title: Data from Removable Media (T1025)
id: df00tech-t1025
status: experimental
description: "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to exfiltration. Threat actors including APT28, Gamaredon Group, and OilRig have leveraged this technique. Malware families such as USBStealer, GravityRAT, Rover, Crimson, Crutch, and BADNEWS implement automated USB harvesting — copying files matching predefined extension lists (documents, credentials, archives) to staging directories for later exfiltration."
references:
  - https://attack.mitre.org/techniques/T1025/
  - https://df00tech.com/detections/T1025
author: df00tech
date: 2026/04/13
tags:
  - attack.t1025
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the df00tech detection logic could not be auto-translated to Sigma; see the KQL/SPL query on df00tech.
  # As written, this selection matches every process_creation event and would fire constantly at level high; replace it before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate backup software (Acronis, Veeam, Windows Backup) reading files from external USB drives or backup volumes assigned non-C: drive letters"
  - "Software developers or IT staff intentionally copying project files from USB drives for deployment or archiving"
  - "CD/DVD optical drives assigned D: or E: letters accessed for legitimate software installation or media playback"
  - "Secondary internal hard drives or partitions assigned drive letters in the D-Z range during normal file access or synchronization"
  - "Automated DLP (Data Loss Prevention) agents that perform file scanning on all connected drives as part of policy enforcement"
level: high
