DET0733 Detection of Replication Through Removable Media

| Item | Value |
| --- | --- |
| ID | DET0733 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T0847 (Replication Through Removable Media)

Analytics

ICS

AN1866

Monitor for newly executed processes that run from removable media, either after the media is mounted or when a user initiates them. If a remote access tool is used in this manner to move laterally, additional actions are likely to follow execution, such as opening network connections for Command and Control and performing system and network information Discovery. Monitor for newly constructed files copied to or from removable media. Monitor for newly constructed drive letters or mount points for removable media. Monitor for files accessed on removable media, particularly those with executable content.
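The correlation this analytic describes can be sketched as follows. This is an added example, not part of the original detection entry: it tracks removable drive creation per host, then flags process creation from those drives and the creation of or access to executable files on them. The event schema, field names, host names, Windows-style drive letters and extension list are all assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample events in a hypothetical normalized schema (assumption:
# real telemetry must be mapped to these fields; no drive-removal events here).
EVENTS = [
    {"ts": 100, "type": "drive_creation", "host": "hmi-01", "mount": "E:\\", "removable": True},
    {"ts": 101, "type": "drive_creation", "host": "hmi-01", "mount": "D:\\", "removable": False},
    {"ts": 105, "type": "file_access", "host": "hmi-01", "path": "E:\\docs\\report.pdf"},
    {"ts": 110, "type": "file_creation", "host": "hmi-01", "path": "E:\\tools\\update.exe"},
    {"ts": 120, "type": "process_creation", "host": "hmi-01", "pid": 4312, "image": "E:\\tools\\update.exe"},
    {"ts": 130, "type": "process_creation", "host": "hmi-01", "pid": 4400, "image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": 140, "type": "process_creation", "host": "eng-02", "pid": 77, "image": "E:\\setup.exe"},
]

# Assumed list of extensions treated as executable content; tune per site.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}

def drive_of(path):
    """Return the upper-cased drive letter (for example 'E:') of a Windows path."""
    return PureWindowsPath(path).drive.upper()

def detect(events):
    """Correlate drive, process and file events into (ts, host, kind, path) alerts."""
    mounts = {}  # host -> set of removable drive letters seen on that host
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["type"] == "drive_creation":
            if ev["removable"]:
                mounts.setdefault(host, set()).add(drive_of(ev["mount"]))
                alerts.append((ts, host, "removable_drive_mounted", ev["mount"]))
            continue
        path = ev.get("image") or ev["path"]
        if drive_of(path) not in mounts.get(host, set()):
            continue  # not on a removable drive known for this host
        if ev["type"] == "process_creation":
            alerts.append((ts, host, "process_from_removable_media", path))
        elif PureWindowsPath(path).suffix.lower() in EXECUTABLE_EXT:
            # File creation or access involving executable content on the media.
            alerts.append((ts, host, f"executable_{ev['type']}_on_removable_media", path))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The process on `eng-02` is not flagged because no removable drive creation was recorded for that host, which shows how much this correlation depends on Drive Creation telemetry being collected everywhere.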

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | Process | None |
| File Creation (DC0039) | File | None |
| Drive Creation (DC0042) | Drive | None |
| File Access (DC0055) | File | None |

Mutable Elements
Field Description