
DET0301 Removable Media Execution Chain Detection via File and Process Activity

ID: DET0301
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1091 (Replication Through Removable Media)

Analytics

Windows

AN0841

Execution of files that reside on removable media shortly after the drive is mounted, correlated with file writes to the drive, autorun usage, or lateral spread via tools staged on the media.

Log Sources
Data Component | Name | Channel
Drive Creation (DC0042) | WinEventLog:System | EventCode=1006
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
File Access (DC0055) | WinEventLog:Microsoft-Windows-Windows Defender/Operational | Suspicious file execution on removable media path
Mutable Elements
Field | Description
DriveLetterMatch | Drive letters to treat as removable media (e.g., E:, F:, G:). Tune to the letters your environment actually assigns to USB devices; a fixed list is the weakest part of the analytic.
FileExecutionWindow | Maximum time between the Drive Creation event and a process launch from that drive for the two to be correlated (e.g., < 5 minutes).
ParentProcess | Process lineage of interest, e.g., binaries launched from explorer.exe (a user double-click on the drive) or powershell.exe, or unsigned binaries.
FileEntropy | Entropy threshold applied to files written to removable media, to flag packed or obfuscated payloads being staged on the drive.
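The correlation described by this analytic, as an added example in Python that is not part of the ATT&CK page or of any ATT&CK-provided tooling. It assumes a constructed line format ('<ISO time> <channel> <EventCode> key=value ...'), a hypothetical DriveLetter field on the System 1006 event (the page does not show that event's payload), the Sysmon field names Image, ParentImage and TargetFilename, and starting values for the mutable elements. File content is supplied separately because Sysmon Event ID 11 does not carry it; the Windows Defender File Access row is not modeled. All sample telemetry is constructed, not captured from a host.

```python
"""Added example: correlate removable-media mount, file-write and process-creation events (AN0841 logic)."""
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Mutable elements from the analytic, with assumed starting values.
DRIVE_LETTER_MATCH = ("E:", "F:", "G:")          # tune to your environment
FILE_EXECUTION_WINDOW = timedelta(minutes=5)     # execution shortly after mount
PARENT_PROCESS = ("explorer.exe", "powershell.exe")
FILE_ENTROPY_THRESHOLD = 7.0                     # bits/byte; uniformly random data scores 8.0


@dataclass
class Event:
    time: datetime
    channel: str
    code: int
    fields: dict


def parse_event(line: str) -> Event:
    """Parse a constructed line: '<ISO time> <channel> <EventCode> key=value ...' (no spaces in values)."""
    ts, channel, code, *pairs = line.split()
    return Event(datetime.fromisoformat(ts), channel, int(code),
                 dict(p.split("=", 1) for p in pairs))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def removable_drive(path: str):
    """Return the drive letter if the path sits on a watched removable drive, else None."""
    prefix = path[:2].upper()
    return prefix if prefix in DRIVE_LETTER_MATCH else None


def detect(events, file_contents=None):
    """Run the correlation; file_contents maps TargetFilename -> bytes, since Sysmon 11 carries no content."""
    file_contents = file_contents or {}
    mounts = {}      # drive letter -> time of the Drive Creation event
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.channel == "System" and ev.code == 1006:
            # 'DriveLetter' is an assumed field name; the page does not show the 1006 payload.
            mounts[ev.fields["DriveLetter"].upper()] = ev.time
        elif ev.channel == "Sysmon" and ev.code == 11:
            target = ev.fields.get("TargetFilename", "")
            if not removable_drive(target):
                continue
            if target.lower().endswith("\\autorun.inf"):
                alerts.append({"type": "autorun_staged", "time": ev.time, "file": target})
            content = file_contents.get(target)
            if content is not None and shannon_entropy(content) >= FILE_ENTROPY_THRESHOLD:
                alerts.append({"type": "high_entropy_write", "time": ev.time, "file": target,
                               "entropy": round(shannon_entropy(content), 2)})
        elif ev.channel == "Sysmon" and ev.code == 1:
            image = ev.fields.get("Image", "")
            drive = removable_drive(image)
            parent = ev.fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            mounted = mounts.get(drive) if drive else None
            if mounted is None or parent not in PARENT_PROCESS:
                continue                      # not from a watched drive, no mount seen, or lineage not of interest
            age = ev.time - mounted
            if age <= FILE_EXECUTION_WINDOW:
                alerts.append({"type": "removable_media_execution", "time": ev.time, "image": image,
                               "parent": parent, "seconds_since_mount": int(age.total_seconds())})
    return alerts


# Constructed sample telemetry (not captured from a real host).
SAMPLE_LINES = [
    r"2025-10-21T09:00:00 System 1006 DriveLetter=E:",
    r"2025-10-21T09:01:30 Sysmon 11 Image=C:\Windows\explorer.exe TargetFilename=E:\autorun.inf",
    r"2025-10-21T09:02:00 Sysmon 11 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=E:\payload.bin",
    r"2025-10-21T09:02:10 Sysmon 1 Image=E:\Tools\update.exe ParentImage=C:\Windows\explorer.exe",
    r"2025-10-21T09:02:20 Sysmon 11 Image=C:\Windows\explorer.exe TargetFilename=E:\readme.txt",
    r"2025-10-21T09:02:30 Sysmon 1 Image=D:\other.exe ParentImage=C:\Windows\explorer.exe",            # D: not watched
    r"2025-10-21T09:02:40 Sysmon 1 Image=E:\Tools\helper.exe ParentImage=C:\Windows\System32\cmd.exe",  # parent not in list
    r"2025-10-21T09:40:00 Sysmon 1 Image=E:\Tools\update.exe ParentImage=C:\Windows\explorer.exe",      # outside window
]
SAMPLE_CONTENTS = {
    r"E:\payload.bin": bytes(range(256)) * 4,   # uniform bytes: entropy 8.0, looks packed/encrypted
    r"E:\readme.txt": b"A" * 100,               # constant bytes: entropy 0.0
}


def run_sample():
    """Parse the constructed lines and return the alerts the correlation raises on them."""
    return detect([parse_event(line) for line in SAMPLE_LINES], SAMPLE_CONTENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data this raises three alerts (autorun.inf staged on E:, a high-entropy write to E:, and update.exe launched from E: by explorer.exe 130 seconds after the mount) and suppresses the launch from D:, the cmd.exe-parented launch, and the launch 40 minutes after the mount. Note the obvious evasion: an adversary who waits longer than FileExecutionWindow, or whose device lands on a letter outside DriveLetterMatch, is invisible to this logic, which is why both elements are listed as tunable.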