Execution of files that originate from removable media shortly after the drive is mounted, correlated with file writes to the drive (tool staging), autorun usage, or lateral spread via tools staged on the media.

| Data Component | Name | Channel |
|---|---|---|
| Drive Creation (DC0042) | WinEventLog:Microsoft-Windows-Partition/Diagnostic | EventCode=1006 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Access (DC0055) | WinEventLog:Microsoft-Windows-Windows Defender/Operational | Suspicious file execution on removable media path |

| Field | Description |
|---|---|
| DriveLetterMatch | Detect activity on mounted drives typically used by USB (e.g., E:, F:, G:). Tune based on enterprise usage. |
| FileExecutionWindow | Set timing threshold for execution shortly after drive mount (e.g., < 5 minutes). |
| ParentProcess | Scope detection by process lineage: explorer.exe indicates a user double-click from the drive, while powershell.exe, cmd.exe or an unsigned parent indicates scripted or staged launch. Tune which lineages are treated as suspicious. |
| FileEntropy | Use entropy thresholding to detect packed/obfuscated payloads dropped to removable media. |
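The correlation described above (drive mount, then file writes and process creation on that drive inside the execution window, enriched with parent lineage, signature state and entropy) as an added worked example. This is not code from the ATT&CK page; it is a stand-alone Python sketch of the detection logic run over constructed, already-normalised event records. It assumes a normalisation step has mapped the Partition/Diagnostic 1006 event to a drive letter (the raw event does not carry one), that Sysmon 1/11 events expose `image`, `parent`, `signed` and `target` fields, and that file contents for the entropy check are supplied by a lookup table rather than read from disk. All four tunables map onto the mutable elements in the table.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables mirroring the mutable elements above (values are assumptions).
DRIVE_LETTERS = {"E:", "F:", "G:"}                            # DriveLetterMatch
EXEC_WINDOW = timedelta(minutes=5)                             # FileExecutionWindow
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe"}  # ParentProcess
ENTROPY_THRESHOLD = 7.0                                        # FileEntropy, bits/byte (max 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted payloads sit near 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def drive_of(path: str) -> str:
    """Drive letter prefix of a Windows path, e.g. 'E:' for 'E:\\tools\\x.exe'."""
    return path[:2].upper()


def detect(events, file_bytes):
    """Correlate mount -> write -> execute on removable drives.

    events: normalised records (assumed schema, not the raw Windows fields):
      {"t": datetime, "src": "partition", "code": 1006, "drive": "E:"}
      {"t": datetime, "src": "sysmon", "code": 11, "target": path, "image": writer}
      {"t": datetime, "src": "sysmon", "code": 1, "image": path, "parent": exe, "signed": bool}
    file_bytes: path -> bytes, standing in for reading the executed file.
    """
    mounts = {}                 # drive letter -> most recent mount time
    staged = defaultdict(list)  # drive letter -> files written since that mount
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["src"] == "partition" and ev["code"] == 1006:
            if ev["drive"] in DRIVE_LETTERS:
                mounts[ev["drive"]] = ev["t"]
                staged[ev["drive"]] = []          # new mount resets staging state
        elif ev["src"] == "sysmon" and ev["code"] == 11:
            d = drive_of(ev["target"])
            if d in mounts and ev["t"] >= mounts[d]:
                staged[d].append(ev["target"])    # file dropped onto the drive after mount
        elif ev["src"] == "sysmon" and ev["code"] == 1:
            d = drive_of(ev["image"])
            if d not in mounts:
                continue                          # not a monitored removable drive
            delta = ev["t"] - mounts[d]
            if not (timedelta(0) <= delta <= EXEC_WINDOW):
                continue                          # outside the execution window
            reasons = ["exec_after_mount"]
            if ev["image"] in staged[d]:
                reasons.append("staged_on_drive")
            if ev["parent"].lower() in SCRIPT_PARENTS:
                reasons.append("scripted_parent")
            if not ev["signed"]:
                reasons.append("unsigned")
            if shannon_entropy(file_bytes.get(ev["image"], b"")) >= ENTROPY_THRESHOLD:
                reasons.append("high_entropy")
            alerts.append({"image": ev["image"], "drive": d,
                           "seconds_after_mount": delta.total_seconds(),
                           "reasons": reasons})
    return alerts


# Constructed sample telemetry: one USB insert, a tool staged and run via PowerShell,
# a benign signed viewer run well after the window, and a local notepad launch.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"t": T0, "src": "partition", "code": 1006, "drive": "E:"},
    {"t": T0 + timedelta(seconds=30), "src": "sysmon", "code": 11,
     "target": "E:\\tools\\update.exe", "image": "C:\\Windows\\explorer.exe"},
    {"t": T0 + timedelta(seconds=90), "src": "sysmon", "code": 1,
     "image": "E:\\tools\\update.exe", "parent": "powershell.exe", "signed": False},
    {"t": T0 + timedelta(minutes=20), "src": "sysmon", "code": 1,
     "image": "E:\\docs\\viewer.exe", "parent": "explorer.exe", "signed": True},
    {"t": T0 + timedelta(seconds=10), "src": "sysmon", "code": 1,
     "image": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe", "signed": True},
]
SAMPLE_FILE_BYTES = {
    "E:\\tools\\update.exe": bytes(range(256)) * 8,   # uniform bytes: entropy 8.0, looks packed
    "E:\\docs\\viewer.exe": b"MZ" + b"\x00" * 100,    # mostly padding: low entropy
}


def run_sample():
    """Run the detection over the constructed sample; returns the alert list."""
    return detect(SAMPLE_EVENTS, SAMPLE_FILE_BYTES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the PowerShell-launched, freshly staged binary fires; the signed viewer run twenty minutes after mount falls outside the window and the local notepad launch never touches a monitored drive. In a SIEM the same three-stage join is expressed as a transaction or sequence keyed on the drive letter, with the entropy stage usually supplied by an EDR file-hash or packer verdict rather than computed inline.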