T1052.001 CrowdStrike LogScale · LogScale

Detect Exfiltration over USB in CrowdStrike LogScale

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems. Threat actors including APT30 (SPACESHIP), ProjectSauron (Remsec), APT28 (USBStealer), Tropic Trooper, Mustang Panda, and malware families like Agent.btz and Machete have all used USB-based exfiltration techniques.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1052 Exfiltration Over Physical Medium
Sub-technique
T1052.001 Exfiltration over USB
Canonical reference
https://attack.mitre.org/techniques/T1052/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
(#event_simpleName=FileCreated OR #event_simpleName=FileWritten
  OR #event_simpleName=UsbDeviceConnected OR #event_simpleName=RemovableMediaVolumeMount)
| eval is_usb = if(#event_simpleName = "UsbDeviceConnected"
    OR #event_simpleName = "RemovableMediaVolumeMount", 1, 0)
| eval is_sensitive_file = if(
    (#event_simpleName = "FileCreated" OR #event_simpleName = "FileWritten")
    AND TargetFileName = /^[D-Jd-j]:\\/
    AND TargetFileName = /(?i)\.(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$/,
    1, 0
  )
| where is_usb = 1 OR is_sensitive_file = 1
| groupBy(
    [ComputerName, UserName],
    function=[
      sum(is_usb, as=usb_connections),
      sum(is_sensitive_file, as=files_written),
      collect([TargetFileName], limit=10, as=file_samples)
    ]
  )
| where files_written >= 5
| eval risk_score = if(files_written >= 50 AND usb_connections > 0, 90,
    if(files_written >= 20 AND usb_connections > 0, 75,
    if(files_written >= 5 AND usb_connections > 0, 60,
    if(files_written >= 20, 55, 40))))
| sort(risk_score, order=desc)
high severity medium confidence

CrowdStrike LogScale (Humio) query over Falcon sensor telemetry detecting UsbDeviceConnected and RemovableMediaVolumeMount events correlated with FileCreated or FileWritten events targeting removable drive paths (D-J:\) with sensitive file extensions. Uses sum() on binary eval fields for conditional aggregation, grouped by endpoint and user, with a risk score that escalates when USB insertion is confirmed alongside bulk file writes.

Data Sources

CrowdStrike Falcon Endpoint Protection sensorFalcon Data Replicator (FDR) streaming to LogScaleCrowdStrike Falcon SIEM Connector

Required Tables

FileCreatedFileWrittenUsbDeviceConnectedRemovableMediaVolumeMount

False Positives & Tuning

  • Endpoint backup agents writing compressed archives to USB drives as a scheduled local backup destination on endpoints lacking centralized backup infrastructure coverage
  • Technical support staff copying diagnostic tool output files, crash dumps, or system logs to USB drives during on-site troubleshooting of hardware or OS issues
  • Portable application users (e.g., PortableApps suite) running software directly from USB that writes cache, configuration, or profile data files back to the removable drive during normal operation
Download portable Sigma rule (.yml)

Other platforms for T1052.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Manual File Copy to USB Drive via xcopy

    Expected signal: Sysmon Event ID 11 (FileCreated): Multiple file creation events with TargetFilename starting with E:\ and InitiatingProcessFileName=xcopy.exe. Sysmon Event ID 1 (ProcessCreate): xcopy.exe process creation with command line referencing TEMP and E: drive. Security Event ID 4663 (if object access auditing enabled): File access on source files.

  2. Test 2PowerShell Automated File Staging and USB Copy

    Expected signal: Sysmon Event ID 1 (ProcessCreate): powershell.exe with -ExecutionPolicy Bypass flag. Sysmon Event ID 11 (FileCreated): 6 file creation events under E:\.hidden_sync\ with various sensitive extensions. PowerShell ScriptBlock Log Event ID 4104: Full script content including drive path and file names. Security Event ID 6416 (if auditing enabled): may correlate with prior USB insertion.

  3. Test 3Create Agent.btz-style thumb.dd Artifact on USB

    Expected signal: Sysmon Event ID 11 (FileCreated): TargetFilename=E:\thumb.dd, InitiatingProcessFileName=powershell.exe. PowerShell ScriptBlock Log Event ID 4104: Script showing system information collection and file write to USB path. Security Event ID 4688: Process creation for powershell.exe.

  4. Test 4Robocopy Bulk Transfer to Removable Drive with Mirror

    Expected signal: Sysmon Event ID 1 (ProcessCreate): robocopy.exe with MIR flag targeting E: drive. Sysmon Event ID 11 (FileCreated): 10+ file creation events under E:\backup_sync\. Security Event ID 4688: robocopy.exe process creation with full command line (if process command line auditing enabled via GPO).

Last updated: 2026-04-17 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1052.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1052Exfiltration Over Physical Medium

Related Techniques

T1052Exfiltration Over Physical MediumT1560Archive Collected DataT1560.001Archive via UtilityT1005Data from Local SystemT1025Data from Removable MediaT1091Replication Through Removable MediaT1200Hardware AdditionsT1074.001Local Data StagingT1020Automated Exfiltration

Same Tactic: Exfiltration

Popular Detections