Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-USB-AirGapBridging.
Upgrade to ProAir-Gap Bridging Exfiltration via Shared USB Media
Adversaries targeting air-gapped or network-segmented environments (ICS/OT, classified enclaves, isolated research networks) cannot rely on a network-based C2 channel to move stolen data off the isolated segment. Instead, malware families such as Agent.btz (the 2008 'Buckshot Yankee' incident), APT28's USBStealer, Machete, and Tropic Trooper's USBferry write themselves and staged data to removable media, then rely on a human or an automated routine to carry that same physical device to a network-connected host where the data is uploaded to the adversary. The defining artifact of this technique is not a single suspicious file, but a single USB device — identifiable by its device serial number — appearing on two or more hosts within a short window, especially when at least one of those hosts sits in an isolated or restricted network segment. A secondary artifact is the drop of a hidden collector/beacon file at the removable volume's root, historically a file literally named thumb.dd in the Agent.btz case, or an autorun.inf-based launcher in older variants.
What is THREAT-USB-AirGapBridging Air-Gap Bridging Exfiltration via Shared USB Media?
Air-Gap Bridging Exfiltration via Shared USB Media (THREAT-USB-AirGapBridging) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.
This page provides production-ready detection logic for Air-Gap Bridging Exfiltration via Shared USB Media, covering the data sources and telemetry it touches: Drive: Drive Creation, File: File Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Exfiltration
// Signal 1: the same physical USB storage device (identified by the device serial
// embedded in its PnP DeviceId) connects to two or more distinct hosts within 72 hours
let SameSerialMultiHost = DeviceEvents
| where Timestamp > ago(72h)
| where ActionType == "PnpDeviceConnected"
| where AdditionalFields has "USB"
| extend DeviceIdField = tostring(parse_json(AdditionalFields).DeviceId)
| extend DeviceClass = tostring(parse_json(AdditionalFields).ClassName)
| where DeviceClass in~ ("DiskDrive", "USBSTOR", "USB") or DeviceIdField has "USBSTOR"
| extend USBSerial = tostring(split(DeviceIdField, "\\")[-1])
| where isnotempty(USBSerial) and USBSerial != "0"
| summarize ConnectedHosts = make_set(DeviceName), HostCount = dcount(DeviceName),
FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
by USBSerial
| where HostCount >= 2
| mv-expand ConnectedHosts to typeof(string);
// Signal 2: a hidden collector/launcher artifact written to the removable volume root —
// thumb.dd is the documented Agent.btz artifact name; autorun.inf covers older
// auto-execution variants (USBStealer, Machete, USBferry)
let HiddenDropperArtifact = DeviceFileEvents
| where Timestamp > ago(72h)
| where ActionType == "FileCreated"
| where FileName in~ ("thumb.dd", "autorun.inf")
| where FolderPath matches regex @"^[D-Z]:\\$"
| project DeviceName, ArtifactTime = Timestamp, FileName, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine;
// High-confidence: the shared-serial device also produced a hidden root artifact
// on at least one of the hosts it connected to
let CorrelatedBridging = SameSerialMultiHost
| join kind=inner (HiddenDropperArtifact) on $left.ConnectedHosts == $right.DeviceName
| extend Signal = "SharedUSBWithHiddenArtifact", RiskScore = 90
| project USBSerial, HostCount, ConnectedHosts, FirstSeen, LastSeen, ArtifactTime, FileName, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine, Signal, RiskScore;
// Lower-confidence standalone signal: the same device on 3+ distinct hosts is
// unusual even without an observed hidden-file drop and warrants review
let MultiHostOnly = SameSerialMultiHost
| where HostCount >= 3
| extend Signal = "SameUSBAcrossThreeOrMoreHosts", RiskScore = 65
| extend ArtifactTime = LastSeen, FileName = "", FolderPath = "",
InitiatingProcessFileName = "", InitiatingProcessCommandLine = ""
| project USBSerial, HostCount, ConnectedHosts, FirstSeen, LastSeen, ArtifactTime, FileName, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine, Signal, RiskScore;
union CorrelatedBridging, MultiHostOnly
| sort by RiskScore desc, HostCount desc Two-signal detection for air-gap bridging via shared USB media. The high-confidence signal correlates a single USB device (identified via the serial number embedded in its PnP DeviceId) connecting to two or more distinct hosts within 72 hours with a hidden root-level artifact drop (thumb.dd, autorun.inf) on at least one of those hosts — the documented Agent.btz/USBStealer/USBferry pattern for hopping across disconnected network segments. A lower-confidence standalone signal flags any USB device seen on three or more distinct hosts in the window even without an observed artifact drop, since this frequency is unusual for a personal device and warrants review in restricted environments.
Data Sources
Required Tables
False Positives
- IT-issued USB drives used for legitimate imaging, patching, or software deployment across multiple workstations by desktop support staff
- Shared USB drives used for sneakernet transfer of approved files between network segments as part of a documented, low-frequency business process
- USB backup drives rotated across multiple servers by backup administrators as part of a scheduled backup rotation
- Legacy or third-party hardware (printers, badge readers, kiosks) that legitimately ship an autorun.inf on their installer media
Sigma rule & cross-platform mapping
The detection logic for Air-Gap Bridging Exfiltration via Shared USB Media (THREAT-USB-AirGapBridging) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-USB-AirGapBridging
References (6)
- https://attack.mitre.org/techniques/T1052/001/
- https://www.wired.com/2010/08/insider-threat-2/
- https://www.cisa.gov/news-events/cybersecurity-advisories
- https://attack.mitre.org/software/S0092/
- https://attack.mitre.org/software/S0136/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1052.001/T1052.001.md
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Hidden Collector Artifact Drop at Removable Volume Root
Expected signal: Sysmon Event ID 11: File Create for '<DriveLetter>:\thumb.dd' at the volume root. Sysmon Event ID 2 (if configured) or file attribute change events for the subsequent hidden/system attribute application.
- Test 2Simulate Same USB Serial Connecting to Multiple Hosts
Expected signal: DeviceEvents ActionType=PnpDeviceConnected on both Host A and Host B with an AdditionalFields.DeviceId sharing the same terminal serial-number segment.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-USB-AirGapBridging — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (1)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.