T1052.001 Exfiltration over USB Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect USB device insertion and subsequent large-scale file copy activity
let SuspiciousExtensions = dynamic([".zip", ".rar", ".7z", ".tar", ".gz", ".docx", ".xlsx", ".pdf", ".pptx", ".doc", ".xls", ".csv", ".db", ".kdbx", ".pfx", ".pem", ".key"]);
let USBDrivePaths = dynamic(["D:\\", "E:\\", "F:\\", "G:\\", "H:\\", "I:\\", "J:\\"]);
// Part 1: Detect file writes to removable drive paths
let FileCopyToUSB = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (USBDrivePaths)
| where FileName has_any (SuspiciousExtensions)
| summarize FilesCopied=count(), FileSizeMB=sum(FileSize)/1048576, FileSample=make_set(FileName, 10), EarliestCopy=min(Timestamp), LatestCopy=max(Timestamp)
  by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FilesCopied >= 5
| extend AlertReason = "Bulk file copy to removable drive path";
// Part 2: Detect USB device arrival events via PnP logs
let USBDeviceEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "PnpDeviceConnected"
| where AdditionalFields has "USB"
| extend DeviceClass = tostring(parse_json(AdditionalFields).ClassName)
| extend DeviceDesc = tostring(parse_json(AdditionalFields).DeviceDescription)
| where DeviceClass in~ ("DiskDrive", "USB", "USBSTOR") or DeviceDesc has_any ("USB", "Flash", "Removable")
| project Timestamp, DeviceName, AccountName, DeviceClass, DeviceDesc;
// Part 3: Correlate USB arrival with subsequent file copies
FileCopyToUSB
| join kind=leftouter (
    USBDeviceEvents
    | project DeviceName, USBInsertTime=Timestamp, DeviceClass, DeviceDesc
) on DeviceName
| where isempty(USBInsertTime) or (EarliestCopy >= USBInsertTime and EarliestCopy <= USBInsertTime + 1h)
| project EarliestCopy, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          FilesCopied, FileSizeMB, FileSample, USBInsertTime, DeviceDesc, AlertReason
| sort by FilesCopied desc

high severity medium confidence

Data Sources

File: File Creation Drive: Drive Creation Microsoft Defender for Endpoint Windows Plug and Play

Required Tables

DeviceFileEvents DeviceEvents

False Positives

Legitimate IT asset backup operations copying files to external drives for archival or disaster recovery
Software developers copying build artifacts or source code to USB drives for air-gapped deployment
Users performing authorized transfers of their own work files to external media per company policy
Automated backup software (e.g., Windows Backup, third-party tools) that writes to removable drives on a schedule

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System")
| eval is_usb_insert=0, is_file_copy=0
// Detect USB/Removable storage device insertions via Sysmon or System log
| eval is_usb_insert=case(
    (EventCode=6416 OR EventCode=20001),
    if(match(lower(coalesce(DeviceDescription, Message)), "(usb|removable|flash|thumb|disk)"), 1, 0),
    1==1, 0
  )
// Detect file creation events targeting removable drive paths (Sysmon Event ID 11)
| eval is_file_copy=case(
    EventCode=11,
    if(match(TargetFilename, "^[D-Jd-j]:\\\\"), 1, 0),
    1==1, 0
  )
| eval sensitive_ext=if(
    match(lower(coalesce(TargetFilename,"")), "\.(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$"),
    1, 0
  )
| search (is_usb_insert=1 OR (is_file_copy=1 AND sensitive_ext=1))
| eval event_type=case(is_usb_insert=1, "USB_Inserted", is_file_copy=1, "FileCopied", 1==1, "Other")
| eval drive_letter=if(is_file_copy=1, upper(substr(TargetFilename, 1, 2)), null())
| stats
    count(eval(event_type="USB_Inserted")) as usb_inserts,
    count(eval(event_type="FileCopied")) as files_copied,
    values(drive_letter) as target_drives,
    values(TargetFilename) as file_samples,
    dc(TargetFilename) as unique_files,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by host, user
| where files_copied >= 5
| eval has_usb_event=if(usb_inserts > 0, "YES", "NO")
| eval risk_score=case(
    files_copied >= 50 AND usb_inserts > 0, 90,
    files_copied >= 20 AND usb_inserts > 0, 75,
    files_copied >= 5 AND usb_inserts > 0, 60,
    files_copied >= 20, 55,
    files_copied >= 5, 40,
    1==1, 20
  )
| table first_seen, last_seen, host, user, usb_inserts, files_copied, unique_files, target_drives, file_samples, has_usb_event, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

File: File Creation Drive: Drive Creation Sysmon Event ID 11 Windows Event ID 6416 Windows System Event ID 20001

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security WinEventLog:System

False Positives

Legitimate IT asset backup operations copying files to external drives for archival or disaster recovery
Software developers copying build artifacts or source code to USB drives for air-gapped deployment
Users performing authorized transfers of their own work files to external media per company policy
Automated backup software (e.g., Windows Backup, Acronis, Veeam agents) writing to removable drives

