T1052 Exfiltration Over Physical Medium Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SensitiveExtensions = dynamic(["zip", "rar", "7z", "tar", "gz", "docx", "doc", "xlsx", "xls", "pdf", "pst", "ost", "db", "sql", "bak", "key", "pfx", "p12", "rdp", "kdbx", "csv", "json", "xml", "eml", "mdb", "accdb"]);
// Detect USB/removable media mount events in MDE
let UsbMountEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "UsbDriveMounted"
| extend DriveLetter = toupper(tostring(parse_json(AdditionalFields).DriveLetter))
| extend SerialNumber = tostring(parse_json(AdditionalFields).SerialNumber)
| project MountTime=Timestamp, DeviceName, AccountName, DriveLetter, SerialNumber;
// Detect file writes to removable drive letters following a USB mount
let RemovableFileWrites = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| extend DriveLetter = toupper(substring(FolderPath, 0, 2))
| where DriveLetter matches regex @"^[D-Z]:$"
| extend FileExtension = tolower(tostring(split(FileName, ".")[-1]))
| summarize
    FileCount = count(),
    SensitiveFileCount = countif(FileExtension in (SensitiveExtensions)),
    TotalFileSizeMB = round(sum(FileSize) / 1048576.0, 2),
    UniqueExtensions = make_set(FileExtension, 20),
    SampleFiles = make_set(FileName, 5),
    FirstWrite = min(Timestamp),
    LastWrite = max(Timestamp)
  by DeviceName, AccountName, DriveLetter;
// Correlate USB mounts with subsequent file write activity on the same drive
UsbMountEvents
| join kind=inner RemovableFileWrites on DeviceName, DriveLetter
| where FirstWrite >= MountTime
| where FileCount > 5 or SensitiveFileCount > 0 or TotalFileSizeMB > 10
| extend ExfiltrationRisk = case(
    SensitiveFileCount > 10 or TotalFileSizeMB > 500, "Critical",
    SensitiveFileCount > 2 or TotalFileSizeMB > 50, "High",
    SensitiveFileCount > 0 or TotalFileSizeMB > 10, "Medium",
    FileCount > 50, "Low",
    "Low"
  )
| project MountTime, DeviceName, AccountName, DriveLetter, SerialNumber,
          FileCount, SensitiveFileCount, TotalFileSizeMB, UniqueExtensions,
          SampleFiles, FirstWrite, LastWrite, ExfiltrationRisk
| sort by TotalFileSizeMB desc

high severity medium confidence

Data Sources

Drive: Drive Creation File: File Access File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceFileEvents

False Positives

IT administrators performing legitimate data backups to external drives as part of scheduled maintenance procedures
Employees transferring personal files to USB drives at the end of their workday for personal use (common without DLP policy enforcement)
Software developers deploying compiled builds or configuration files to USB drives for air-gapped test environments
Help desk technicians using bootable USB drives (Ventoy, Rufus) that trigger mount events and may include file operations during imaging workflows
Authorized data migration projects where large volumes of files are moved to external media under change management

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval DriveLetter=upper(substr(TargetFilename, 1, 2))
| where match(DriveLetter, "^[D-Z]:$")
| eval FileExt=lower(mvindex(split(TargetFilename, "."), -1))
| eval IsSensitive=if(match(FileExt, "^(zip|rar|7z|tar|gz|docx?|xlsx?|pdf|pst|ost|db|sql|bak|key|pfx|p12|rdp|kdbx|csv|json|xml|eml|mdb|accdb)$"), 1, 0)
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| eval IsKnownExfilTool=if(match(lower(ProcessName), "^(xcopy|robocopy|7z|winzip|winrar|rclone|rsync|cp|dd)\.exe$"), 1, 0)
| bucket _time span=1h
| stats
    count as FileWriteCount,
    sum(IsSensitive) as SensitiveFileCount,
    sum(IsKnownExfilTool) as ExfilToolEvents,
    dc(FileExt) as UniqueExtensions,
    dc(Image) as UniqueProcesses,
    values(eval(if(IsSensitive=1, TargetFilename, null()))) as SensitiveFiles,
    values(Image) as WritingProcesses,
    earliest(_time) as FirstWrite,
    latest(_time) as LastWrite
  by _time, host, User, DriveLetter
| where FileWriteCount > 5 OR SensitiveFileCount > 0 OR ExfilToolEvents > 0
| eval RiskScore=(SensitiveFileCount * 5) + (ExfilToolEvents * 3) + FileWriteCount
| eval RiskTier=case(
    RiskScore >= 50, "Critical",
    RiskScore >= 20, "High",
    RiskScore >= 10, "Medium",
    true(), "Low"
  )
| sort - RiskScore
| table _time, host, User, DriveLetter, FileWriteCount, SensitiveFileCount, ExfilToolEvents, UniqueExtensions, WritingProcesses, SensitiveFiles, FirstWrite, LastWrite, RiskScore, RiskTier

