Detection of Data Access and Collection from Removable Media

ID: DET0511
Domains: Enterprise
Analytics: AN1410, AN1411, AN1412
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1410

Adversary mounts a USB device and begins enumerating, copying, or compressing files using scripting engines, cmd, or remote access tools.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Drive Creation (DC0042) | WinEventLog:System | EventCode=20001/20003 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

Mutable Elements

| Field | Description |
| --- | --- |
| VolumeLabel | Can tune based on known removable device labels or whitelist |
| TimeWindow | Controls timing between device mount and sensitive file access |
| TargetFileType | Tune for sensitive file extensions (e.g., .docx, .pdf, .csv) |
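The following is an added example, not code from the DET0511 page: a small correlation routine for AN1410 that joins a removable-drive mount (System 20001/20003) with later Security 4663 file accesses on that drive and enriches each hit with the Sysmon EventCode 1 process image, exposing the three mutable elements as tunables. The field names (DriveLetter, VolumeLabel, ObjectName, ProcessId, Image) and every record in SAMPLE_EVENTS are assumptions and constructed data; real 20001/20003 events identify a PnP device instance rather than a drive letter, so a production pipeline must map the instance ID to a volume before this join works.

```python
"""Added example (not from the DET0511 page): AN1410 correlation.

Field names and SAMPLE_EVENTS are constructed; see the lead-in for the
assumption about mapping 20001/20003 device instances to a drive letter.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Tunables mirroring the page's Mutable Elements for AN1410.
TIME_WINDOW = timedelta(minutes=10)             # TimeWindow
TARGET_FILE_TYPES = {".docx", ".pdf", ".csv"}   # TargetFileType
ALLOWED_VOLUME_LABELS = {"CORP-BACKUP"}         # VolumeLabel allowlist (constructed)


@dataclass
class Event:
    ts: datetime
    channel: str            # "System", "Security" or "Sysmon"
    code: int               # EventCode
    fields: Dict[str, str]


def _pid(value: str) -> int:
    # Security 4663 reports Process ID in hex ("0x1018"); Sysmon uses decimal.
    return int(value, 0)


def detect_windows_removable_access(events: List[Event]) -> List[dict]:
    """One alert per sensitive file touched on a freshly mounted, non-allowlisted drive."""
    mounts: Dict[str, tuple] = {}   # drive letter -> (mount time, volume label)
    images: Dict[int, str] = {}     # pid -> process image from Sysmon EventCode 1
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.channel == "System" and ev.code in (20001, 20003):
            label = ev.fields.get("VolumeLabel", "")
            if label in ALLOWED_VOLUME_LABELS:
                continue                    # approved device: do not track it
            mounts[ev.fields["DriveLetter"].upper()] = (ev.ts, label)
        elif ev.channel == "Sysmon" and ev.code == 1:
            images[_pid(ev.fields["ProcessId"])] = ev.fields["Image"]
        elif ev.channel == "Security" and ev.code == 4663:
            path = ev.fields["ObjectName"]
            mount = mounts.get(path[:2].upper())
            if mount is None:
                continue                    # not on a tracked removable drive
            mounted_at, label = mount
            if ev.ts - mounted_at > TIME_WINDOW:
                continue                    # outside the mount-to-access window
            if os.path.splitext(path)[1].lower() not in TARGET_FILE_TYPES:
                continue                    # not a sensitive file type
            pid = _pid(ev.fields["ProcessId"])
            alerts.append({
                "ts": ev.ts,
                "user": ev.fields.get("SubjectUserName", "?"),
                "file": path,
                "volume_label": label,
                "image": images.get(pid, f"<unknown pid {pid}>"),
                "access_mask": ev.fields.get("AccessMask", "?"),
            })
    return alerts


# Constructed sample telemetry (not real logs).
_T = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(_T, "System", 20001, {"DriveLetter": "E:", "VolumeLabel": "KINGSTON"}),
    Event(_T + timedelta(seconds=5), "Sysmon", 1,
          {"ProcessId": "4120",
           "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    Event(_T + timedelta(minutes=2), "Security", 4663,
          {"SubjectUserName": "jdoe", "ProcessId": "0x1018", "AccessMask": "0x1",
           "ObjectName": r"E:\exports\customers.csv"}),            # hit
    Event(_T + timedelta(minutes=2, seconds=30), "Security", 4663,
          {"SubjectUserName": "jdoe", "ProcessId": "0x1018", "AccessMask": "0x1",
           "ObjectName": r"E:\readme.txt"}),                        # wrong extension
    Event(_T + timedelta(minutes=30), "Security", 4663,
          {"SubjectUserName": "jdoe", "ProcessId": "0x1018", "AccessMask": "0x1",
           "ObjectName": r"E:\exports\plan.docx"}),                 # outside TimeWindow
    Event(_T + timedelta(hours=1), "System", 20003,
          {"DriveLetter": "F:", "VolumeLabel": "CORP-BACKUP"}),
    Event(_T + timedelta(hours=1, minutes=1), "Security", 4663,
          {"SubjectUserName": "svc-backup", "ProcessId": "0x1018", "AccessMask": "0x1",
           "ObjectName": r"F:\hr.pdf"}),                            # allowlisted label
]

if __name__ == "__main__":
    for alert in detect_windows_removable_access(SAMPLE_EVENTS):
        print(alert)
```

Of the five 4663 accesses in the sample, only the customers.csv read fires: the .txt fails TargetFileType, the .docx falls outside TimeWindow, and the F: drive carries an allowlisted VolumeLabel. Joining on the process ID requires normalising the hex PID that 4663 reports against Sysmon's decimal one, which `_pid` does; PIDs are also reused, so a real pipeline should additionally bound the Sysmon lookup by process start time.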

AN1411

Adversary mounts an external drive under /media or /mnt, then accesses or copies targeted data via shell, cp, or tar.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| File Access (DC0055) | auditd:SYSCALL | open, read, mount |
| Drive Creation (DC0042) | journald:systemd | udisks2 or udevd logs |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

Mutable Elements

| Field | Description |
| --- | --- |
| MountPathRegex | Filter for unexpected or user-defined mount locations (e.g., /media/usb*) |
| AccessMask | Tune based on read/write access types seen during collection |
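As an added example (not part of the DET0511 page), the routine below parses auditd SYSCALL and PATH records, joins the records of each event by their serial, tracks mount syscalls whose target matches MountPathRegex, and flags subsequent open/openat calls on files under those mount points, classifying each as a read or write from the open flags so that the AccessMask element can be tuned. AN1412 is the same correlation with the regex pointed at /Volumes and a different log source, so it is not repeated there. The lines in SAMPLE_AUDIT_LOG are constructed and abbreviated (real events carry many more fields), and the syscall numbers assume an x86_64 host (arch=c000003e: 165=mount, 2=open, 257=openat).

```python
"""Added example (not from the DET0511 page): AN1411 auditd correlation.

SAMPLE_AUDIT_LOG is constructed; syscall numbers assume x86_64.
"""
import re
from collections import defaultdict
from typing import Dict, List

MOUNT_PATH_REGEX = re.compile(r"^/(media|mnt)(/|$)")   # MountPathRegex
ALERT_MODES = {"read", "write"}                         # AccessMask tuning
COLLECTION_TOOLS = {"/usr/bin/cp", "/usr/bin/tar"}      # tools named in AN1411
X86_64_ARCH = "c000003e"
SYS_OPEN, SYS_OPENAT, SYS_MOUNT = 2, 257, 165
O_WRONLY, O_RDWR = 0x1, 0x2

_HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str):
    """Split one auditd line into (type, timestamp, serial, {field: value})."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised audit record: {line!r}")
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
    return rtype, float(ts), int(serial), fields


def group_events(lines: List[str]) -> List[dict]:
    """Join the SYSCALL and PATH records sharing one serial into a single event."""
    events: Dict[int, dict] = defaultdict(lambda: {"ts": 0.0, "syscall": None, "paths": []})
    for line in lines:
        if not line.strip():
            continue
        rtype, ts, serial, fields = parse_record(line)
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return [events[s] for s in sorted(events)]


def access_mode(syscall_no: int, sc: Dict[str, str]) -> str:
    """Classify open/openat by its flags argument (a1 for open, a2 for openat)."""
    flags = int(sc["a2" if syscall_no == SYS_OPENAT else "a1"], 16)
    return "write" if flags & (O_WRONLY | O_RDWR) else "read"


def detect_linux_removable_access(lines: List[str]) -> List[dict]:
    mounts: List[str] = []
    alerts = []
    for ev in group_events(lines):
        sc = ev["syscall"]
        if sc is None or sc.get("arch") != X86_64_ARCH or sc.get("success") != "yes":
            continue        # no SYSCALL record, unknown ABI, or the call failed
        nr = int(sc["syscall"])
        names = [p["name"] for p in ev["paths"] if p.get("nametype") == "NORMAL"]
        if nr == SYS_MOUNT:
            mounts.extend(n.rstrip("/") for n in names if MOUNT_PATH_REGEX.match(n))
        elif nr in (SYS_OPEN, SYS_OPENAT):
            mode = access_mode(nr, sc)
            for n in names:
                if mode in ALERT_MODES and any(n.startswith(m + "/") for m in mounts):
                    alerts.append({"ts": ev["ts"], "path": n, "mode": mode,
                                   "exe": sc.get("exe", "?"), "auid": sc.get("auid", "?"),
                                   "collection_tool": sc.get("exe") in COLLECTION_TOOLS})
    return alerts


# Constructed audit records (not real logs): a mount, a read from the mount by cp,
# cp writing its copy under /home, and a denied open that must not alert.
SAMPLE_AUDIT_LOG = """
type=SYSCALL msg=audit(1761036000.100:3001): arch=c000003e syscall=165 success=yes exit=0 auid=1000 uid=0 exe="/usr/bin/mount" key="removable_mount"
type=PATH msg=audit(1761036000.100:3001): item=0 name="/media/usb0" nametype=NORMAL
type=SYSCALL msg=audit(1761036010.200:3002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=80000 a3=0 auid=1000 uid=1000 exe="/usr/bin/cp" key="removable_access"
type=PATH msg=audit(1761036010.200:3002): item=0 name="/media/usb0" nametype=PARENT
type=PATH msg=audit(1761036010.200:3002): item=1 name="/media/usb0/payroll.csv" nametype=NORMAL
type=SYSCALL msg=audit(1761036011.300:3003): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e0 a2=80241 a3=1b6 auid=1000 uid=1000 exe="/usr/bin/cp" key="removable_access"
type=PATH msg=audit(1761036011.300:3003): item=0 name="/home/jdoe" nametype=PARENT
type=PATH msg=audit(1761036011.300:3003): item=1 name="/home/jdoe/payroll.csv" nametype=CREATE
type=SYSCALL msg=audit(1761036020.400:3004): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55f0 a2=80000 a3=0 auid=1000 uid=1000 exe="/usr/bin/cat" key="removable_access"
type=PATH msg=audit(1761036020.400:3004): item=0 name="/media/usb0/secret.key" nametype=NORMAL
""".splitlines()

if __name__ == "__main__":
    for alert in detect_linux_removable_access(SAMPLE_AUDIT_LOG):
        print(alert)
```

Only the cp read of /media/usb0/payroll.csv alerts: the write goes to /home (outside the mount regex) and the cat open failed (success=no), which the routine skips because a denied open did not expose data. Checking the arch field before interpreting syscall numbers matters in mixed fleets, since the numbers differ between x86_64 and arm64.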

AN1412

Adversary attaches a USB drive and accesses sensitive files using Finder, cp, or bash scripts.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Drive Creation (DC0042) | macos:unifiedlog | log stream --predicate 'eventMessage contains "USBMSC"' |
| File Access (DC0055) | fs:fsusage | file reads/writes from /Volumes/ |
| Process Creation (DC0032) | macos:osquery | process_events |

Mutable Elements

| Field | Description |
| --- | --- |
| VolumePath | Tune by filtering removable media mounted under /Volumes |
| UserContext | Correlate activity to admin or service accounts for priority |