Elastic Security (EQL)

eql

sequence by host.name with maxspan=2h
  [any where event.code == "6416" or
   (event.provider : "Microsoft-Windows-Kernel-PnP" and
    message : ("*USB*", "*Removable*", "*Flash*", "*Thumb Drive*"))]
  [file where event.type in ("creation", "change") and
   file.path : ("D:\\*", "E:\\*", "F:\\*", "G:\\*", "H:\\*", "I:\\*", "J:\\*") and
   file.extension : ("zip", "rar", "7z", "tar", "gz", "docx", "xlsx", "pdf", "pptx",
                     "doc", "xls", "csv", "db", "kdbx", "pfx", "pem", "key")] with runs=5

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon (Winlogbeat) Elastic Endpoint Security Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.driver-* winlogbeat-*

False Positives

IT administrators performing authorized USB-based OS deployments or system imaging that writes many archive or document files to removable media as part of standard workflows
Automated enterprise backup software (e.g., Acronis, Veeam) configured to write compressed backups to a USB-attached drive on a schedule
End users with approved workflows copying presentation files or project archives to USB drives for offsite work, trade shows, or air-gapped lab use

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  QIDNAME(qid) AS event_name,
  SUM(CASE WHEN LOGSOURCETYPENAME(devicetype) = 'Sysmon' AND eventid = '11' THEN 1 ELSE 0 END) AS files_copied,
  SUM(CASE WHEN eventid IN ('6416', '20001') THEN 1 ELSE 0 END) AS usb_inserts,
  MAX("TargetFilename") AS file_sample
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon', 'Universal DSM')
  AND (
    (
      eventid IN ('6416', '20001')
      AND (
        LOWER("DeviceDescription") ILIKE '%usb%'
        OR LOWER("DeviceDescription") ILIKE '%removable%'
        OR LOWER("DeviceDescription") ILIKE '%flash%'
        OR LOWER("DeviceDescription") ILIKE '%thumb%'
      )
    )
    OR (
      eventid = '11'
      AND (
        "TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%'
        OR "TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%'
        OR "TargetFilename" ILIKE 'H:\\%' OR "TargetFilename" ILIKE 'I:\\%'
        OR "TargetFilename" ILIKE 'J:\\%'
      )
      AND (
        LOWER("TargetFilename") ILIKE '%.zip' OR LOWER("TargetFilename") ILIKE '%.rar'
        OR LOWER("TargetFilename") ILIKE '%.7z' OR LOWER("TargetFilename") ILIKE '%.pdf'
        OR LOWER("TargetFilename") ILIKE '%.docx' OR LOWER("TargetFilename") ILIKE '%.xlsx'
        OR LOWER("TargetFilename") ILIKE '%.csv' OR LOWER("TargetFilename") ILIKE '%.kdbx'
        OR LOWER("TargetFilename") ILIKE '%.pem' OR LOWER("TargetFilename") ILIKE '%.key'
        OR LOWER("TargetFilename") ILIKE '%.pfx' OR LOWER("TargetFilename") ILIKE '%.db'
        OR LOWER("TargetFilename") ILIKE '%.tar' OR LOWER("TargetFilename") ILIKE '%.gz'
      )
    )
  )
GROUP BY sourceip, username, hostname
HAVING SUM(CASE WHEN eventid = '11' THEN 1 ELSE 0 END) >= 5
ORDER BY files_copied DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM (Universal DSM) WinCollect agent on Windows endpoints

Required Tables

events

False Positives

IT helpdesk staff performing USB-based OS deployments or WIM-based reimaging that writes dozens of compressed files to removable media on a regular maintenance cycle
Development or QA teams copying build artifacts, firmware packages, or compressed test datasets to USB drives for distribution to isolated lab environments
Finance or legal teams conducting court-ordered or regulatory data exports where large numbers of document files are copied to encrypted USB storage as part of an approved process

Sumo Logic CSE

sql

(_sourceCategory=Windows* OR _sourceCategory=sysmon* OR _sourceCategory=WinEventLog*)
| where EventCode in ("6416", "11", "20001")
| eval is_usb_insert = if(EventCode in ("6416", "20001") and (
    toLowerCase(DeviceDescription) matches ".*usb.*" or
    toLowerCase(DeviceDescription) matches ".*removable.*" or
    toLowerCase(DeviceDescription) matches ".*flash.*"
  ), 1, 0)
| eval is_file_copy = if(EventCode == "11" and (
    TargetFilename matches "[D-Jd-j]:\\\\.*"
  ), 1, 0)
| eval is_sensitive_ext = if(EventCode == "11" and
    toLowerCase(TargetFilename) matches ".*\\.(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$", 1, 0)
| where is_usb_insert == 1 or (is_file_copy == 1 and is_sensitive_ext == 1)
| stats
    sum(is_usb_insert) as usb_inserts,
    sum(is_file_copy) as files_copied,
    count_distinct(TargetFilename) as unique_files,
    values(TargetFilename) as file_samples
    by _sourceHost, user
| where files_copied >= 5
| eval has_usb_event = if(usb_inserts > 0, "YES", "NO")
| eval risk_score = if(files_copied >= 50 and usb_inserts > 0, 90,
    if(files_copied >= 20 and usb_inserts > 0, 75,
    if(files_copied >= 5 and usb_inserts > 0, 60,
    if(files_copied >= 20, 55, 40))))
| fields _sourceHost, user, usb_inserts, files_copied, unique_files, file_samples, has_usb_event, risk_score
| sort by risk_score desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log Source Sysmon logs forwarded via Sumo Logic Collector Sumo Logic Cloud-to-Cloud Windows source