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators performing legitimate data backups to external drives as part of scheduled maintenance procedures
Employees transferring personal files to USB drives at the end of their workday for personal use
Software developers deploying compiled builds or configuration files to USB drives for air-gapped test environments
Help desk technicians using bootable USB drives (Ventoy, Rufus) triggering file write events during OS imaging
Authorized data migration projects transferring large volumes under change management

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=1h
  [file where event.action in ("creation", "overwrite") and
   file.path regex~ "[D-Z]:\\\\.*" and
   file.extension in~ ("zip", "rar", "7z", "tar", "gz", "docx", "doc", "xlsx", "xls", "pdf", "pst", "ost", "db", "sql", "bak", "key", "pfx", "p12", "rdp", "kdbx", "csv", "json", "xml", "eml", "mdb", "accdb")]
  [file where event.action in ("creation", "overwrite") and
   file.path regex~ "[D-Z]:\\\\.*"
   ] with runs=5

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent file monitoring

Required Tables

logs-endpoint.events.file-* winlogbeat-*

False Positives

IT administrators performing authorized data backups to external USB drives as part of disaster recovery procedures
Developers copying build artifacts or project files to external drives for approved offline work
HR or finance staff transferring approved payroll or reporting files to encrypted USB drives per policy

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS UserName,
  "FILENAME" AS FileName,
  "FILEPATH" AS FilePath,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  COUNT(*) AS FileWriteCount,
  SUM(CASE WHEN LOWER(SUBSTRING("FILENAME", LENGTH("FILENAME") - LOCATE('.', REVERSE("FILENAME")) + 2, LENGTH("FILENAME"))) IN ('zip','rar','7z','tar','gz','docx','doc','xlsx','xls','pdf','pst','ost','db','sql','bak','key','pfx','p12','rdp','kdbx','csv','json','xml','eml','mdb','accdb') THEN 1 ELSE 0 END) AS SensitiveFileCount
FROM events
WHERE LOGSOURCETYPEID(devicetype) IN (12, 13, 260)
  AND QIDNAME(qid) ILIKE '%file%create%'
  AND ("FILEPATH" ILIKE 'D:%' OR "FILEPATH" ILIKE 'E:%' OR "FILEPATH" ILIKE 'F:%' OR "FILEPATH" ILIKE 'G:%' OR "FILEPATH" ILIKE 'H:%')
  AND LAST 24 HOURS
GROUP BY
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH'),
  sourceip,
  username,
  SUBSTRING("FILEPATH", 1, 2)
HAVING FileWriteCount > 5 OR SensitiveFileCount > 0
ORDER BY SensitiveFileCount DESC, FileWriteCount DESC

high severity medium confidence

Data Sources

Microsoft Sysmon (QRadar DSM) Windows Security Event Log IBM QRadar Endpoint Activity

Required Tables

events

False Positives

Scheduled backup jobs writing to an external drive mapped as D: or E: by backup software such as Acronis or Veeam
Contractors using encrypted USB keys for approved document transport under data handling agreements
Software developers using external drives as secondary storage for large build caches or VM images

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode = 11 or EventID = 11
| parse field=TargetFilename "*" as FilePath nodrop
| parse field=ObjectName "*" as FilePath2 nodrop
| if (isEmpty(FilePath), FilePath2, FilePath) as FullPath
| where FullPath matches /^[D-Zd-z]:\\.*/
| extract field=FullPath "(?<DriveLetter>^[A-Za-z]:)"
| toUpperCase(DriveLetter) as DriveLetter
| extract field=FullPath "(?i)\.(?<FileExt>[a-z0-9]+)$"
| toLowerCase(FileExt) as FileExt
| if (FileExt in ("zip","rar","7z","tar","gz","docx","doc","xlsx","xls","pdf","pst","ost","db","sql","bak","key","pfx","p12","rdp","kdbx","csv","json","xml","eml","mdb","accdb"), 1, 0) as IsSensitive
| timeslice 1h
| stats
    count as FileWriteCount,
    sum(IsSensitive) as SensitiveFileCount,
    values(FileExt) as ExtensionsSeen,
    values(FullPath) as SamplePaths
  by _timeslice, Computer, User, DriveLetter
| where FileWriteCount > 5 or SensitiveFileCount > 0
| toInt(SensitiveFileCount * 5 + FileWriteCount) as RiskScore
| if (RiskScore >= 50, "Critical", if(RiskScore >= 20, "High", if(RiskScore >= 10, "Medium", "Low"))) as RiskTier
| sort by RiskScore desc
| fields _timeslice, Computer, User, DriveLetter, FileWriteCount, SensitiveFileCount, ExtensionsSeen, SamplePaths, RiskScore, RiskTier

high severity high confidence

Data Sources

Windows Sysmon via Sumo Logic collector Windows Security Event Log Sumo Logic Installed Collector on Windows endpoints

