# T1025 Data from Removable Media

-----------------------------------------------------------------------

## Technique Description

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. 

Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.

## Technique Detection

Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  * Collection

### Platforms:

  * Linux

  * macOS

  * Windows

### System Requirements:

  * Privileges to access removable media drive and files

### Data Sources:

  * **File:** File Access

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Gamaredon Group | A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020) |
| Turla | [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors can collect files from USB thumb drives.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019) |
| APT28 | An [APT28](https://attack.mitre.org/groups/G0007) backdoor may collect the entire contents of an inserted USB device.(Citation: Microsoft SIR Vol 19) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1025)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*
-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis


## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT 28, Turla | 1, 2 | |

- APT28 malware (USBStealer) collects files from air-gapped victims and exfiltrates them via removable media.
- APT28 and Turla may use RPC backdoors to automatically collect data from removable media.

## Detection Blindspots

- This requires a physical device to be plugged into a machine, making it very difficult to detect on the network.

## Analytical References

  * [Turla PowerShell Usage (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [Microsoft Security Intelligence Report, Volume 19](http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf)
  * [How to disable AutoRun in Windows (Microsoft)](https://support.microsoft.com/en-us/help/967715/how-to-disable-the-autorun-functionality-in-windows)
  * [MITRE ATT&CK T1025](https://attack.mitre.org/techniques/T1025/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitor file access on removable media.
- Detect processes that execute when removable media are mounted.
- The presence of removable media is covered in several playbooks, including T1092 (Communication Through Removable Media), T1025 (Data from Removable Media), and T1120 (Peripheral Device Discovery).
- If removable media is not allowed in the environment, then any event ID generated for it is highly suspicious. Work with the MP to determine whether this is the case.
- Monitor processes & command-line arguments for actions that could be taken to collect files from a system's connected removable media.
- Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

#### Analytic 1 (APT 28, Turla)

  * **Information:** Monitor file access on removable media.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event_id:4663 AND "Removable Storage"```

  * **Query:** ```event_id:4663 AND NOT object.name:"C:\*" AND object.type:File```

#### Analytic 2 (APT 28, Turla)

  * **Information:** Detect processes that execute from removable media after it is mounted or when initiated by a user.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Coordination with MP is needed to determine the standard drive that they use

  * **Query:** ```event_id:4688 AND NOT new.process.name:<normal drive in use>:*```
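The two analytics above, implemented as an added example over constructed Windows Security event records (this is not the playbook's own code; the field names `event_id`, `task`, `object.*` and `new_process_name` mirror the queries above rather than a real Winlogbeat schema, and the allowed drive set stands in for the "normal drive in use" agreed with the MP). It also shows two edge cases the Kibana queries share: registry objects in 4663 are skipped by the `object.type:File` clause, and UNC paths in 4688 are flagged because they are not on an allowed drive.

```python
import re

# Drives that processes and files are normally expected to live on.
# Assumption for this example: the MP's standard drive is C: only.
ALLOWED_DRIVES = {"C"}

DRIVE_RE = re.compile(r"^([A-Za-z]):\\")


def drive_letter(path):
    """Return the upper-case drive letter of a Windows path, or None for UNC/registry paths."""
    m = DRIVE_RE.match(path or "")
    return m.group(1).upper() if m else None


def analytic1_removable_file_access(event):
    """Analytic 1: 4663 object-access events on a file outside the allowed drives,
    or audited under the 'Removable Storage' task category."""
    if event.get("event_id") != 4663:
        return False
    if "Removable Storage" in event.get("task", ""):
        return True
    obj = event.get("object", {})
    return obj.get("type") == "File" and drive_letter(obj.get("name")) not in ALLOWED_DRIVES


def analytic2_process_from_removable(event):
    """Analytic 2: 4688 process-creation events whose image is not on an allowed drive."""
    if event.get("event_id") != 4688:
        return False
    return drive_letter(event.get("new_process_name")) not in ALLOWED_DRIVES


def hunt(events):
    """Run both analytics and return (analytic, record_id) hits in log order."""
    hits = []
    for e in events:
        if analytic1_removable_file_access(e):
            hits.append(("analytic1", e["record_id"]))
        if analytic2_process_from_removable(e):
            hits.append(("analytic2", e["record_id"]))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 4663, "task": "Removable Storage", "object": {"type": "File", "name": "E:\\finance\\budget.xlsx"}},
    {"record_id": 2, "event_id": 4663, "task": "File System", "object": {"type": "File", "name": "C:\\Users\\jdoe\\notes.txt"}},
    {"record_id": 3, "event_id": 4663, "task": "File System", "object": {"type": "Key", "name": "\\REGISTRY\\MACHINE\\SOFTWARE"}},
    {"record_id": 4, "event_id": 4688, "new_process_name": "E:\\tools\\collect.exe"},
    {"record_id": 5, "event_id": 4688, "new_process_name": "C:\\Windows\\System32\\cmd.exe"},
    {"record_id": 6, "event_id": 4688, "new_process_name": "\\\\fileserver\\share\\app.exe"},  # UNC path, also flagged
]

if __name__ == "__main__":
    for rule, rid in hunt(SAMPLE_EVENTS):
        print(rule, rid)
```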
-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

No network traffic for this event.

