Keypoints
- Adversaries inspect connected removable media to find valuable files quickly.
- Collection can use interactive shells, built-in OS tools, or remote access tools.
- Automated scripts or scheduled jobs may scan and copy files from media.
- Detect by monitoring command-line arguments, process behavior, and file I/O.
- Prevention and response require endpoint controls, device restrictions, and logging.
Description:
- Like a thief rifling through a traveler's suitcase at an airport, attackers browse connected USB drives or discs on a compromised machine to find anything worth taking.
- Attackers locate and copy files from removable media using interactive shells, built-in OS utilities (PowerShell, WMI, cmd.exe, bash), or automated tools, then stage the data for later exfiltration. This allows rapid harvesting of credentials, documents, and intellectual property. It matters because the reads happen locally on the endpoint, so network-only detection never sees them, and the collection can occur before broader data discovery or before the device is unplugged.
Detection:
- Log and alert on process launches that access removable-media mount points (e.g., non-system drive letters on Windows, /media, /mnt, or /run/media on Linux, /Volumes on macOS).
- Monitor the command-line arguments of cmd.exe, PowerShell, wmic, bash, and remote administration agents for references to removable volumes, or for file-copy and archive commands (copy, xcopy, robocopy, cp, rsync, tar) whose source is a removable volume.
- Instrument file-access logging to detect bulk reads or unusual file-open patterns on removable devices: auditd watch rules on the mount point on Linux, Windows File System auditing with a SACL on the volume (Event ID 4663), and the Endpoint Security framework on macOS (FSEvents reports only directory changes, not reads, so it is not sufficient on its own).
- Inspect remote access tool telemetry for API calls that query volume information (GetLogicalDrives, GetDriveType, GetVolumeInformation) or enumerate files (FindFirstFile/FindNextFile) on removable media.
- Use endpoint detection tools to flag high-volume file reads followed by compression or staging activity in temporary directories.
- Watch for creation of archives or containers (ZIP, RAR, 7z) immediately after removable media access as an indicator of collection for exfiltration.
- Mitigate false positives by baselining normal removable-media usage per user or host and tuning alerts for deviations; combine file-access, process, and network indicators for reliable detection.
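As an added example (not part of the ATT&CK page or of any cited report), the Python below runs the command-line and file-access checks from the Detection list over constructed process-execution and file-access events. The mount-point patterns, the tool list, the event field names, and the "10 reads on a removable volume within 5 minutes followed by an archive in a staging directory" threshold are illustrative assumptions, not vendor rules.

```python
"""Triage of process-execution and file-access events for collection from
removable media.  All events in this file are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Removable-media mount points (assumption: default OS layouts).  Windows: any
# non-system drive letter; Linux: udisks/manual mounts; macOS: /Volumes.
REMOVABLE_PATH = re.compile(r"(?i)\b[d-z]:\\|/(?:media|mnt|run/media)/|/Volumes/")
# Copy, listing and archive tools commonly seen next to removable-media paths.
COLLECTION_TOOL = re.compile(
    r"(?i)\b(?:copy|xcopy|robocopy|cp|rsync|dir|ls|find|Get-ChildItem|gci|"
    r"Copy-Item|Compress-Archive|tar|zip|7z|rar)\b"
)
# Removable-drive enumeration; WMI DriveType=2 means "Removable Disk".
DRIVE_ENUM = re.compile(
    r"(?i)drivetype\s*=\s*2|Win32_LogicalDisk|GetLogicalDrives|GetDriveType|"
    r"\blsblk\b|diskutil\s+list"
)
ARCHIVE_EXT = re.compile(r"(?i)\.(?:zip|rar|7z|tar|gz|tgz)$")
STAGING_DIR = re.compile(r"(?i)\\Temp\\|/tmp/|/var/tmp/")

PROCESS_EVENTS = [  # constructed; shape loosely follows Sysmon Event ID 1 / auditd EXECVE
    {"ts": "2024-05-01T09:00:01", "host": "ws01", "user": "alice",
     "cmdline": r"xcopy E:\Projects\*.docx C:\Users\alice\AppData\Local\Temp\st /s /h"},
    {"ts": "2024-05-01T09:00:05", "host": "ws01", "user": "alice",
     "cmdline": r'powershell -nop -c "Get-ChildItem E:\ -Recurse -Include *.xlsx | Copy-Item -Destination $env:TEMP"'},
    {"ts": "2024-05-01T09:04:30", "host": "lx02", "user": "bob",
     "cmdline": "tar czf /tmp/.x.tgz /media/bob/USB_DISK/finance"},
    {"ts": "2024-05-01T09:10:00", "host": "ws01", "user": "alice",
     "cmdline": "wmic logicaldisk where drivetype=2 get deviceid,volumename"},
    {"ts": "2024-05-01T09:12:00", "host": "ws01", "user": "alice",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},   # benign: system drive only
    {"ts": "2024-05-01T09:13:00", "host": "lx02", "user": "bob",
     "cmdline": "ls -la /home/bob"},                        # benign: listing tool, no removable path
]


def _t(hms):
    return "2024-05-01T" + hms


FILE_EVENTS = (  # constructed file-access records: open/create with a path
    [{"ts": _t(f"09:05:{i:02d}"), "host": "lx02", "user": "bob", "op": "open",
      "path": f"/media/bob/USB_DISK/finance/q{i}.xlsx"} for i in range(15)]
    + [{"ts": _t("09:05:40"), "host": "lx02", "user": "bob", "op": "create",
        "path": "/tmp/.x.tgz"}]
    + [{"ts": _t(f"10:10:{i:02d}"), "host": "ws01", "user": "alice", "op": "open",
        "path": f"E:\\Photos\\img{i}.jpg"} for i in range(3)]   # 3 reads: below threshold
    + [{"ts": _t("10:10:30"), "host": "ws01", "user": "alice", "op": "create",
        "path": r"C:\Users\alice\AppData\Local\Temp\photos.zip"}]
)


def classify_process_event(ev):
    """Return the reasons (possibly none) a process event looks like removable-media collection."""
    cmd = ev["cmdline"]
    reasons = []
    touches_media = REMOVABLE_PATH.search(cmd) is not None
    if touches_media and COLLECTION_TOOL.search(cmd):
        reasons.append("collection tool references removable mount point")
    if DRIVE_ENUM.search(cmd):
        reasons.append("enumeration of removable drives")
    if touches_media and any(ARCHIVE_EXT.search(tok) for tok in cmd.split()):
        reasons.append("archive written while referencing removable media")
    return reasons


def detect_bulk_read_then_archive(events, min_reads=10, window=timedelta(minutes=5)):
    """Flag (host, user) pairs that open >= min_reads files on removable media and then
    create an archive in a staging directory within `window`.  Events are sorted by ts."""
    recent_reads = defaultdict(list)  # (host, user) -> timestamps of removable-media opens
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, ts = (ev["host"], ev["user"]), datetime.fromisoformat(ev["ts"])
        recent_reads[key] = [t for t in recent_reads[key] if ts - t <= window]
        if ev["op"] == "open" and REMOVABLE_PATH.search(ev["path"]):
            recent_reads[key].append(ts)
        elif (ev["op"] == "create" and ARCHIVE_EXT.search(ev["path"])
              and STAGING_DIR.search(ev["path"]) and len(recent_reads[key]) >= min_reads):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "reads": len(recent_reads[key]), "archive": ev["path"]})
    return findings


def triage(process_events, file_events):
    """Combine both detectors into one alert list."""
    alerts = [{"type": "process", "host": e["host"], "user": e["user"],
               "cmdline": e["cmdline"], "reasons": r}
              for e in process_events if (r := classify_process_event(e))]
    alerts += [{"type": "file", **f} for f in detect_bulk_read_then_archive(file_events)]
    return alerts


if __name__ == "__main__":
    for alert in triage(PROCESS_EVENTS, FILE_EVENTS):
        print(alert)
```

The drive-letter pattern also matches mapped network shares and secondary fixed disks, so in production the process rule should be joined to device-connect telemetry (a USB mass-storage arrival for that host shortly before) and the read threshold tuned against the per-host baseline described above; the two detectors are kept separate so each can be tuned, then correlated on (host, user) as the final bullet recommends.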
Tactics:
Collection
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, File: File Access
Relationship Citations:
(Citation: Kaspersky TajMahal April 2019), (Citation: ESET InvisiMole June 2020), (Citation: Talos Oblique RAT March 2021), (Citation: Palo Alto Gamaredon Feb 2017), (Citation: Symantec Waterbug Jun 2019), (Citation: ESET EvasivePanda 2023), (Citation: Malwarebytes Kimsuky June 2021), (Citation: F-Secure Cosmicduke), (Citation: ESET Turla PowerShell May 2019), (Citation: ESET Crutch December 2020), (Citation: Palo Alto Rover), (Citation: Kaspersky Transparent Tribe August 2020), (Citation: ESET Operation Groundbait), (Citation: ESET Machete July 2019), (Citation: Cylance Machete Mar 2017), (Citation: Talos GravityRAT), (Citation: ESET Gamaredon June 2020), (Citation: Kaspersky ProjectSauron Technical Analysis), (Citation: Microsoft SIR Vol 19), (Citation: Bitdefender FunnyDream Campaign November 2020), (Citation: Eset Ramsay May 2020), (Citation: CheckPoint Volatile Cedar March 2015), (Citation: TrendMicro Patchwork Dec 2017), (Citation: Symantec Crambus OCT 2023), (Citation: FireEye APT30), (Citation: CheckPoint Naikon May 2020), (Citation: ESET Sednit USBStealer 2014), (Citation: Kaspersky Sofacy), (Citation: KISA Operation Muzabi), (Citation: Proofpoint Operation Transparent Tribe March 2016)
Read More: https://attack.mitre.org/techniques/T1025