Required Tables

_sourceCategory=Windows* _sourceCategory=sysmon* _sourceCategory=WinEventLog*

False Positives

Security operations staff running authorized forensic data collection that involves copying evidence archives to encrypted USB drives as part of an incident response chain-of-custody procedure
Software QA engineers using removable USB media to stage compressed application packages or firmware images for transfer to physically isolated test benches
Employees in organizations that permit portable encrypted USB drives (e.g., IronKey, Apricorn) for approved document transport between offices or to client sites

Google Chronicle / SecOps

yaral

rule t1052_001_usb_exfiltration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects USB device connection followed by bulk sensitive file writes to removable drive paths, indicating potential data exfiltration via USB (T1052.001)"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1052.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "Windows"
    version = "1.0"

  events:
    $usb.metadata.event_type = "DEVICE_UNCATEGORIZED"
    $usb.metadata.description = /(?i)(usb|removable|flash|thumb|diskdrive)/
    $usb.principal.hostname = $hostname

    $file.metadata.event_type = "FILE_CREATION"
    $file.target.file.full_path = /(?i)^[d-j]:\\/
    $file.target.file.extension = /(?i)^(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$/
    $file.principal.hostname = $hostname
    $file.principal.user.userid = $user

    $file.metadata.event_timestamp.seconds >
        $usb.metadata.event_timestamp.seconds
    $file.metadata.event_timestamp.seconds <
        $usb.metadata.event_timestamp.seconds + 3600

  match:
    $hostname, $user over 1h

  condition:
    $usb and #file >= 5
}

high severity medium confidence

Data Sources

Chronicle Forwarder with Windows endpoint agent Microsoft Defender for Endpoint logs ingested into Chronicle Sysmon telemetry mapped to Chronicle UDM via parser

Required Tables

UDM events: FILE_CREATION, DEVICE_UNCATEGORIZED

False Positives

Authorized IT archival workflows where administrators copy compressed system backup files to USB drives attached to servers during scheduled maintenance windows
Software staging processes in which a deployment script copies application installers or update packages (ZIP, MSI wrapped in archives) to removable media for air-gapped delivery
Compliance-driven document export where legal or audit teams copy regulated records in bulk to encrypted USB storage as part of discovery or e-disclosure requests

CrowdStrike LogScale (CQL)

cql

(#event_simpleName=FileCreated OR #event_simpleName=FileWritten
  OR #event_simpleName=UsbDeviceConnected OR #event_simpleName=RemovableMediaVolumeMount)
| eval is_usb = if(#event_simpleName = "UsbDeviceConnected"
    OR #event_simpleName = "RemovableMediaVolumeMount", 1, 0)
| eval is_sensitive_file = if(
    (#event_simpleName = "FileCreated" OR #event_simpleName = "FileWritten")
    AND TargetFileName = /^[D-Jd-j]:\\/
    AND TargetFileName = /(?i)\.(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$/,
    1, 0
  )
| where is_usb = 1 OR is_sensitive_file = 1
| groupBy(
    [ComputerName, UserName],
    function=[
      sum(is_usb, as=usb_connections),
      sum(is_sensitive_file, as=files_written),
      collect([TargetFileName], limit=10, as=file_samples)
    ]
  )
| where files_written >= 5
| eval risk_score = if(files_written >= 50 AND usb_connections > 0, 90,
    if(files_written >= 20 AND usb_connections > 0, 75,
    if(files_written >= 5 AND usb_connections > 0, 60,
    if(files_written >= 20, 55, 40))))
| sort(risk_score, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection sensor Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Falcon SIEM Connector

Required Tables

FileCreated FileWritten UsbDeviceConnected RemovableMediaVolumeMount

False Positives

Endpoint backup agents writing compressed archives to USB drives as a scheduled local backup destination on endpoints lacking centralized backup infrastructure coverage
Technical support staff copying diagnostic tool output files, crash dumps, or system logs to USB drives during on-site troubleshooting of hardware or OS issues
Portable application users (e.g., PortableApps suite) running software directly from USB that writes cache, configuration, or profile data files back to the removable drive during normal operation

Exfiltration over USB

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Exfiltration

Popular Detections