T1025 Microsoft Sentinel · KQL

Detect Data from Removable Media in Microsoft Sentinel

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to exfiltration. Threat actors including APT28, Gamaredon Group, and OilRig have leveraged this technique. Malware families such as USBStealer, GravityRAT, Rover, Crimson, Crutch, and BADNEWS implement automated USB harvesting — copying files matching predefined extension lists (documents, credentials, archives) to staging directories for later exfiltration.

MITRE ATT&CK

Tactic: Collection
Technique: T1025 Data from Removable Media
Canonical reference: https://attack.mitre.org/techniques/T1025/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let SensitiveExtensions = dynamic([".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx",
  ".txt", ".csv", ".kdbx", ".pfx", ".pem", ".key", ".p12", ".zip", ".rar", ".7z",
  ".bak", ".sql", ".db", ".sqlite", ".conf", ".config", ".xml", ".json"]);
let LookbackWindow = 1h;
let BulkAccessThreshold = 20;
// Branch 1: Bulk file reads from removable media paths
let BulkRemovableAccess =
DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType in ("FileRead", "FileCopied", "FileCreated")
| where FolderPath matches regex @"(?i)^[D-Z]:\\"
| where not(FolderPath has_any ("C:\\Windows", "C:\\Program Files", "C:\\ProgramData", "C:\\Users"))
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| extend FullExt = strcat(".", FileExt)
| where FullExt in (SensitiveExtensions)
| summarize
    FileCount = count(),
    UniqueExtensions = dcount(FileExt),
    FileList = make_set(FileName, 10),
    FolderList = make_set(FolderPath, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount >= BulkAccessThreshold
| extend DetectionType = "BulkRemovableMediaAccess"
| extend RiskScore = case(
    FileCount >= 100, "Critical",
    FileCount >= 50, "High",
    FileCount >= 20, "Medium",
    "Low");
// Branch 2: Suspicious process accessing removable media paths
let SuspiciousRemovableProcessAccess =
DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType in ("FileRead", "FileCopied", "FileCreated")
| where FolderPath matches regex @"(?i)^[D-Z]:\\"
| where not(FolderPath has_any ("C:\\Windows", "C:\\Program Files", "C:\\ProgramData", "C:\\Users"))
| where InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "python.exe", "python3.exe",
    "xcopy.exe", "robocopy.exe", "forfiles.exe"
    )
    or InitiatingProcessCommandLine has_any ("xcopy", "robocopy", "copy", "Get-ChildItem", "Copy-Item", "dir ")
| summarize
    FileCount = count(),
    FileList = make_set(FileName, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount >= 5
| extend DetectionType = "SuspiciousProcessRemovableAccess"
| extend RiskScore = "High";
// Union results
BulkRemovableAccess
| project Timestamp=LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, FileCount, FileList, FolderList, DetectionType, RiskScore
| union (
    SuspiciousRemovableProcessAccess
    | project Timestamp=LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
        InitiatingProcessCommandLine, FileCount, FileList, FolderList=dynamic([]), DetectionType, RiskScore
)
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects data collection from removable media using DeviceFileEvents. Two detection branches: (1) bulk file reads of sensitive extensions from non-C: drive paths meeting a threshold of 20+ files within 1 hour, with risk scoring based on volume; (2) suspicious scripting and copy-utility processes (PowerShell, robocopy, xcopy, forfiles) accessing non-C: drive paths. The drive-letter heuristic (D-Z) targets removable/external media while excluding the system drive. The sensitive-extension list covers documents, credentials, databases, archives, and configuration files commonly targeted by USB stealers.

Data Sources

  • File: File Access
  • File: File Read
  • Microsoft Defender for Endpoint
  • Process: Process Creation

Required Tables

DeviceFileEvents

False Positives & Tuning

  • Legitimate backup software (Acronis, Veeam, Windows Backup) reading files from external USB drives or backup volumes assigned non-C: drive letters
  • Software developers or IT staff intentionally copying project files from USB drives for deployment or archiving
  • CD/DVD optical drives assigned D: or E: letters accessed for legitimate software installation or media playback
  • Secondary internal hard drives or partitions assigned drive letters in the D-Z range during normal file access or synchronization
  • Automated DLP (Data Loss Prevention) agents that perform file scanning on all connected drives as part of policy enforcement

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Bulk File Collection from USB Drive via PowerShell Copy-Item

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ChildItem', 'Copy-Item', and the fake USB path. Sysmon Event ID 11: File Create events for each copied file in the staging directory. DeviceFileEvents: multiple FileRead and FileCreated entries for the extension sweep. DeviceProcessEvents: PowerShell process with copy pipeline command line.

  2. Test 2: Removable Media Enumeration via CMD dir and xcopy

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe and xcopy.exe with command lines showing the target path. Sysmon Event ID 11: File Create events for each file copied to usb_collect. Security Event ID 4688 (with command line auditing enabled) for cmd.exe and xcopy.exe. DeviceFileEvents: xcopy.exe performing FileRead on source and FileCreated on destination.

  3. Test 3: Credential File Targeted Collection from Removable Media

    Expected signal: Sysmon Event ID 1: PowerShell process with Get-ChildItem filtering .kdbx/.pfx/.key extensions and Copy-Item to staging. Sysmon Event ID 11: File Create events for .kdbx, .pfx, id_rsa, .key in the staging directory. DeviceFileEvents: FileRead on credential-extension files. The credential-targeted hunting query will match immediately on file extensions.

  4. Test 4: Robocopy Mirroring of Removable Media to Network Share

    Expected signal: Sysmon Event ID 1: Process Create for robocopy.exe with source path, destination path, /E /COPYALL flags. Sysmon Event ID 11: File Create events for all mirrored files in staging directory. Sysmon Event ID 11: Log file creation (%TEMP%\robocopy_collection.log). DeviceFileEvents: robocopy.exe FileRead from source and FileCreated at destination.
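To see how the two branches of the KQL rule above and the Test 1 scenario from the Testing Methodology fit together on concrete records, here is an added Python re-implementation of the rule's logic (not the page's KQL and not Sentinel or Atomic Red Team code) run over constructed DeviceFileEvents-style records: a PowerShell Copy-Item sweep of 25 documents on E:, 30 benign Explorer photo reads, and the same copy on C:\Users. Field names follow the DeviceFileEvents columns the rule uses, the 1h lookback is assumed already applied to the input, and every record is constructed.

```python
import re
from collections import defaultdict

# Constants mirror the let statements in the KQL rule
SENSITIVE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt", ".csv",
                 ".kdbx", ".pfx", ".pem", ".key", ".p12", ".zip", ".rar", ".7z", ".bak",
                 ".sql", ".db", ".sqlite", ".conf", ".config", ".xml", ".json"}
SUSPICIOUS_PROCS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                    "rundll32.exe", "python.exe", "python3.exe", "xcopy.exe", "robocopy.exe", "forfiles.exe"}
CMD_TERMS = ("xcopy", "robocopy", "copy", "get-childitem", "copy-item", "dir ")
REMOVABLE_PATH = re.compile(r"^[D-Z]:\\", re.IGNORECASE)   # same drive-letter heuristic as the rule
ACTIONS = {"FileRead", "FileCopied", "FileCreated"}

def risk_score(n):
    """Volume-based score with the same thresholds as the case() expression in Branch 1."""
    return "Critical" if n >= 100 else "High" if n >= 50 else "Medium" if n >= 20 else "Low"

def detect(events, bulk_threshold=20, proc_threshold=5):
    """Run both branches over DeviceFileEvents-like dicts (1h lookback assumed pre-applied)."""
    bulk, proc = defaultdict(list), defaultdict(list)
    for e in events:
        if e["ActionType"] not in ACTIONS or not REMOVABLE_PATH.match(e["FolderPath"]):
            continue  # system drive and non-access actions never count in either branch
        key = (e["DeviceName"], e["AccountName"], e["InitiatingProcessFileName"], e["InitiatingProcessCommandLine"])
        ext = "." + e["FileName"].rsplit(".", 1)[-1].lower()   # split(FileName, ".")[-1] in the KQL
        if ext in SENSITIVE_EXT:
            bulk[key].append(e["FileName"])
        cmd = e["InitiatingProcessCommandLine"].lower()
        if e["InitiatingProcessFileName"].lower() in SUSPICIOUS_PROCS or any(t in cmd for t in CMD_TERMS):
            proc[key].append(e["FileName"])
    alerts = [{"DetectionType": "BulkRemovableMediaAccess", "Process": k[2], "FileCount": len(f),
               "RiskScore": risk_score(len(f))} for k, f in bulk.items() if len(f) >= bulk_threshold]
    alerts += [{"DetectionType": "SuspiciousProcessRemovableAccess", "Process": k[2], "FileCount": len(f),
                "RiskScore": "High"} for k, f in proc.items() if len(f) >= proc_threshold]
    return alerts

def sample_events():
    """Constructed records, not real telemetry: one Test-1-style sweep plus two sets that must not fire."""
    base = {"DeviceName": "WS01", "AccountName": "alice", "ActionType": "FileRead"}
    ps = "powershell -c Get-ChildItem E:\\ -Recurse | Copy-Item -Destination C:\\Temp\\stage"
    evs = [{**base, "FolderPath": "E:\\Reports\\", "FileName": f"q{i}.docx",
            "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessCommandLine": ps} for i in range(25)]
    # Explorer browsing 30 photos on the same stick: extension not sensitive, process not suspicious
    evs += [{**base, "FolderPath": "E:\\DCIM\\", "FileName": f"img{i}.jpg",
             "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessCommandLine": "explorer.exe"} for i in range(30)]
    # The same PowerShell copy under C:\Users: the drive-letter filter drops it before either branch
    evs += [{**base, "FolderPath": "C:\\Users\\alice\\", "FileName": f"n{i}.pdf",
             "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessCommandLine": ps} for i in range(25)]
    return evs
```

Running `detect(sample_events())` yields exactly two alerts for the PowerShell sweep, a Medium bulk-access hit (25 files) and a High suspicious-process hit, while the Explorer and C: records produce nothing.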
