Detection of USB-Based Data Exfiltration

ID: DET0220
Domains: Enterprise
Analytics: AN0616, AN0617, AN0618
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0616

Detects USB device insertion followed by high-volume or sensitive file access and staging activity by suspicious processes or accounts.

Log Sources

Data Component             Name                  Channel
Process Creation (DC0032)  WinEventLog:Sysmon    EventCode=1
File Creation (DC0039)     WinEventLog:Sysmon    EventCode=11
File Access (DC0055)       WinEventLog:Security  EventCode=4663
Drive Creation (DC0042)    WinEventLog:System    EventCode=2003

Mutable Elements

Field                   Description
SensitiveFilePathRegex  Match data staging or export paths (e.g., *.docx, *.csv, *.db) to USB volume letters.
UserContext             Limit to users who do not normally use removable devices (e.g., service accounts).
TimeWindow              Correlate events within a short period following USB insert (e.g., 5–10 minutes).

AN0617

Detects USB block device mount followed by file access in sensitive directories or high-volume copy operations by user-controlled processes.

Log Sources

Data Component           Name            Channel
File Access (DC0055)     auditd:SYSCALL  open, read
Drive Creation (DC0042)  auditd:SYSCALL  Kernel Device Events - USB Block Devices

Mutable Elements

Field                 Description
MountPath             Look for /media/, /mnt/, /run/media/ paths associated with removable storage.
CopyCommandSignature  Detect rsync, cp, tar, zip activity writing to USB mount point.
AccessRateThreshold   Define abnormal access patterns (e.g., >100 files in <5 min).

AN0618

Detects external volume mount with Finder, Terminal, or script-initiated file copy from user profiles, sensitive folders, or cloud storage sync directories to USB.

Log Sources

Data Component             Name              Channel
Drive Creation (DC0042)    macos:unifiedlog  Volume Mount + Process Trace + File Read
File Access (DC0055)       fs:fsusage        Disk Activity Tracing
Process Creation (DC0032)  macos:osquery     process_events

Mutable Elements

Field                   Description
DriveLabelFilter        Flag removable volumes with suspicious or default names (e.g., NO NAME, BACKUP_01).
ScriptExecutionContext  Watch for shell or AppleScript execution tied to USB copy.
VolumeMountFrequency    Detect repeated or abnormal device mounts during work hours.
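As an added example, not code from ATT&CK or this detection strategy: the correlation that AN0616 through AN0618 describe (a drive-creation event followed, within TimeWindow, by writes of files matching SensitiveFilePathRegex to the new volume by an account covered by UserContext, counted against AccessRateThreshold), run over constructed events in Python. The event layout, field names, account names and the threshold values are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from AN0616/AN0617, with values chosen for this example.
SENSITIVE_FILE_RE = re.compile(r"\.(docx|csv|db)$", re.IGNORECASE)  # SensitiveFilePathRegex
WATCHED_USERS = {"svc_backup"}       # UserContext: accounts not expected to use removable media
TIME_WINDOW = timedelta(minutes=10)  # TimeWindow after the drive-creation event
ACCESS_RATE_THRESHOLD = 3            # AccessRateThreshold: sensitive writes per window that alert

# Constructed sample events (timestamp, event type, fields): simplified stand-ins for
# System EventCode=2003 (drive_creation) and Sysmon EventCode=11 (file_creation).
EVENTS = [
    ("2025-10-21T09:00:00", "drive_creation", {"user": "svc_backup", "volume": "E:"}),
    ("2025-10-21T09:01:10", "file_creation", {"user": "svc_backup", "path": r"E:\stage\q3.docx"}),
    ("2025-10-21T09:01:15", "file_creation", {"user": "svc_backup", "path": r"E:\stage\hr.csv"}),
    ("2025-10-21T09:02:00", "file_creation", {"user": "svc_backup", "path": r"E:\notes.txt"}),    # not sensitive
    ("2025-10-21T09:02:30", "file_creation", {"user": "svc_backup", "path": r"C:\temp\crm.db"}),  # not on the USB volume
    ("2025-10-21T09:03:45", "file_creation", {"user": "svc_backup", "path": r"E:\stage\crm.db"}),
    ("2025-10-21T09:30:00", "file_creation", {"user": "svc_backup", "path": r"E:\late.docx"}),    # outside TimeWindow
    ("2025-10-21T10:00:00", "drive_creation", {"user": "alice", "volume": "F:"}),                 # not in UserContext
    ("2025-10-21T10:00:30", "file_creation", {"user": "alice", "path": r"F:\a.docx"}),
    ("2025-10-21T10:00:31", "file_creation", {"user": "alice", "path": r"F:\b.docx"}),
    ("2025-10-21T10:00:32", "file_creation", {"user": "alice", "path": r"F:\c.docx"}),
]


def correlate(events, window=TIME_WINDOW, threshold=ACCESS_RATE_THRESHOLD, users=WATCHED_USERS):
    """For each drive creation by a watched user, count sensitive file writes to that volume
    by the same user inside the window; return one alert per mount that reaches the threshold."""
    mounts, writes, alerts = [], [], []
    for ts, kind, fields in events:
        (mounts if kind == "drive_creation" else writes).append((datetime.fromisoformat(ts), fields))
    for mtime, m in mounts:
        if m["user"] not in users:
            continue
        hits = [f["path"] for wtime, f in writes
                if f["user"] == m["user"]
                and f["path"].upper().startswith(m["volume"].upper())
                and SENSITIVE_FILE_RE.search(f["path"])
                and mtime <= wtime <= mtime + window]
        if len(hits) >= threshold:
            alerts.append({"user": m["user"], "volume": m["volume"], "mounted": mtime.isoformat(),
                           "count": len(hits), "files": hits})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Raising the threshold to 4, or removing svc_backup from the watched set, suppresses the alert; the .txt write, the write to C:, and the write 30 minutes after the mount never count.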