Detection of Data Exfiltration via Removable Media

ID: DET0123
Domains: Enterprise
Analytics: AN0342, AN0343, AN0344
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0342

Detects removable drive insertion followed by unusual file access, compression, or staging activity by unauthorized users or unexpected processes.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Drive Creation (DC0042) | WinEventLog:System | EventCode=1006,10001 |

Mutable Elements

| Field | Description |
| --- | --- |
| DriveTypeFilter | Filter on removable (e.g., USB) drives only. |
| ProcessNameExclusionList | Exclude known, approved backup or sync utilities. |
| TimeWindow | Limit correlation of file access and device mount to a defined window (e.g., <5 minutes). |

AN0343

Detects mounted external devices (via /media or /mnt) followed by large file read or copy operations by shell scripts, unauthorized users, or staging tools (e.g., tar, rsync).

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Access (DC0055) | auditd:SYSCALL | open |
| Drive Creation (DC0042) | auditd:SYSCALL | device event logs |

Mutable Elements

| Field | Description |
| --- | --- |
| MountPointPattern | Monitor mount points like /media, /mnt, or /run/media. |
| UserGroupScope | Restrict detection to non-root or unexpected users. |
| AccessVolumeThreshold | Alert on large file access or copy events. |

AN0344

Detects mounting of external volumes followed by high-volume or sensitive file access via Finder, terminal, or third-party apps (e.g., rsync, zip).

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Drive Creation (DC0042) | macos:unifiedlog | Volume Mount + File Read |
| File Access (DC0055) | macos:osquery | file_events |
| Command Execution (DC0064) | fs:fsusage | file system activity monitor |

Mutable Elements

| Field | Description |
| --- | --- |
| VolumeNamePattern | Detect suspicious or unrecognized drive labels (e.g., UNTITLED, BACKUP_VOL). |
| ProcessOrigin | Detect CLI-based copy operations vs. expected GUI usage. |
| UserSessionCheck | Alert if process and session context are mismatched (e.g., script from screensaver context). |
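All three analytics (AN0342, AN0343, AN0344) share one correlation shape: a drive-creation or volume-mount event, followed within a bounded time window by file access on the same host that is not explained by an approved process or an expected privileged account, with an alert once the access volume crosses a threshold. The script below is an added example written for this page, not part of the ATT&CK detection strategy itself. It assumes the Windows, auditd and macOS records have already been normalised upstream into a common `Event` shape (field names, the `approved_backup.exe` exclusion, the `PRIVILEGED_USERS` set and all sample telemetry are constructed assumptions), and it maps each Mutable Element to a tunable so the effect of TimeWindow, ProcessNameExclusionList, MountPointPattern, UserGroupScope and AccessVolumeThreshold can be seen on the sample data.

```python
"""Added example: correlate a removable-media mount with the file access that follows it.

Illustrative code, not an ATT&CK artifact. Events from Sysmon/Security/System, auditd
and the macOS unified log are assumed to have been normalised upstream into the Event
records below; every sample value here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime      # event time (assumed already in UTC)
    host: str         # endpoint the event came from
    kind: str         # "mount" (drive creation / volume mount) or "file_access"
    user: str         # account performing the action
    process: str      # image name or comm of the accessing process; "" for mount events
    target: str       # drive letter / mount point for mounts, file path for accesses


# Tunables standing in for the analytics' Mutable Elements (values are assumptions)
TIME_WINDOW = timedelta(minutes=5)                      # TimeWindow
PROCESS_EXCLUSIONS = {"approved_backup.exe"}            # ProcessNameExclusionList (constructed name)
MOUNT_POINT_PATTERNS = ("/media/", "/mnt/", "/run/media/", "/Volumes/")  # MountPointPattern
PRIVILEGED_USERS = {"root", "SYSTEM"}                   # UserGroupScope: skip expected privileged activity
ACCESS_VOLUME_THRESHOLD = 3                             # AccessVolumeThreshold


def is_removable_target(target: str) -> bool:
    """Stand-in for DriveTypeFilter: a non-system drive letter on Windows or a
    removable-media mount point on Linux/macOS. A real deployment should use the
    drive type reported by the OS rather than this path heuristic."""
    letter = target.rstrip("\\/")
    if len(letter) == 2 and letter[1] == ":" and letter[0].upper() != "C":
        return True
    return target.startswith(MOUNT_POINT_PATTERNS)


def correlate(events: Iterable[Event]) -> list[dict]:
    """For each removable mount, count file accesses on the same host within
    TIME_WINDOW by non-excluded processes and non-privileged users; emit an
    alert when the count reaches ACCESS_VOLUME_THRESHOLD."""
    ordered = sorted(events, key=lambda e: e.ts)
    mounts = [e for e in ordered if e.kind == "mount" and is_removable_target(e.target)]
    accesses = [e for e in ordered if e.kind == "file_access"]
    alerts = []
    for m in mounts:
        deadline = m.ts + TIME_WINDOW
        hits = [
            a for a in accesses
            if a.host == m.host
            and m.ts <= a.ts <= deadline
            and a.user not in PRIVILEGED_USERS
            and a.process.lower() not in PROCESS_EXCLUSIONS
        ]
        if len(hits) >= ACCESS_VOLUME_THRESHOLD:
            alerts.append({
                "host": m.host,
                "user": m.user,
                "mount": m.target,
                "mounted_at": m.ts.isoformat(),
                "access_count": len(hits),
                "processes": sorted({a.process for a in hits}),
                # accesses whose path sits on the new volume: staging onto the device itself
                "on_device": sum(1 for a in hits if a.target.startswith(m.target)),
            })
    return alerts


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry, already normalised from the page's log sources
SAMPLE_EVENTS = [
    # Windows workstation: System drive-creation event, then Security 4663-style reads
    Event(_ts("2025-10-21T10:00:00"), "WS01", "mount", "alice", "", "E:\\"),
    Event(_ts("2025-10-21T10:00:40"), "WS01", "file_access", "alice", "7z.exe", "C:\\Finance\\q3.xlsx"),
    Event(_ts("2025-10-21T10:00:41"), "WS01", "file_access", "alice", "7z.exe", "C:\\Finance\\q4.xlsx"),
    Event(_ts("2025-10-21T10:01:10"), "WS01", "file_access", "alice", "explorer.exe", "E:\\archive.7z"),
    Event(_ts("2025-10-21T10:02:00"), "WS01", "file_access", "alice", "approved_backup.exe", "C:\\Users\\alice\\a.docx"),
    # Linux host: auditd mount under /media, tar reads inside the window, one read after it
    Event(_ts("2025-10-21T11:00:00"), "lx01", "mount", "bob", "", "/media/usb0"),
    Event(_ts("2025-10-21T11:01:00"), "lx01", "file_access", "bob", "tar", "/home/bob/src/a.c"),
    Event(_ts("2025-10-21T11:01:01"), "lx01", "file_access", "bob", "tar", "/home/bob/src/b.c"),
    Event(_ts("2025-10-21T11:01:02"), "lx01", "file_access", "bob", "tar", "/media/usb0/src.tar"),
    Event(_ts("2025-10-21T11:10:00"), "lx01", "file_access", "bob", "cat", "/etc/hostname"),
    # Linux host: root-owned backup mount; dropped by UserGroupScope
    Event(_ts("2025-10-21T12:00:00"), "lx02", "mount", "root", "", "/mnt/backup"),
    Event(_ts("2025-10-21T12:00:05"), "lx02", "file_access", "root", "rsync", "/var/lib/app/db1"),
    Event(_ts("2025-10-21T12:00:06"), "lx02", "file_access", "root", "rsync", "/var/lib/app/db2"),
    Event(_ts("2025-10-21T12:00:07"), "lx02", "file_access", "root", "rsync", "/var/lib/app/db3"),
]


def run_sample() -> list[dict]:
    """Run the correlation over the constructed telemetry; two alerts are expected."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the Windows host alerts because three non-excluded accesses (two by `7z.exe`, one by `explorer.exe`) fall inside the window while the approved backup utility is discounted; the first Linux host alerts on the three `tar` reads, with the later `cat` falling outside TimeWindow; the root-owned mount on the second Linux host produces nothing because UserGroupScope removes its accesses. The `on_device` count separates reads of local files from writes or reads on the newly mounted volume, which is the staging signal the analytics describe; raising ACCESS_VOLUME_THRESHOLD or widening PROCESS_EXCLUSIONS is how a team tunes out approved sync tools without losing the correlation itself.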