Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-USB-AirGapBridging.

Upgrade to Pro
THREAT-USB-AirGapBridging

Air-Gap Bridging Exfiltration via Shared USB Media

Exfiltration Last updated:

Adversaries targeting air-gapped or network-segmented environments (ICS/OT, classified enclaves, isolated research networks) cannot rely on a network-based C2 channel to move stolen data off the isolated segment. Instead, malware families such as Agent.btz (the 2008 'Buckshot Yankee' incident), APT28's USBStealer, Machete, and Tropic Trooper's USBferry write themselves and staged data to removable media, then rely on a human or an automated routine to carry that same physical device to a network-connected host where the data is uploaded to the adversary. The defining artifact of this technique is not a single suspicious file, but a single USB device — identifiable by its device serial number — appearing on two or more hosts within a short window, especially when at least one of those hosts sits in an isolated or restricted network segment. A secondary artifact is the drop of a hidden collector/beacon file at the removable volume's root, historically a file literally named thumb.dd in the Agent.btz case, or an autorun.inf-based launcher in older variants.

What is THREAT-USB-AirGapBridging Air-Gap Bridging Exfiltration via Shared USB Media?

Air-Gap Bridging Exfiltration via Shared USB Media (THREAT-USB-AirGapBridging) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Air-Gap Bridging Exfiltration via Shared USB Media, covering the data sources and telemetry it touches: Drive: Drive Creation, File: File Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
// Signal 1: the same physical USB storage device (identified by the device serial
// embedded in its PnP DeviceId) connects to two or more distinct hosts within 72 hours
let SameSerialMultiHost = DeviceEvents
| where Timestamp > ago(72h)
| where ActionType == "PnpDeviceConnected"
| where AdditionalFields has "USB"
| extend DeviceIdField = tostring(parse_json(AdditionalFields).DeviceId)
| extend DeviceClass = tostring(parse_json(AdditionalFields).ClassName)
| where DeviceClass in~ ("DiskDrive", "USBSTOR", "USB") or DeviceIdField has "USBSTOR"
| extend USBSerial = tostring(split(DeviceIdField, "\\")[-1])
| where isnotempty(USBSerial) and USBSerial != "0"
| summarize ConnectedHosts = make_set(DeviceName), HostCount = dcount(DeviceName),
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
  by USBSerial
| where HostCount >= 2
| mv-expand ConnectedHosts to typeof(string);
// Signal 2: a hidden collector/launcher artifact written to the removable volume root —
// thumb.dd is the documented Agent.btz artifact name; autorun.inf covers older
// auto-execution variants (USBStealer, Machete, USBferry)
let HiddenDropperArtifact = DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated"
| where FileName in~ ("thumb.dd", "autorun.inf")
| where FolderPath matches regex @"^[D-Z]:\\$"
| project DeviceName, ArtifactTime = Timestamp, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine;
// High-confidence: the shared-serial device also produced a hidden root artifact
// on at least one of the hosts it connected to
let CorrelatedBridging = SameSerialMultiHost
| join kind=inner (HiddenDropperArtifact) on $left.ConnectedHosts == $right.DeviceName
| extend Signal = "SharedUSBWithHiddenArtifact", RiskScore = 90
| project USBSerial, HostCount, ConnectedHosts, FirstSeen, LastSeen, ArtifactTime, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, Signal, RiskScore;
// Lower-confidence standalone signal: the same device on 3+ distinct hosts is
// unusual even without an observed hidden-file drop and warrants review
let MultiHostOnly = SameSerialMultiHost
| where HostCount >= 3
| extend Signal = "SameUSBAcrossThreeOrMoreHosts", RiskScore = 65
| extend ArtifactTime = LastSeen, FileName = "", FolderPath = "",
    InitiatingProcessFileName = "", InitiatingProcessCommandLine = ""
| project USBSerial, HostCount, ConnectedHosts, FirstSeen, LastSeen, ArtifactTime, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, Signal, RiskScore;
union CorrelatedBridging, MultiHostOnly
| sort by RiskScore desc, HostCount desc

Two-signal detection for air-gap bridging via shared USB media. The high-confidence signal correlates a single USB device (identified via the serial number embedded in its PnP DeviceId) connecting to two or more distinct hosts within 72 hours with a hidden root-level artifact drop (thumb.dd, autorun.inf) on at least one of those hosts — the documented Agent.btz/USBStealer/USBferry pattern for hopping across disconnected network segments. A lower-confidence standalone signal flags any USB device seen on three or more distinct hosts in the window even without an observed artifact drop, since this frequency is unusual for a personal device and warrants review in restricted environments.

high severity medium confidence

Data Sources

Drive: Drive Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceFileEvents

False Positives

  • IT-issued USB drives used for legitimate imaging, patching, or software deployment across multiple workstations by desktop support staff
  • Shared USB drives used for sneakernet transfer of approved files between network segments as part of a documented, low-frequency business process
  • USB backup drives rotated across multiple servers by backup administrators as part of a scheduled backup rotation
  • Legacy or third-party hardware (printers, badge readers, kiosks) that legitimately ship an autorun.inf on their installer media

Sigma rule & cross-platform mapping

The detection logic for Air-Gap Bridging Exfiltration via Shared USB Media (THREAT-USB-AirGapBridging) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Hidden Collector Artifact Drop at Removable Volume Root

    Expected signal: Sysmon Event ID 11: File Create for '<DriveLetter>:\thumb.dd' at the volume root. Sysmon Event ID 2 (if configured) or file attribute change events for the subsequent hidden/system attribute application.

  2. Test 2Simulate Same USB Serial Connecting to Multiple Hosts

    Expected signal: DeviceEvents ActionType=PnpDeviceConnected on both Host A and Host B with an AdditionalFields.DeviceId sharing the same terminal serial-number segment.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-USB-AirGapBridging — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.