Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-USB-AirGapBridging.
Upgrade to ProDetect Air-Gap Bridging Exfiltration via Shared USB Media in IBM QRadar
Adversaries targeting air-gapped or network-segmented environments (ICS/OT, classified enclaves, isolated research networks) cannot rely on a network-based C2 channel to move stolen data off the isolated segment. Instead, malware families such as Agent.btz (the 2008 'Buckshot Yankee' incident), APT28's USBStealer, Machete, and Tropic Trooper's USBferry write themselves and staged data to removable media, then rely on a human or an automated routine to carry that same physical device to a network-connected host where the data is uploaded to the adversary. The defining artifact of this technique is not a single suspicious file, but a single USB device — identifiable by its device serial number — appearing on two or more hosts within a short window, especially when at least one of those hosts sits in an isolated or restricted network segment. A secondary artifact is the drop of a hidden collector/beacon file at the removable volume's root, historically a file literally named thumb.dd in the Agent.btz case, or an autorun.inf-based launcher in older variants.
MITRE ATT&CK
- Tactic
- Exfiltration
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
hostname as Hostname, "SerialNumber" as USBSerial, "TargetFilename" as Artifact,
COUNT(DISTINCT hostname) as HostCount
FROM events
WHERE ("TargetFilename" ILIKE '%thumb.dd' OR "TargetFilename" ILIKE '%autorun.inf'
OR LOGSOURCETYPENAME(logsourceid) = 'Sysmon')
AND devicetime > (NOW() - 259200000)
GROUP BY hostname, "SerialNumber", "TargetFilename", devicetime
HAVING HostCount >= 2 OR "TargetFilename" IS NOT NULL
ORDER BY HostCount DESC QRadar AQL query for detecting shared USB device serial numbers appearing across multiple hosts within a 72-hour window, combined with detection of the known Agent.btz-family hidden artifact filenames (thumb.dd, autorun.inf) at a removable volume root.
Data Sources
Required Tables
False Positives & Tuning
- IT-managed shared imaging or backup rotation USB drives
- Legacy hardware installer media shipping autorun.inf
Other platforms for THREAT-USB-AirGapBridging
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Hidden Collector Artifact Drop at Removable Volume Root
Expected signal: Sysmon Event ID 11: File Create for '<DriveLetter>:\thumb.dd' at the volume root. Sysmon Event ID 2 (if configured) or file attribute change events for the subsequent hidden/system attribute application.
- Test 2Simulate Same USB Serial Connecting to Multiple Hosts
Expected signal: DeviceEvents ActionType=PnpDeviceConnected on both Host A and Host B with an AdditionalFields.DeviceId sharing the same terminal serial-number segment.
References (6)
- https://attack.mitre.org/techniques/T1052/001/
- https://www.wired.com/2010/08/insider-threat-2/
- https://www.cisa.gov/news-events/cybersecurity-advisories
- https://attack.mitre.org/software/S0092/
- https://attack.mitre.org/software/S0136/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1052.001/T1052.001.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-USB-AirGapBridging — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (1)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.