Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-USB-AirGapBridging.

Upgrade to Pro
THREAT-USB-AirGapBridging IBM QRadar · QRadar

Detect Air-Gap Bridging Exfiltration via Shared USB Media in IBM QRadar

Adversaries targeting air-gapped or network-segmented environments (ICS/OT, classified enclaves, isolated research networks) cannot rely on a network-based C2 channel to move stolen data off the isolated segment. Instead, malware families such as Agent.btz (the 2008 'Buckshot Yankee' incident), APT28's USBStealer, Machete, and Tropic Trooper's USBferry write themselves and staged data to removable media, then rely on a human or an automated routine to carry that same physical device to a network-connected host where the data is uploaded to the adversary. The defining artifact of this technique is not a single suspicious file, but a single USB device — identifiable by its device serial number — appearing on two or more hosts within a short window, especially when at least one of those hosts sits in an isolated or restricted network segment. A secondary artifact is the drop of a hidden collector/beacon file at the removable volume's root, historically a file literally named thumb.dd in the Agent.btz case, or an autorun.inf-based launcher in older variants.

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  hostname as Hostname, "SerialNumber" as USBSerial, "TargetFilename" as Artifact,
  COUNT(DISTINCT hostname) as HostCount
FROM events
WHERE ("TargetFilename" ILIKE '%thumb.dd' OR "TargetFilename" ILIKE '%autorun.inf'
       OR LOGSOURCETYPENAME(logsourceid) = 'Sysmon')
  AND devicetime > (NOW() - 259200000)
GROUP BY hostname, "SerialNumber", "TargetFilename", devicetime
HAVING HostCount >= 2 OR "TargetFilename" IS NOT NULL
ORDER BY HostCount DESC
high severity medium confidence

QRadar AQL query for detecting shared USB device serial numbers appearing across multiple hosts within a 72-hour window, combined with detection of the known Agent.btz-family hidden artifact filenames (thumb.dd, autorun.inf) at a removable volume root.

Data Sources

Windows Sysmon Events via WinCollectWindows Security Event Log (Event ID 6416) via WinCollect

Required Tables

events

False Positives & Tuning

  • IT-managed shared imaging or backup rotation USB drives
  • Legacy hardware installer media shipping autorun.inf

Other platforms for THREAT-USB-AirGapBridging


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Hidden Collector Artifact Drop at Removable Volume Root

    Expected signal: Sysmon Event ID 11: File Create for '<DriveLetter>:\thumb.dd' at the volume root. Sysmon Event ID 2 (if configured) or file attribute change events for the subsequent hidden/system attribute application.

  2. Test 2Simulate Same USB Serial Connecting to Multiple Hosts

    Expected signal: DeviceEvents ActionType=PnpDeviceConnected on both Host A and Host B with an AdditionalFields.DeviceId sharing the same terminal serial-number segment.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-USB-AirGapBridging — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.