Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-USB-AirGapBridging.

Upgrade to Pro
THREAT-USB-AirGapBridging Elastic Security · Elastic

Detect Air-Gap Bridging Exfiltration via Shared USB Media in Elastic Security

Adversaries targeting air-gapped or network-segmented environments (ICS/OT, classified enclaves, isolated research networks) cannot rely on a network-based C2 channel to move stolen data off the isolated segment. Instead, malware families such as Agent.btz (the 2008 'Buckshot Yankee' incident), APT28's USBStealer, Machete, and Tropic Trooper's USBferry write themselves and staged data to removable media, then rely on a human or an automated routine to carry that same physical device to a network-connected host where the data is uploaded to the adversary. The defining artifact of this technique is not a single suspicious file, but a single USB device — identifiable by its device serial number — appearing on two or more hosts within a short window, especially when at least one of those hosts sits in an isolated or restricted network segment. A secondary artifact is the drop of a hidden collector/beacon file at the removable volume's root, historically a file literally named thumb.dd in the Agent.btz case, or an autorun.inf-based launcher in older variants.

MITRE ATT&CK

Tactic
Exfiltration

Elastic Detection Query

Elastic Security (Elastic)
eql
file where event.type == "creation" and
  file.name : ("thumb.dd", "autorun.inf") and
  file.path : ("D:\\*", "E:\\*", "F:\\*", "G:\\*") and
  not file.path : ("*\\*\\*")

/* Companion rule (run separately, requires host-correlation post-processing):
   any where event.category == "driver" and event.action == "device-connected" and
   device.type == "USB" */
high severity medium confidence

Detects the hidden collector artifact (thumb.dd, autorun.inf) written directly at a removable volume root — the primary on-device IOC for Agent.btz-family air-gap bridging malware. The companion PnP device-connection rule (commented) should be correlated post-hoc across hosts by device serial number to identify the same physical media appearing in multiple locations.

Data Sources

Elastic Endpoint SecurityElastic Agent (Endpoint Integration)

Required Tables

logs-endpoint.events.file-*

False Positives & Tuning

  • Legacy hardware installer media that legitimately ships an autorun.inf file
  • IT imaging or patch-deployment USB drives reused across multiple hosts as part of documented maintenance

Other platforms for THREAT-USB-AirGapBridging


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Hidden Collector Artifact Drop at Removable Volume Root

    Expected signal: Sysmon Event ID 11: File Create for '<DriveLetter>:\thumb.dd' at the volume root. Sysmon Event ID 2 (if configured) or file attribute change events for the subsequent hidden/system attribute application.

  2. Test 2Simulate Same USB Serial Connecting to Multiple Hosts

    Expected signal: DeviceEvents ActionType=PnpDeviceConnected on both Host A and Host B with an AdditionalFields.DeviceId sharing the same terminal serial-number segment.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-USB-AirGapBridging — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.