Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfil-USBRemovableMedia.

Upgrade to Pro
THREAT-Exfil-USBRemovableMedia IBM QRadar · QRadar

Detect Data Exfiltration via USB Removable Media in IBM QRadar

Adversaries and malicious insiders may copy sensitive files to a USB removable drive to exfiltrate data outside of network-monitored channels, bypassing DLP and network-based egress controls entirely. This is especially relevant in air-gapped or high-security environments where physical media is the only viable exfiltration path. Detection combines removable-storage device arrival events with high-volume file-copy activity from sensitive directories to the newly mounted volume within a short window.

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  "Computer" AS Hostname,
  username AS UserName,
  QIDNAME(qid) AS EventName,
  "TargetFilename" AS TargetFile,
  COUNT(*) AS FileWriteCount
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 1 DAYS
  AND (
    ("TargetFilename" ILIKE 'D:\%' OR "TargetFilename" ILIKE 'E:\%' OR "TargetFilename" ILIKE 'F:\%' OR "TargetFilename" ILIKE 'G:\%')
    AND qid IN (SELECT qid FROM QID WHERE name ILIKE '%sysmon event 11%' OR name ILIKE '%file create%')
  )
GROUP BY "Computer", username, "TargetFilename"
HAVING COUNT(*) > 20
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL query flagging bursts of file-create events targeting non-system drive letters (D:-G:), indicative of bulk data copy to removable media. Intended to be correlated with a separate USB device arrival rule/offense in QRadar's rule engine for full T1052.001 coverage.

Data Sources

Sysmon via Windows Event ForwardingWindows Security Event Log

Required Tables

events

False Positives & Tuning

  • IT provisioning and imaging workflows writing many files to removable or externally-mounted drives
  • Backup software configured to target external drive letters on a schedule
  • Drive letters D:-G: mapped to network shares or VM shared folders rather than physical removable media

Other platforms for THREAT-Exfil-USBRemovableMedia


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Bulk File Copy to Removable Drive via PowerShell

    Expected signal: Sysmon Event ID 11: 30 FileCreate events with TargetFilename under E:\ within a few seconds. Windows Event ID 2003/2100 (or DeviceEvents UsbDriveMounted) showing the E: volume was previously connected. DeviceFileEvents recording each file write with FileSize and InitiatingProcessAccountName.

  2. Test 2Large Single-File Archive Copy to USB Drive

    Expected signal: Sysmon Event ID 11: FileCreate for E:\archive_test.zip with FileSize ~60MB. DeviceFileEvents recording a single file write exceeding the 50MB threshold.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfil-USBRemovableMedia — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.