Detect Data from Removable Media in Sumo Logic CSE
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to exfiltration. Threat actors including APT28, Gamaredon Group, and OilRig have leveraged this technique. Malware families such as USBStealer, GravityRAT, Rover, Crimson, Crutch, and BADNEWS implement automated USB harvesting — copying files matching predefined extension lists (documents, credentials, archives) to staging directories for later exfiltration.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1025 Data from Removable Media
- Canonical reference
- https://attack.mitre.org/techniques/T1025/
Sumo Detection Query
_sourceCategory="windows/sysmon" earliest=-1h
| where EventID in ("11", "1")
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
| parse field=_raw "<Data Name='ProcessGuid'>*</Data>" as ProcessGuid nodrop
| eval FilePath = if(!isNull(TargetFilename), TargetFilename, CommandLine)
| where matches(FilePath, "(?i)^[D-Z]:\\\\")
| eval FileExt = toLower(replace(TargetFilename, ".*\\.([^.]+)$", ".\$1"))
| eval IsSensitiveExt = if(matches(FileExt, "\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|kdbx|pfx|pem|key|p12|zip|rar|7z|bak|sql|db|sqlite|conf|config|xml|json)$"), 1, 0)
| eval IsSuspiciousProcess = if(matches(toLower(Image), "(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|python|xcopy|robocopy|forfiles)"), 1, 0)
| eval DetectionType = if(EventID == "11" && IsSensitiveExt == 1, "SensitiveFileOnRemovableMedia",
if(EventID == "1" && IsSuspiciousProcess == 1, "SuspiciousProcessRemovableAccess", "RemovableMediaAccess"))
| stats
count as TotalEvents,
dcount(TargetFilename) as UniqueFiles,
values(FileExt) as Extensions,
values(Image) as Processes,
min(_messageTime) as FirstSeen,
max(_messageTime) as LastSeen
by Computer, User, DetectionType, ProcessGuid
| where UniqueFiles >= 5 or DetectionType = "SuspiciousProcessRemovableAccess"
| eval Severity = if(UniqueFiles >= 100, "Critical",
if(UniqueFiles >= 50, "High",
if(UniqueFiles >= 20, "Medium", "Low")))
| fields FirstSeen, LastSeen, Computer, User, DetectionType, Processes, UniqueFiles, Extensions, Severity
| sort by UniqueFiles descSumo Logic query for T1025 detection using Windows Sysmon logs. Parses EventID 11 (FileCreate) for sensitive file extensions on removable drive letters (D-Z) and EventID 1 (ProcessCreate) for suspicious processes referencing removable paths. Aggregates by host/user/process with thresholds matching the reference KQL/SPL detections.
Data Sources
Required Tables
False Positives & Tuning
- Backup software (Veeam, Acronis) writing to attached USB storage
- IT helpdesk using portable tools on USB drives
- Users legitimately exporting documents to USB for offline work
- Scripted conference room or kiosk USB setup processes
Other platforms for T1025
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk File Collection from USB Drive via PowerShell Copy-Item
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ChildItem', 'Copy-Item', and the fake USB path. Sysmon Event ID 11: File Create events for each copied file in the staging directory. DeviceFileEvents: multiple FileRead and FileCreated entries for the extension sweep. DeviceProcessEvents: PowerShell process with copy pipeline command line.
- Test 2Removable Media Enumeration via CMD dir and xcopy
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe and xcopy.exe with command lines showing the target path. Sysmon Event ID 11: File Create events for each file copied to usb_collect. Security Event ID 4688 (with command line auditing enabled) for cmd.exe and xcopy.exe. DeviceFileEvents: xcopy.exe performing FileRead on source and FileCreated on destination.
- Test 3Credential File Targeted Collection from Removable Media
Expected signal: Sysmon Event ID 1: PowerShell process with Get-ChildItem filtering .kdbx/.pfx/.key extensions and Copy-Item to staging. Sysmon Event ID 11: File Create events for .kdbx, .pfx, id_rsa, .key in the staging directory. DeviceFileEvents: FileRead on credential-extension files. The credential-targeted hunting query will match immediately on file extensions.
- Test 4Robocopy Mirroring of Removable Media to Network Share
Expected signal: Sysmon Event ID 1: Process Create for robocopy.exe with source path, destination path, /E /COPYALL flags. Sysmon Event ID 11: File Create events for all mirrored files in staging directory. Sysmon Event ID 11: Log file creation (%TEMP%\robocopy_collection.log). DeviceFileEvents: robocopy.exe FileRead from source and FileCreated at destination.
References (10)
- https://attack.mitre.org/techniques/T1025/
- https://www.welivesecurity.com/2014/11/21/win32-usbstealer-usb-based-espionage-tool/
- https://www.kaspersky.com/blog/kaspersky-security-bulletin-2014-apt-predictions/7105/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reborn/
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-shamoon-2/
- https://blog.talosintelligence.com/gravityrat-two-years-of-evolution/
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
- https://securelist.com/project-sauron-remsec/75533/
- https://www.trendmicro.com/en_us/research/17/l/patchwork-continues-deliver-badnews-indian-subcontinent.html
Unlock Pro Content
Get the full detection package for T1025 including response playbook, investigation guide, and atomic red team tests.