Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Some adversaries may also use Automated Collection on removable media.
FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP.
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | Command | Command Execution | Monitor executed commands and arguments for actions that could be taken to collect files from a system's connected removable media. For example, data may be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
| | File | File Access | Monitor for unexpected/abnormal file accesses to removable media (optical disk drive, USB memory, etc.) connected to the compromised system. |
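As an added example (not code from the ATT&CK page or any referenced tool), the Python below applies the Command Execution detection row to constructed process-creation events: it flags WMI/CIM queries for DriveType 2 (removable) logical disks, and file-copy or listing tools whose arguments reference a drive letter that an assumed inventory lists as a removable volume. The sample events, the removable-letter set and the function names are constructed assumptions.

```python
import re

# Constructed process-creation events (not from the ATT&CK page); the fields mimic what
# a Windows 4688 / Sysmon Event ID 1 collector hands to a SIEM.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "cmdline": "wmic logicaldisk where drivetype=2 get deviceid,volumename"},
    {"user": "CORP\\jdoe", "cmdline": "xcopy E:\\*.docx C:\\Users\\jdoe\\AppData\\Local\\Temp\\st /s /h /y"},
    {"user": "CORP\\svc_backup", "cmdline": "robocopy D:\\share \\\\nas\\backup /MIR"},
    {"user": "CORP\\jdoe", "cmdline": 'powershell -c "Get-ChildItem F:\\ -Recurse -Include *.pdf '
                                       '| Copy-Item -Destination C:\\Temp\\st"'},
    {"user": "CORP\\jdoe", "cmdline": "cmd /c dir C:\\Users\\jdoe\\Documents"},
]

# Drive letters that an asset inventory currently reports as removable volumes (assumed,
# constructed input; in production derive it from volume-mount / PnP device events).
REMOVABLE_LETTERS = {"E", "F"}

# Removable-drive enumeration via WMI/CIM: Win32_LogicalDisk DriveType 2 means "removable".
RE_WMI_REMOVABLE = re.compile(r"logicaldisk.{0,80}?drivetype\W{0,6}2\b", re.I | re.S)
# cmd built-ins, xcopy/robocopy and PowerShell cmdlets that enumerate or copy files.
RE_FILE_TOOL = re.compile(r"\b(xcopy|robocopy|copy|move|dir|get-childitem|gci|copy-item)\b", re.I)
# A drive-letter path such as E:\ (not preceded by a word char or another backslash).
RE_DRIVE_REF = re.compile(r"(?<![\w\\])([A-Za-z]):\\")


def removable_media_findings(cmdline, removable_letters=REMOVABLE_LETTERS):
    """Return the reasons a command line looks like removable-media collection ([] if none)."""
    reasons = []
    if RE_WMI_REMOVABLE.search(cmdline):
        reasons.append("enumerates removable drives via Win32_LogicalDisk DriveType=2")
    if RE_FILE_TOOL.search(cmdline):
        referenced = {m.group(1).upper() for m in RE_DRIVE_REF.finditer(cmdline)}
        hits = sorted(referenced & {l.upper() for l in removable_letters})
        if hits:
            reasons.append("file tool touches removable volume(s) " + ", ".join(f"{l}:" for l in hits))
    return reasons


def scan_events(events, removable_letters=REMOVABLE_LETTERS):
    """Apply the checks to each event; return (user, cmdline, reasons) for every hit."""
    alerts = []
    for ev in events:
        reasons = removable_media_findings(ev["cmdline"], removable_letters)
        if reasons:
            alerts.append((ev["user"], ev["cmdline"], reasons))
    return alerts

if __name__ == "__main__":
    for user, cmd, reasons in scan_events(SAMPLE_EVENTS):
        print(f"[T1025 candidate] {user}: {cmd}\n  - " + "\n  - ".join(reasons))
```

The robocopy and `dir` events are deliberate negatives: the same tooling run against a fixed disk produces no finding, which keeps the rule from firing on routine backups and directory listings.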