Detect Exfiltration over USB in Google Chronicle
Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems. Threat actors including APT30 (SPACESHIP), ProjectSauron (Remsec), APT28 (USBStealer), Tropic Trooper, Mustang Panda, and malware families such as Agent.btz and Machete have all used USB-based exfiltration techniques.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1052 Exfiltration Over Physical Medium
- Sub-technique: T1052.001 Exfiltration over USB
- Canonical reference: https://attack.mitre.org/techniques/T1052/001/
YARA-L Detection Query
rule t1052_001_usb_exfiltration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects USB device connection followed by bulk sensitive file writes to removable drive paths, indicating potential data exfiltration via USB (T1052.001)"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1052.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "Windows"
    version = "1.0"

  events:
    // Device event whose description looks like a USB / removable drive
    $usb.metadata.event_type = "DEVICE_UNCATEGORIZED"
    $usb.metadata.description = /(?i)(usb|removable|flash|thumb|diskdrive)/
    $usb.principal.hostname = $hostname

    // File creations on a removable drive letter (D: through J:) with a sensitive extension
    $file.metadata.event_type = "FILE_CREATION"
    $file.target.file.full_path = /(?i)^[d-j]:\\/
    $file.target.file.extension = /(?i)^(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$/
    $file.principal.hostname = $hostname
    $file.principal.user.userid = $user

    // Sequence: file writes must follow the device event within one hour
    $file.metadata.event_timestamp.seconds > $usb.metadata.event_timestamp.seconds
    $file.metadata.event_timestamp.seconds < $usb.metadata.event_timestamp.seconds + 3600

  match:
    $hostname, $user over 1h

  condition:
    $usb and #file >= 5
}

This YARA-L 2.0 rule for Google Chronicle UDM sequences a DEVICE_UNCATEGORIZED event carrying USB/removable descriptors against at least 5 FILE_CREATION events that target removable drive paths (D:\ through J:\) with sensitive file extensions, all correlated by hostname and user within a 1-hour sliding window. It requires Chronicle ingestion of endpoint telemetry that maps PnP device events and file system events into UDM. Note that the drive-letter range is an assumption about where removable media is mounted; hosts with additional fixed volumes in that range will need the path pattern adjusted.
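To make the rule's sequencing and thresholding concrete, the following Python reproduces the same logic over a handful of constructed UDM-style events. This is an added illustration, not code from the page or from Chronicle; the event field names and sample values are assumptions chosen to mirror the fields the rule reads.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same patterns as the YARA-L rule, in Python re syntax.
USB_DESC = re.compile(r"(?i)(usb|removable|flash|thumb|diskdrive)")
REMOVABLE_PATH = re.compile(r"(?i)^[d-j]:\\")
SENSITIVE_EXT = re.compile(r"(?i)^(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$")

def ev(kind, host, user, ts, desc="", path=""):
    """Minimal UDM-like event holding only the fields the rule reads (assumed shape)."""
    return {"event_type": kind, "hostname": host, "userid": user,
            "ts": datetime.fromisoformat(ts), "description": desc, "path": path}

def correlate(events, min_files=5, window=timedelta(hours=1)):
    """Return {(hostname, userid): count} where a USB/removable device event is followed,
    within `window`, by >= min_files sensitive file creations on a D:-J: path.
    Mirrors the rule's events / match / condition sections."""
    usb_by_host = defaultdict(list)    # $usb binds hostname only (no user field)
    files_by_key = defaultdict(list)   # $file binds hostname and user
    for e in events:
        if e["event_type"] == "DEVICE_UNCATEGORIZED" and USB_DESC.search(e["description"]):
            usb_by_host[e["hostname"]].append(e["ts"])
        elif e["event_type"] == "FILE_CREATION" and REMOVABLE_PATH.match(e["path"]):
            ext = e["path"].rsplit(".", 1)[-1] if "." in e["path"] else ""
            if SENSITIVE_EXT.match(ext):
                files_by_key[(e["hostname"], e["userid"])].append(e["ts"])
    alerts = {}
    for (host, user), file_ts in files_by_key.items():
        for usb_ts in usb_by_host.get(host, []):
            n = sum(1 for f in file_ts if usb_ts < f < usb_ts + window)  # strict bounds, as in the rule
            if n >= min_files and n > alerts.get((host, user), 0):
                alerts[(host, user)] = n
    return alerts

# Constructed sample telemetry (not real data): ws01 trips the rule, ws02 and ws03 do not.
SAMPLE_EVENTS = [
    ev("DEVICE_UNCATEGORIZED", "ws01", "", "2024-05-01T09:00:00", desc="USB Mass Storage Device"),
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T09:05:00", path=r"E:\export\clients.xlsx"),
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T09:06:00", path=r"E:\export\contracts.zip"),
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T09:07:00", path=r"E:\export\vault.kdbx"),
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T09:08:00", path=r"E:\export\board.pdf"),
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T09:09:00", path=r"E:\export\notes.txt"),     # extension not in list
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T09:10:00", path=r"C:\Users\alice\a.docx"),  # not a removable path
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T09:40:00", path=r"E:\export\payroll.csv"),
    ev("FILE_CREATION", "ws01", "alice", "2024-05-01T11:30:00", path=r"E:\export\late.docx"),     # outside the 1h window
    ev("DEVICE_UNCATEGORIZED", "ws02", "", "2024-05-01T10:00:00", desc="USB Mass Storage Device"),
    ev("FILE_CREATION", "ws02", "bob", "2024-05-01T10:02:00", path=r"F:\report.pdf"),            # only 1 file: below threshold
    ev("FILE_CREATION", "ws03", "carol", "2024-05-01T10:02:00", path=r"G:\a.zip"),               # no device event on ws03
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {('ws01', 'alice'): 5}
```

Raising `min_files` or shrinking `window` is the tuning lever for the false-positive scenarios listed below; the sample deliberately sits exactly at the threshold so the effect of a change is visible.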
False Positives & Tuning
- Authorized IT archival workflows where administrators copy compressed system backup files to USB drives attached to servers during scheduled maintenance windows
- Software staging processes in which a deployment script copies application installers or update packages (ZIP, MSI wrapped in archives) to removable media for air-gapped delivery
- Compliance-driven document export where legal or audit teams copy regulated records in bulk to encrypted USB storage as part of discovery or e-disclosure requests
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Manual File Copy to USB Drive via xcopy
Expected signal: Sysmon Event ID 11 (FileCreated): Multiple file creation events with TargetFilename starting with E:\ and InitiatingProcessFileName=xcopy.exe. Sysmon Event ID 1 (ProcessCreate): xcopy.exe process creation with command line referencing TEMP and E: drive. Security Event ID 4663 (if object access auditing enabled): File access on source files.
- Test 2: PowerShell Automated File Staging and USB Copy
Expected signal: Sysmon Event ID 1 (ProcessCreate): powershell.exe with -ExecutionPolicy Bypass flag. Sysmon Event ID 11 (FileCreated): 6 file creation events under E:\.hidden_sync\ with various sensitive extensions. PowerShell ScriptBlock Log Event ID 4104: Full script content including drive path and file names. Security Event ID 6416 (if auditing enabled): may correlate with prior USB insertion.
- Test 3: Create Agent.btz-style thumb.dd Artifact on USB
Expected signal: Sysmon Event ID 11 (FileCreated): TargetFilename=E:\thumb.dd, InitiatingProcessFileName=powershell.exe. PowerShell ScriptBlock Log Event ID 4104: Script showing system information collection and file write to USB path. Security Event ID 4688: Process creation for powershell.exe.
- Test 4: Robocopy Bulk Transfer to Removable Drive with Mirror
Expected signal: Sysmon Event ID 1 (ProcessCreate): robocopy.exe with the /MIR flag targeting the E: drive. Sysmon Event ID 11 (FileCreated): 10+ file creation events under E:\backup_sync\. Security Event ID 4688: robocopy.exe process creation with full command line (if process command line auditing is enabled via GPO).
References
- https://attack.mitre.org/techniques/T1052/001/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt30.pdf
- https://securelist.com/faq-the-projectsauron-apt/75533/
- https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/
- https://www.trendmicro.com/en_us/research/20/e/tropic-trooper-s-back-usbferry-attack-targets-air-gapped-environments.html
- https://www.avira.com/en/blog/mustang-panda-threat-actor-is-adding-new-techniques-to-its-arsenal
- https://securelist.com/agent-btz-a-source-of-inspiration/58551/
- https://www.welivesecurity.com/2019/08/05/machete-just-got-sharper-venezuelan-government-institutions-under-attack/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1052.001/T1052.001.md
- https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights
- https://www.sans.org/blog/investigating-usb-drive-forensics-on-windows/