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Automated nightly backup processes writing database dumps or archive files to an external drive mounted as E: or F:
Multimedia professionals copying large project files (video, audio) to external portable drives as part of standard workflow
IT technicians using USB drives to deploy software packages or OS images across endpoints

Google Chronicle / SecOps

yaral

rule t1052_exfiltration_over_physical_medium {
  meta:
    author = "df00tech"
    description = "Detects bulk or sensitive file writes to removable drive letters indicating potential exfiltration over physical medium (T1052)"
    severity = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1052"
    reference = "https://attack.mitre.org/techniques/T1052/"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.target.file.full_path = /^[D-Zd-z]:\\/
    $e.target.file.full_path = /\.(zip|rar|7z|tar|gz|docx?|xlsx?|pdf|pst|ost|db|sql|bak|key|pfx|p12|rdp|kdbx|csv|json|xml|eml|mdb|accdb)$/i
    $host = $e.principal.hostname
    $user = $e.principal.user.userid

  match:
    $host, $user over 1h

  outcome:
    $sensitive_file_count = count_distinct($e.target.file.full_path)
    $sample_files = array_distinct($e.target.file.full_path)
    $drive_letters = array_distinct(re.capture($e.target.file.full_path, "^([A-Za-z]:)"))

  condition:
    #e > 3
}

high severity high confidence

Data Sources

Chronicle UDM via Google Security Operations Windows Sysmon forwarded to Chronicle Microsoft Defender for Endpoint via Chronicle ingestion

Required Tables

FILE_CREATION UDM events

False Positives

Approved data transfer workflows where users regularly copy reports or CSVs to encrypted USB drives with documented business justification
Security tools performing file integrity backups to removable media as part of incident response toolkit deployment
Temporary worker onboarding where contractors receive project files on USB drives per standard provisioning process

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "AsepValueUpdate" OR #event_simpleName = "PeFileWritten" OR #event_simpleName = "GenericFileWrite"
| TargetFileName = /^[D-Zd-z]:\\/
| TargetFileName = /\.(zip|rar|7z|tar|gz|docx?|xlsx?|pdf|pst|ost|db|sql|bak|key|pfx|p12|rdp|kdbx|csv|json|xml|eml|mdb|accdb)$/i
| regex("^([A-Za-z]:)", field=TargetFileName, as=DriveLetter)
| toUpper(DriveLetter, as=DriveLetter)
| eval IsSensitive = if(TargetFileName =~ /\.(zip|rar|7z|tar|gz|docx?|xlsx?|pdf|pst|ost|db|sql|bak|key|pfx|p12|rdp|kdbx|csv|json|xml|eml|mdb|accdb)$/i, 1, 0)
| groupBy([ComputerName, UserName, DriveLetter], function=[
    count(as=FileWriteCount),
    sum(IsSensitive, as=SensitiveFileCount),
    collect(TargetFileName, limit=5, as=SampleFiles),
    min(@timestamp, as=FirstWrite),
    max(@timestamp, as=LastWrite)
  ])
| where FileWriteCount > 5 or SensitiveFileCount > 0
| eval RiskScore = (SensitiveFileCount * 5) + FileWriteCount
| eval RiskTier = if(RiskScore >= 50, "Critical", if(RiskScore >= 20, "High", if(RiskScore >= 10, "Medium", "Low")))
| sort(RiskScore, order=desc)
| select([ComputerName, UserName, DriveLetter, FileWriteCount, SensitiveFileCount, SampleFiles, FirstWrite, LastWrite, RiskScore, RiskTier])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Activity (EDR) Falcon Data Replicator (FDR) file events

Required Tables

Falcon GenericFileWrite Falcon PeFileWritten events

False Positives

CrowdStrike-managed endpoints where security operations teams use removable media to distribute IR toolkits or forensic images
Finance teams exporting approved quarterly reports to encrypted USB drives for offline distribution to board members
Developers on air-gapped development environments who routinely transfer build outputs to removable media for testing on isolated systems

Exfiltration Over Physical Medium

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (1)

Same Tactic: Exfiltration

Popular Detections