Behavioral sequence in which removable media is mounted and files are written or updated on one host, then read or executed from the same media on a separate host, suggesting relay communication through removable media.
| Data Component | Name | Channel |
|---|---|---|
| Drive Creation (DC0042) | WinEventLog:Microsoft-Windows-Partition/Diagnostic | EventCode=1006 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| RemovableDriveLetter | Adjust drive letters used in detection (e.g., E:, F:, G:) depending on enterprise usage. |
| WriteToReadTimeWindow | Tunable window for file write on one host followed by file read or execution on another (e.g., within 10 minutes). |
| FileNamePattern | Common naming schemes for payload, tasking, or exfil files (e.g., task.txt, beacon.log, data.bin). |
Detection of file writes into USB mount directories (e.g., /media/, /run/media/) followed by a read or execution of the same file on another host.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | write/open, FIM audit |
| Drive Creation (DC0042) | auditd:SYSCALL | Removable media mount notification |
| Field | Description |
|---|---|
| MountPathPattern | Typical mount paths to monitor (e.g., /media/usb*, /run/media/username/*). |
| TimeWindowBetweenHosts | Tunable detection window to correlate read/write between different hosts within a short interval (e.g., <15m). |
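The Windows and Linux analytics above describe the same correlation: a write to removable media on one host, then a read or execution of a file of the same name from removable media on a different host inside a tunable window. The following is an added example of that join, written for this page and not ATT&CK or vendor code. It runs over constructed, already-normalized events; the `Event` schema, the mapping of Sysmon EID 11 / EID 1 and auditd write/open/execve records onto `file_write` / `file_access`, and the sample hosts and paths are assumptions of the example. The tunables mirror RemovableDriveLetter, MountPathPattern, WriteToReadTimeWindow / TimeWindowBetweenHosts and FileNamePattern from the tables.

```python
# Added example: cross-host removable-media relay correlation over constructed,
# pre-normalized events. Not ATT&CK or vendor code; the Event schema and the
# normalization from Sysmon EID 11 / EID 1 and auditd records are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables named in the mutable-elements tables above.
REMOVABLE_DRIVE_LETTERS = ("E:", "F:", "G:")                    # RemovableDriveLetter
MOUNT_PATH_PATTERNS = (r"^/media/", r"^/run/media/[^/]+/")      # MountPathPattern
WRITE_TO_READ_WINDOW = timedelta(minutes=10)                   # WriteToReadTimeWindow / TimeWindowBetweenHosts
FILE_NAME_PATTERN = re.compile(r"^(task|tasking|beacon|data)\.(txt|log|bin)$", re.I)  # FileNamePattern


@dataclass(frozen=True)
class Event:
    host: str
    ts: datetime
    kind: str   # "file_write": Sysmon EID 11 / auditd write; "file_access": Sysmon EID 1 Image / auditd open or execve
    path: str   # TargetFilename or Image on Windows, audit "name" on Linux
    image: str  # process that performed the write or access


def _normalize(path: str) -> str:
    return path.replace("\\", "/")


def on_removable_media(path: str) -> bool:
    """True if the path sits on a removable drive letter or a USB mount path."""
    p = _normalize(path)
    if p[:2].upper() in REMOVABLE_DRIVE_LETTERS:
        return True
    return any(re.match(pat, p) for pat in MOUNT_PATH_PATTERNS)


def file_name(path: str) -> str:
    return _normalize(path).rsplit("/", 1)[-1].lower()


def find_relays(events, window=WRITE_TO_READ_WINDOW, name_pattern=FILE_NAME_PATTERN):
    """Pair each removable-media write on one host with a read/execution of a
    file of the same name on a different host within `window`.

    Matching is by file name only: the same stick gets a different drive letter
    or mount point on each host, so full paths cannot be compared.
    """
    writes = [e for e in events if e.kind == "file_write" and on_removable_media(e.path)]
    accesses = [e for e in events if e.kind == "file_access" and on_removable_media(e.path)]
    hits = []
    for w in writes:
        if name_pattern and not name_pattern.search(file_name(w.path)):
            continue
        for a in accesses:
            if a.host == w.host or file_name(a.path) != file_name(w.path):
                continue
            if timedelta(0) <= a.ts - w.ts <= window:
                hits.append((w, a))
    return hits


T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    Event("WS01",  T0,                          "file_write",  r"E:\task.txt",                  "explorer.exe"),
    Event("WS01",  T0 + timedelta(seconds=5),   "file_write",  r"C:\Users\bob\task.txt",        "notepad.exe"),      # not removable
    Event("WS01",  T0 + timedelta(minutes=1),   "file_access", r"E:\task.txt",                  "cmd.exe"),          # same host: not a relay
    Event("LNX07", T0 + timedelta(minutes=4),   "file_access", "/run/media/alice/USB/task.txt", "/usr/bin/python3"), # relay hit
    Event("LNX07", T0 + timedelta(minutes=30),  "file_access", "/run/media/alice/USB/task.txt", "/usr/bin/cat"),     # outside window
    Event("WS02",  T0 + timedelta(minutes=2),   "file_write",  r"F:\report.docx",               "winword.exe"),      # FileNamePattern miss
    Event("WS03",  T0 + timedelta(minutes=3),   "file_access", r"F:\report.docx",               "winword.exe"),
]


def run_relay_sample():
    return find_relays(SAMPLE_EVENTS)


if __name__ == "__main__":
    for w, a in run_relay_sample():
        print(f"{w.host} wrote {w.path} at {w.ts:%H:%M:%S}; "
              f"{a.host} accessed {a.path} at {a.ts:%H:%M:%S} via {a.image}")
```

On the sample the only pair reported is WS01 writing `E:\task.txt` and LNX07 reading `/run/media/alice/USB/task.txt` four minutes later; the same-host access, the out-of-window read and the file that fails FileNamePattern are all dropped. In production the name match should be tightened (hash from Sysmon EID 11 is not available, but file size or a content hash from FIM can be added) because common names such as `data.bin` will collide across unrelated hosts.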
Correlates removable volume mounts (via Disk Arbitration) with file I/O events on that volume, followed by execution of the same file shortly after insertion.
| Data Component | Name | Channel |
|---|---|---|
| Drive Creation (DC0042) | macos:unifiedlog | com.apple.diskarbitration |
| File Creation (DC0039) | fs:fsusage | open/write/exec calls |
| Field | Description |
|---|---|
| VolumeNameFilter | Known suspicious USB volume labels or types (e.g., NO NAME, SECUREDATA). |
| ProcessContext | Unusual processes accessing USB drives (e.g., bash, Python, unsigned binaries). |
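The macOS analytic above is a single-host chain: a Disk Arbitration mount, then open/write I/O on a file under that mount point, then execution of that same file within a short time of insertion. The following added example implements that chain over constructed events and attaches VolumeNameFilter and ProcessContext as flags rather than hard gates, so a match with an innocuous label or process is still visible at lower priority. It is not Apple's or ATT&CK's code; the `MountEvent`/`FsEvent` fields, the five-minute mount-to-exec window and the sample volumes and processes are assumptions of this example.

```python
# Added example: single-host mount -> file I/O -> exec correlation for the macOS
# analytic above, over constructed events shaped after com.apple.diskarbitration
# mount messages and fs_usage open/write/exec records. Not Apple's or ATT&CK's
# code; the dataclass fields, window and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SUSPICIOUS_VOLUME_NAMES = {"NO NAME", "SECUREDATA"}                   # VolumeNameFilter
SUSPICIOUS_PROCESSES = {"bash", "sh", "zsh", "python3", "osascript"}  # ProcessContext
MOUNT_TO_EXEC_WINDOW = timedelta(minutes=5)                           # assumed tunable, not named on the page


@dataclass(frozen=True)
class MountEvent:          # from com.apple.diskarbitration
    ts: datetime
    volume: str
    mountpoint: str


@dataclass(frozen=True)
class FsEvent:             # from fs_usage
    ts: datetime
    op: str                # "open", "write" or "exec"
    path: str
    process: str


@dataclass
class Alert:
    volume: str
    path: str
    first_io: datetime
    exec_ts: datetime
    exec_process: str
    flags: list = field(default_factory=list)


def correlate_mount_to_exec(mounts, fs_events, window=MOUNT_TO_EXEC_WINDOW):
    """For each mount, find files on that volume that see open/write I/O and are
    then executed within `window` of insertion. Volume label and process context
    do not gate the match; they are attached as flags for prioritisation."""
    alerts = []
    for m in mounts:
        root = m.mountpoint.rstrip("/") + "/"
        on_volume = sorted(
            (e for e in fs_events if e.path.startswith(root) and m.ts <= e.ts <= m.ts + window),
            key=lambda e: e.ts,
        )
        first_io = {}  # path -> first open/write timestamp after this mount
        for e in on_volume:
            if e.op in ("open", "write"):
                first_io.setdefault(e.path, e.ts)
            elif e.op == "exec" and e.path in first_io:
                a = Alert(m.volume, e.path, first_io[e.path], e.ts, e.process)
                if m.volume.upper() in SUSPICIOUS_VOLUME_NAMES:
                    a.flags.append("suspicious-volume-name")
                if e.process in SUSPICIOUS_PROCESSES:
                    a.flags.append("suspicious-process")
                alerts.append(a)
    return alerts


T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_MOUNTS = [  # constructed for this example
    MountEvent(T0, "NO NAME", "/Volumes/NO NAME"),
    MountEvent(T0 + timedelta(hours=1), "Backup", "/Volumes/Backup"),
]
SAMPLE_FS = [  # constructed for this example
    FsEvent(T0 + timedelta(seconds=30), "open",  "/Volumes/NO NAME/update.sh", "Finder"),
    FsEvent(T0 + timedelta(seconds=31), "write", "/Volumes/NO NAME/update.sh", "Finder"),
    FsEvent(T0 + timedelta(seconds=70), "exec",  "/Volumes/NO NAME/update.sh", "bash"),   # alert
    FsEvent(T0 + timedelta(minutes=9),  "exec",  "/Volumes/NO NAME/update.sh", "bash"),   # outside window
    FsEvent(T0 + timedelta(hours=1, minutes=1), "open", "/Volumes/Backup/photo.jpg", "Preview"),  # never executed
    FsEvent(T0 + timedelta(hours=1, minutes=2), "exec", "/Volumes/Backup/bin/tool", "zsh"),       # no prior I/O on that file
]


def run_macos_sample():
    return correlate_mount_to_exec(SAMPLE_MOUNTS, SAMPLE_FS)


if __name__ == "__main__":
    for a in run_macos_sample():
        print(f"[{a.volume}] {a.path}: I/O at {a.first_io:%H:%M:%S}, "
              f"exec by {a.exec_process} at {a.exec_ts:%H:%M:%S} flags={a.flags}")
```

Only `update.sh` on the `NO NAME` volume is reported, carrying both flags; the later execution at nine minutes falls outside the window and the `Backup` volume has no file that is both touched and executed. Keying `first_io` per mount rather than globally matters when the same stick is reinserted: a file written during a previous insertion should not satisfy the chain for the next one.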