T1052.001 Splunk · SPL

Detect Exfiltration over USB in Splunk

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems. Threat actors including APT30 (SPACESHIP), ProjectSauron (Remsec), APT28 (USBStealer), Tropic Trooper, Mustang Panda, and malware families like Agent.btz and Machete have all used USB-based exfiltration techniques.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1052 Exfiltration Over Physical Medium
Sub-technique
T1052.001 Exfiltration over USB
Canonical reference
https://attack.mitre.org/techniques/T1052/001/

SPL Detection Query

Splunk (SPL)

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System")
| eval is_usb_insert=0, is_file_copy=0
```Flag USB/removable storage insertions from the Security log (6416) or the System log (20001)```
| eval is_usb_insert=case(
    (EventCode=6416 OR EventCode=20001),
    if(match(lower(coalesce(DeviceDescription, Message)), "(usb|removable|flash|thumb|disk)"), 1, 0),
    1==1, 0
  )
```Flag Sysmon file creation events (Event ID 11) whose target sits on removable drive letters D-J```
| eval is_file_copy=case(
    EventCode=11,
    if(match(TargetFilename, "^[D-Jd-j]:\\\\"), 1, 0),
    1==1, 0
  )
```Only file writes with an extension typical of staged or archived data count as copies```
| eval sensitive_ext=if(
    match(lower(coalesce(TargetFilename,"")), "\.(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$"),
    1, 0
  )
| search (is_usb_insert=1 OR (is_file_copy=1 AND sensitive_ext=1))
| eval event_type=case(is_usb_insert=1, "USB_Inserted", is_file_copy=1, "FileCopied", 1==1, "Other")
| eval drive_letter=if(is_file_copy=1, upper(substr(TargetFilename, 1, 2)), null())
```Normalise the user: Sysmon carries User, Security events SubjectUserName, System-log 20001 events none. stats drops events whose by-field is null, so fall back to a fixed token instead of losing the insertion events```
| eval user=coalesce(user, User, SubjectUserName, "unknown")
| stats
    count(eval(event_type="USB_Inserted")) as usb_inserts,
    count(eval(event_type="FileCopied")) as files_copied,
    values(drive_letter) as target_drives,
    values(TargetFilename) as file_samples,
    dc(TargetFilename) as unique_files,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by host, user
| where files_copied >= 5
| eval has_usb_event=if(usb_inserts > 0, "YES", "NO")
```Risk ladder: file volume, boosted when a USB insertion was seen for the same host and user```
| eval risk_score=case(
    files_copied >= 50 AND usb_inserts > 0, 90,
    files_copied >= 20 AND usb_inserts > 0, 75,
    files_copied >= 5 AND usb_inserts > 0, 60,
    files_copied >= 20, 55,
    files_copied >= 5, 40,
    1==1, 20
  )
| table first_seen, last_seen, host, user, usb_inserts, files_copied, unique_files, target_drives, file_samples, has_usb_event, risk_score
| sort - risk_score

The inline comments use SPL's triple-backtick comment syntax; on Splunk releases that do not support search comments, delete those lines before running the query (C++-style // comments are not valid SPL and break the search).

Severity: High · Confidence: Medium

Detects USB-based exfiltration by combining Windows Plug and Play device insertion events (EventCode 6416, 20001) with Sysmon file creation events (EventCode 11) targeting removable drive letters (D-J). Assigns a risk score based on file volume and correlation with confirmed USB insertion events. A higher score indicates a higher likelihood of intentional exfiltration versus incidental use. Note that the where clause gates on file volume: a host with a USB insertion but fewer than five qualifying file writes produces no result, so insertion events alone never alert.

Data Sources

  • File: File Creation
  • Drive: Drive Creation
  • Sysmon Event ID 11
  • Windows Security Event ID 6416
  • Windows System Event ID 20001

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security
  • WinEventLog:System

False Positives & Tuning

  • Legitimate IT asset backup operations copying files to external drives for archival or disaster recovery
  • Software developers copying build artifacts or source code to USB drives for air-gapped deployment
  • Users performing authorized transfers of their own work files to external media per company policy
  • Automated backup software (e.g., Windows Backup, Acronis, Veeam agents) writing to removable drives
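To check the query's thresholds and the tuning ideas above before deploying them, here is an added offline replay of the same logic in Python (this is example code written for this page, not part of the detection package or any vendor tooling). It re-implements the per-event classification (EventCode 6416/20001 insertions, Sysmon EventCode 11 writes to drive letters D-J with a sensitive extension), the aggregation by host and user, the identical risk-score ladder, and an initiating-process allowlist that suppresses the sanctioned backup agents listed under False Positives & Tuning. Field names follow the Splunk-extracted ones (EventCode, TargetFilename, DeviceDescription, Image, User); the events, host names and the allowlisted agent path are all constructed placeholders.

```python
"""Offline replay of the T1052.001 SPL detection logic (added example)."""
import re
from collections import defaultdict

DRIVE_RE = re.compile(r"^[D-Jd-j]:\\")
USB_RE = re.compile(r"usb|removable|flash|thumb|disk")
SENSITIVE_RE = re.compile(
    r"\.(zip|rar|7z|tar|gz|docx?|xlsx?|pptx?|pdf|csv|db|kdbx|pfx|pem|key)$")
USB_INSERT_CODES = {6416, 20001}
MIN_FILES = 5  # the "| where files_copied >= 5" gate

# Constructed placeholder: in a real deployment list the full image paths of
# your sanctioned backup agents (Windows Backup, Acronis, Veeam, ...).
ALLOWED_BACKUP_IMAGES = {r"c:\program files\examplebackup\backupagent.exe"}


def classify(ev):
    """Mirror the eval/case clauses: return (is_usb_insert, is_file_copy).

    is_file_copy is only True when the target also carries a sensitive
    extension, matching the query's search clause."""
    code = ev.get("EventCode")
    if code in USB_INSERT_CODES:
        desc = (ev.get("DeviceDescription") or ev.get("Message") or "").lower()
        return bool(USB_RE.search(desc)), False
    if code == 11:
        target = ev.get("TargetFilename", "")
        on_removable = bool(DRIVE_RE.match(target))
        return False, on_removable and bool(SENSITIVE_RE.search(target.lower()))
    return False, False


def risk_score(files_copied, usb_inserts):
    """Same ladder as the query's risk_score case()."""
    if files_copied >= 50 and usb_inserts > 0:
        return 90
    if files_copied >= 20 and usb_inserts > 0:
        return 75
    if files_copied >= 5 and usb_inserts > 0:
        return 60
    if files_copied >= 20:
        return 55
    if files_copied >= 5:
        return 40
    return 20


def aggregate(events, allowed_images=ALLOWED_BACKUP_IMAGES):
    """Aggregate like 'stats ... by host, user'; return rows keyed by
    (host, user) that pass the files_copied >= 5 gate."""
    rows = defaultdict(lambda: {"usb_inserts": 0, "files_copied": 0,
                                "unique_files": set(), "target_drives": set()})
    for ev in events:
        is_usb, is_copy = classify(ev)
        if not (is_usb or is_copy):
            continue
        # Tuning: drop writes made by a sanctioned backup agent (Sysmon Image).
        if is_copy and ev.get("Image", "").lower() in allowed_images:
            continue
        # Splunk stats drops events whose by-field is null; System-log 20001
        # events carry no user, so fall back to a fixed token instead.
        user = (ev.get("User") or ev.get("user")
                or ev.get("SubjectUserName") or "unknown")
        row = rows[(ev["host"], user)]
        if is_usb:
            row["usb_inserts"] += 1
        else:
            target = ev["TargetFilename"]
            row["files_copied"] += 1
            row["unique_files"].add(target)
            row["target_drives"].add(target[:2].upper())  # upper(substr(..,1,2))
    results = {}
    for key, row in rows.items():
        if row["files_copied"] < MIN_FILES:
            continue
        row["unique_files"] = len(row["unique_files"])
        row["has_usb_event"] = "YES" if row["usb_inserts"] > 0 else "NO"
        row["risk_score"] = risk_score(row["files_copied"], row["usb_inserts"])
        results[key] = row
    return results


def sample_events():
    """Constructed telemetry: a correlated hit, a tuned-out backup job, a bulk
    copy with no insertion seen, plus noise the query must ignore."""
    evs = [
        {"host": "WS01", "EventCode": 6416, "User": "alice",
         "DeviceDescription": "USB Mass Storage Device"},
        {"host": "WS01", "EventCode": 11, "User": "alice",  # ignored: not sensitive
         "Image": r"c:\windows\system32\xcopy.exe", "TargetFilename": r"E:\staging\setup.exe"},
        {"host": "WS01", "EventCode": 11, "User": "alice",  # ignored: local drive
         "Image": r"c:\windows\system32\xcopy.exe", "TargetFilename": r"C:\Users\alice\notes.docx"},
    ]
    for i in range(6):  # alice: six sensitive files onto E: -> score 60
        evs.append({"host": "WS01", "EventCode": 11, "User": "alice",
                    "Image": r"c:\windows\system32\xcopy.exe",
                    "TargetFilename": rf"E:\staging\report{i}.pdf"})
    for i in range(7):  # bob: sanctioned backup agent, suppressed by allowlist
        evs.append({"host": "WS02", "EventCode": 11, "User": "bob",
                    "Image": r"C:\Program Files\ExampleBackup\BackupAgent.exe",
                    "TargetFilename": rf"F:\backup\archive{i}.zip"})
    for i in range(22):  # carol: bulk copy, no USB insertion seen -> score 55
        evs.append({"host": "WS03", "EventCode": 11, "User": "carol",
                    "Image": r"c:\windows\system32\robocopy.exe",
                    "TargetFilename": rf"G:\sync\sheet{i}.xlsx"})
    return evs


if __name__ == "__main__":
    for (host, user), row in sorted(aggregate(sample_events()).items(),
                                    key=lambda kv: -kv[1]["risk_score"]):
        print(host, user, row["files_copied"], row["usb_inserts"], row["risk_score"])
```

Feeding captured events exported from Splunk (for example as JSON) into aggregate() lets you see which rows survive a threshold change or a new allowlist entry without re-running the search against production indexes.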

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Manual File Copy to USB Drive via xcopy

     Expected signal:
       • Sysmon Event ID 11 (FileCreated): multiple file creation events with TargetFilename starting with E:\ and InitiatingProcessFileName=xcopy.exe.
       • Sysmon Event ID 1 (ProcessCreate): xcopy.exe process creation with a command line referencing TEMP and the E: drive.
       • Security Event ID 4663 (if object access auditing is enabled): file access on the source files.

  2. Test 2: PowerShell Automated File Staging and USB Copy

     Expected signal:
       • Sysmon Event ID 1 (ProcessCreate): powershell.exe with the -ExecutionPolicy Bypass flag.
       • Sysmon Event ID 11 (FileCreated): 6 file creation events under E:\.hidden_sync\ with various sensitive extensions.
       • PowerShell ScriptBlock Log Event ID 4104: full script content including the drive path and file names.
       • Security Event ID 6416 (if auditing is enabled): may correlate with a prior USB insertion.

  3. Test 3: Create Agent.btz-style thumb.dd Artifact on USB

     Expected signal:
       • Sysmon Event ID 11 (FileCreated): TargetFilename=E:\thumb.dd, InitiatingProcessFileName=powershell.exe.
       • PowerShell ScriptBlock Log Event ID 4104: script showing system information collection and a file write to the USB path.
       • Security Event ID 4688: process creation for powershell.exe.

  4. Test 4: Robocopy Bulk Transfer to Removable Drive with Mirror

     Expected signal:
       • Sysmon Event ID 1 (ProcessCreate): robocopy.exe with the MIR flag targeting the E: drive.
       • Sysmon Event ID 11 (FileCreated): 10+ file creation events under E:\backup_sync\.
       • Security Event ID 4688: robocopy.exe process creation with full command line (if process command line auditing is enabled via GPO).
