring of Removable Media to Network Share
Expected signal: Sysmon Event ID 1: Process Create for robocopy.exe with source path, destination path, /E /COPYALL flags. Sysmon Event ID 11: File Create events for all mirrored files in staging directory. Sysmon Event ID 11: Log file creation (%TEMP%\robocopy_collection.log). DeviceFileEvents: robocopy.exe FileRead from source and FileCreated at destination.
References (10)
- https://attack.mitre.org/techniques/T1025/
- https://www.welivesecurity.com/2014/11/21/win32-usbstealer-usb-based-espionage-tool/
- https://www.kaspersky.com/blog/kaspersky-security-bulletin-2014-apt-predictions/7105/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reborn/
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-shamoon-2/
- https://blog.talosintelligence.com/gravityrat-two-years-of-evolution/
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
- https://securelist.com/project-sauron-remsec/75533/
- https://www.trendmicro.com/en_us/research/17/l/patchwork-continues-deliver-badnews-indian-subcontinent.html
Unlock Pro Content
Get the full detection package for T1025 including response playbook, investigation guide, and atomic red team tests.