Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfil-USBRemovableMedia.

Upgrade to Pro
THREAT-Exfil-USBRemovableMedia

Data Exfiltration via USB Removable Media

Exfiltration Last updated:

Adversaries and malicious insiders may copy sensitive files to a USB removable drive to exfiltrate data outside of network-monitored channels, bypassing DLP and network-based egress controls entirely. This is especially relevant in air-gapped or high-security environments where physical media is the only viable exfiltration path. Detection combines removable-storage device arrival events with high-volume file-copy activity from sensitive directories to the newly mounted volume within a short window.

What is THREAT-Exfil-USBRemovableMedia Data Exfiltration via USB Removable Media?

Data Exfiltration via USB Removable Media (THREAT-Exfil-USBRemovableMedia) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Exfiltration via USB Removable Media, covering the data sources and telemetry it touches: Drive: Drive Creation, File: File Creation, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let SensitivePaths = dynamic(["C:\\Finance", "C:\\HR", "C:\\Users\\Public\\Confidential", "\\Shares\\Legal", "\\Shares\\Engineering"]);
// Signal 1: Removable storage device plugged in (DeviceEvents PnP/USB events)
let UsbArrival = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("PnpDeviceConnected", "UsbDriveMounted")
| project Timestamp, DeviceName, DeviceId=AdditionalFields, ArrivalTime=Timestamp;
// Signal 2: High volume file copy operations to a removable drive shortly after arrival
let FileCopySignal = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath matches regex @"^[D-Z]:\\" // non-system drive letters commonly assigned to removable media
| where FolderPath has_any (SensitivePaths) or InitiatingProcessFolderPath has_any (SensitivePaths)
| summarize FileCount=count(), TotalSizeBytes=sum(FileSize), Files=make_set(FileName, 20) by DeviceName, AccountName=InitiatingProcessAccountName, bin(Timestamp, 5m)
| where FileCount > 20 or TotalSizeBytes > 52428800
| extend Signal = "BulkCopyToRemovableMedia";
UsbArrival
| join kind=inner (FileCopySignal) on DeviceName
| where FileCopySignal.Timestamp between (ArrivalTime .. ArrivalTime + 30m)
| project Timestamp, DeviceName, AccountName, Signal, FileCount, TotalSizeBytes, Files
| sort by Timestamp desc

Detects potential exfiltration to USB removable media by correlating (1) removable storage device arrival events from DeviceEvents PnP telemetry with (2) a burst of file copy operations (>20 files or >50MB within 5 minutes) originating from or landing in known sensitive directories, occurring within 30 minutes of the device being connected. The join on device and time window filters out routine, low-volume USB usage.

high severity medium confidence

Data Sources

Drive: Drive Creation File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceFileEvents

False Positives

  • Employees performing legitimate authorized backups to encrypted, IT-issued USB drives as part of an approved data transfer or offline work process
  • IT staff imaging or provisioning new workstations using USB media containing bulk file transfers
  • Media/creative teams routinely moving large video or design assets to portable drives for client delivery
  • Automated backup software configured to target removable or external drives on a schedule

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration via USB Removable Media (THREAT-Exfil-USBRemovableMedia) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Bulk File Copy to Removable Drive via PowerShell

    Expected signal: Sysmon Event ID 11: 30 FileCreate events with TargetFilename under E:\ within a few seconds. Windows Event ID 2003/2100 (or DeviceEvents UsbDriveMounted) showing the E: volume was previously connected. DeviceFileEvents recording each file write with FileSize and InitiatingProcessAccountName.

  2. Test 2Large Single-File Archive Copy to USB Drive

    Expected signal: Sysmon Event ID 11: FileCreate for E:\archive_test.zip with FileSize ~60MB. DeviceFileEvents recording a single file write exceeding the 50MB threshold.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfil-USBRemovableMedia — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.