T1025: Data from Removable Media
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Some adversaries may also use Automated Collection on removable media.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_collection: PT-CR-1012: Export_Certs: An attempt to export certificates or key containers
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that could be taken to collect files from a system's connected removable media. For example, data may be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
| DS0022 | File: File Access | Monitor for unexpected/abnormal file accesses to removable media (optical disk drive, USB memory, etc.) connected to the compromised system. |
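As an added illustration of the command-monitoring detection above (example code, not part of the original page or of the MaxPatrol SIEM rule), the following Python runs a simple T1025 check over constructed process-creation events. The event fields, the set of drive letters known to be removable, and the command patterns are assumptions about what a log pipeline would supply.

```python
import re

# Constructed events shaped like Windows process-creation records (4688 / Sysmon 1).
SAMPLE_EVENTS = [
    {"id": 1, "image": "powershell.exe",
     "cmd": 'Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2"'},
    {"id": 2, "image": "cmd.exe",
     "cmd": "xcopy E:\\Finance\\*.xlsx C:\\Users\\Public\\staging /s"},
    {"id": 3, "image": "cmd.exe", "cmd": "copy C:\\temp\\notes.txt D:\\backup\\"},
    {"id": 4, "image": "wmic.exe",
     "cmd": "wmic logicaldisk where drivetype=2 get deviceid"},
    {"id": 5, "image": "powershell.exe", "cmd": "Get-Process | Out-File C:\\procs.txt"},
]

# Assumption: a volume-mount event told us E: is a removable device; D: is a fixed disk.
REMOVABLE_DRIVES = {"E:"}

# Commands that enumerate removable volumes (WMI DriveType 2 means "removable disk").
ENUM_PATTERNS = [
    re.compile(r"Win32_LogicalDisk.*DriveType\s*=\s*2", re.I),
    re.compile(r"wmic\s+logicaldisk\s+where\s+drivetype\s*=\s*2", re.I),
    re.compile(r"Get-Volume.*DriveType.*Removable", re.I),
]
# Built-in copy/listing tools whose arguments may reference a removable drive letter.
COPY_TOOLS = re.compile(r"\b(copy|xcopy|robocopy|Copy-Item|Get-ChildItem|dir)\b", re.I)
DRIVE_REF = re.compile(r"\b([A-Z]:)\\", re.I)


def classify(event, removable=REMOVABLE_DRIVES):
    """Return a detection label for one event, or None if it is not of interest."""
    cmd = event["cmd"]
    if any(p.search(cmd) for p in ENUM_PATTERNS):
        return "enumerate_removable_media"
    if COPY_TOOLS.search(cmd):
        # Only flag copies/listings that touch a drive letter known to be removable,
        # so routine copies between fixed disks (event 3) stay quiet.
        drives = {m.group(1).upper() for m in DRIVE_REF.finditer(cmd)}
        if drives & removable:
            return "file_access_removable_media"
    return None


def detect(events, removable=REMOVABLE_DRIVES):
    """Run classify over a batch and return (event id, label) pairs for hits."""
    return [(e["id"], label) for e in events if (label := classify(e, removable))]


if __name__ == "__main__":
    for event_id, label in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {label}")
```

In a real pipeline the removable-drive set would be populated from device-arrival or volume-mount telemetry rather than hard-coded, and DS0022 file-access events would be correlated the same way.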
Mitigation
| ID | Name | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |