Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfil-USBRemovableMedia.
Upgrade to ProDetect Data Exfiltration via USB Removable Media in Splunk
Adversaries and malicious insiders may copy sensitive files to a USB removable drive to exfiltrate data outside of network-monitored channels, bypassing DLP and network-based egress controls entirely. This is especially relevant in air-gapped or high-security environments where physical media is the only viable exfiltration path. Detection combines removable-storage device arrival events with high-volume file-copy activity from sensitive directories to the newly mounted volume within a short window.
MITRE ATT&CK
- Tactic
- Exfiltration
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational" EventCode=2003
| eval ArrivalTime=_time
| table Computer, ArrivalTime
| join type=inner Computer
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
(TargetFilename="D:\\*" OR TargetFilename="E:\\*" OR TargetFilename="F:\\*" OR TargetFilename="G:\\*")
| bin _time span=5m
| stats count as FileCount, values(TargetFilename) as Files, dc(TargetFilename) as UniqueFiles by Computer, User, _time
| where FileCount > 20
| rename _time as CopyTime ]
| where CopyTime >= ArrivalTime AND CopyTime <= ArrivalTime + 1800
| table ArrivalTime, CopyTime, Computer, User, FileCount, Files
| sort - CopyTime Correlates Windows DriverFrameworks-UserMode Event ID 2003 (removable device arrival) with Sysmon Event ID 11 (FileCreate) targeting non-system drive letters (D:-G:) within a 30-minute window of the arrival, flagging bursts of more than 20 file writes as bulk copy activity indicative of USB exfiltration staging.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized offline backup procedures using company-issued encrypted USB drives
- IT provisioning and imaging workflows that copy large numbers of files to removable media
- Users on drive letters D:-G: that are actually mapped network shares or virtual machine shared folders rather than physical USB media — validate with device class before alerting
Other platforms for THREAT-Exfil-USBRemovableMedia
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk File Copy to Removable Drive via PowerShell
Expected signal: Sysmon Event ID 11: 30 FileCreate events with TargetFilename under E:\ within a few seconds. Windows Event ID 2003/2100 (or DeviceEvents UsbDriveMounted) showing the E: volume was previously connected. DeviceFileEvents recording each file write with FileSize and InitiatingProcessAccountName.
- Test 2Large Single-File Archive Copy to USB Drive
Expected signal: Sysmon Event ID 11: FileCreate for E:\archive_test.zip with FileSize ~60MB. DeviceFileEvents recording a single file write exceeding the 50MB threshold.
References (5)
- https://attack.mitre.org/techniques/T1052/001/
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control
- https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-to-go-faq
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1052.001/T1052.001.md
- https://www.sans.org/white-papers/usb-exfiltration/
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Exfil-USBRemovableMedia — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (1)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.