Skip to content

DET0511 Detection of Data Access and Collection from Removable Media

Item Value
ID DET0511
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1025 (Data from Removable Media)

Analytics

Windows

AN1410

Adversary mounts a USB device and begins enumerating, copying, or compressing files using scripting engines, cmd, or remote access tools.

Log Sources
Data Component Name Channel
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Drive Creation (DC0042) WinEventLog:System EventCode=2003
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
VolumeLabel Can tune based on known removable device labels or whitelist
TimeWindow Controls timing between device mount and sensitive file access
TargetFileType Tune for sensitive file extensions (e.g., .docx, .pdf, .csv)

Linux

AN1411

Adversary mounts external drive to /media or /mnt then accesses or copies targeted data via shell, cp, or tar.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL open, read, mount
Drive Creation (DC0042) journald:systemd udisks2 or udevd logs
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
MountPathRegex Filter for unexpected or user-defined mount locations (e.g., /media/usb*)
AccessMask Tune based on read/write access types seen during collection

macOS

AN1412

Adversary attaches USB drive and accesses sensitive files using Finder, cp, or bash scripts.

Log Sources
Data Component Name Channel
Drive Creation (DC0042) macos:unifiedlog log stream –predicate ‘eventMessage contains “USBMSC”’
File Access (DC0055) fs:fsusage file reads/writes from /Volumes/
Process Creation (DC0032) macos:osquery process_events
Mutable Elements
Field Description
VolumePath Tune by filtering removable media mounted under /Volumes
UserContext Correlate activity to admin or service accounts for priority