Which SIEM platforms have a T1052.001 detection rule?

df00tech provides T1052.001 (Exfiltration over USB) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Exfiltration over USB (T1052.001)?

Detecting Exfiltration over USB requires the following data sources: File: File Creation, Drive: Drive Creation, Microsoft Defender for Endpoint, Windows Plug and Play.

What severity and confidence is the T1052.001 detection?

The T1052.001 detection is rated high severity with medium confidence.

What are common false positives for T1052.001?

Common false positives for T1052.001 include: Legitimate IT asset backup operations copying files to external drives for archival or disaster recovery; Software developers copying build artifacts or source code to USB drives for air-gapped deployment; Users performing authorized transfers of their own work files to external media per company policy.

T1052.001 IBM QRadar · QRadar

Detect Exfiltration over USB in IBM QRadar

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems. Threat actors including APT30 (SPACESHIP), ProjectSauron (Remsec), APT28 (USBStealer), Tropic Trooper, Mustang Panda, and malware families like Agent.btz and Machete have all used USB-based exfiltration techniques.

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1052 Exfiltration Over Physical Medium
Sub-technique: T1052.001 Exfiltration over USB
Canonical reference: https://attack.mitre.org/techniques/T1052/001/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  QIDNAME(qid) AS event_name,
  SUM(CASE WHEN LOGSOURCETYPENAME(devicetype) = 'Sysmon' AND eventid = '11' THEN 1 ELSE 0 END) AS files_copied,
  SUM(CASE WHEN eventid IN ('6416', '20001') THEN 1 ELSE 0 END) AS usb_inserts,
  MAX("TargetFilename") AS file_sample
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon', 'Universal DSM')
  AND (
    (
      eventid IN ('6416', '20001')
      AND (
        LOWER("DeviceDescription") ILIKE '%usb%'
        OR LOWER("DeviceDescription") ILIKE '%removable%'
        OR LOWER("DeviceDescription") ILIKE '%flash%'
        OR LOWER("DeviceDescription") ILIKE '%thumb%'
      )
    )
    OR (
      eventid = '11'
      AND (
        "TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%'
        OR "TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%'
        OR "TargetFilename" ILIKE 'H:\\%' OR "TargetFilename" ILIKE 'I:\\%'
        OR "TargetFilename" ILIKE 'J:\\%'
      )
      AND (
        LOWER("TargetFilename") ILIKE '%.zip' OR LOWER("TargetFilename") ILIKE '%.rar'
        OR LOWER("TargetFilename") ILIKE '%.7z' OR LOWER("TargetFilename") ILIKE '%.pdf'
        OR LOWER("TargetFilename") ILIKE '%.docx' OR LOWER("TargetFilename") ILIKE '%.xlsx'
        OR LOWER("TargetFilename") ILIKE '%.csv' OR LOWER("TargetFilename") ILIKE '%.kdbx'
        OR LOWER("TargetFilename") ILIKE '%.pem' OR LOWER("TargetFilename") ILIKE '%.key'
        OR LOWER("TargetFilename") ILIKE '%.pfx' OR LOWER("TargetFilename") ILIKE '%.db'
        OR LOWER("TargetFilename") ILIKE '%.tar' OR LOWER("TargetFilename") ILIKE '%.gz'
      )
    )
  )
GROUP BY sourceip, username, hostname
HAVING SUM(CASE WHEN eventid = '11' THEN 1 ELSE 0 END) >= 5
ORDER BY files_copied DESC
LAST 24 HOURS

high severity medium confidence

AQL query aggregating Windows Security Event ID 6416 / 20001 (PnP device connection with USB descriptor) and Sysmon Event ID 11 (FileCreate) targeting removable drive paths D through J with sensitive file extensions. Groups results by source IP, username, and hostname; HAVING clause enforces a minimum of 5 file write events. USB insertion presence is reported as a correlated signal.

Data Sources

QRadar Windows Security Event Log DSMQRadar Sysmon DSM (Universal DSM)WinCollect agent on Windows endpoints

Required Tables

events

False Positives & Tuning

IT helpdesk staff performing USB-based OS deployments or WIM-based reimaging that writes dozens of compressed files to removable media on a regular maintenance cycle
Development or QA teams copying build artifacts, firmware packages, or compressed test datasets to USB drives for distribution to isolated lab environments
Finance or legal teams conducting court-ordered or regulatory data exports where large numbers of document files are copied to encrypted USB storage as part of an approved process

Download portable Sigma rule (.yml)

Other platforms for T1052.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Manual File Copy to USB Drive via xcopy
Expected signal: Sysmon Event ID 11 (FileCreated): Multiple file creation events with TargetFilename starting with E:\ and InitiatingProcessFileName=xcopy.exe. Sysmon Event ID 1 (ProcessCreate): xcopy.exe process creation with command line referencing TEMP and E: drive. Security Event ID 4663 (if object access auditing enabled): File access on source files.
Test 2PowerShell Automated File Staging and USB Copy
Expected signal: Sysmon Event ID 1 (ProcessCreate): powershell.exe with -ExecutionPolicy Bypass flag. Sysmon Event ID 11 (FileCreated): 6 file creation events under E:\.hidden_sync\ with various sensitive extensions. PowerShell ScriptBlock Log Event ID 4104: Full script content including drive path and file names. Security Event ID 6416 (if auditing enabled): may correlate with prior USB insertion.
Test 3Create Agent.btz-style thumb.dd Artifact on USB
Expected signal: Sysmon Event ID 11 (FileCreated): TargetFilename=E:\thumb.dd, InitiatingProcessFileName=powershell.exe. PowerShell ScriptBlock Log Event ID 4104: Script showing system information collection and file write to USB path. Security Event ID 4688: Process creation for powershell.exe.
Test 4Robocopy Bulk Transfer to Removable Drive with Mirror
Expected signal: Sysmon Event ID 1 (ProcessCreate): robocopy.exe with MIR flag targeting E: drive. Sysmon Event ID 11 (FileCreated): 10+ file creation events under E:\backup_sync\. Security Event ID 4688: robocopy.exe process creation with full command line (if process command line auditing enabled via GPO).

Last updated: 2026-04-17 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1052.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Exfiltration over USB in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1052.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Techniques

Same Tactic: Exfiltration

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1052.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Techniques

Same Tactic: Exfiltration

Popular Detections

Get new detections in your inbox