Adversaries may exfiltrate data by copying files to USB drives. This hunt correlates FileCreated events with the most recent USB drive mount on the same device, so that SOC teams can proactively hunt in Azure Sentinel for data exfiltration attempts that bypass network-based detection mechanisms entirely.
KQL Query
```kql
let UsbDriveMount = DeviceEvents
| where ActionType=="UsbDriveMounted"
| extend ParsedFields=parse_json(AdditionalFields)
| project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,
    ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
| order by DeviceId asc, MountTime desc;
let FileCreation = DeviceFileEvents
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| where FolderPath !startswith "C:\\"
| where FolderPath !startswith "\\"
| project ReportId,DeviceId,InitiatingProcessAccountDomain,
    InitiatingProcessAccountName,InitiatingProcessAccountUpn,
    FileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied
| order by DeviceId asc, Timestamp desc;
FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter
| where Timestamp >= MountTime
| partition hint.strategy=native by ReportId ( top 1 by MountTime )
| order by DeviceId asc, Timestamp desc
```
```yaml
id: fc2c5bbb-5347-4903-87e6-c2c76c43e420
name: Files copied to USB drives
description: |
  This query lists files copied to USB external drives, together with the USB drive information, based on FileCreated events associated with the most recent USBDriveMount event before each file creation. Be aware that Advanced Hunting does not monitor all file types.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
      - DeviceFileEvents
tactics:
  - Exfiltration
query: |
  let UsbDriveMount = DeviceEvents
  | where ActionType=="UsbDriveMounted"
  | extend ParsedFields=parse_json(AdditionalFields)
  | project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=Timestamp,
      ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer
  | order by DeviceId asc, MountTime desc;
  let FileCreation = DeviceFileEvents
  | where InitiatingProcessAccountName != "system"
  | where ActionType == "FileCreated"
  | where FolderPath !startswith "C:\\"
  | where FolderPath !startswith "\\"
  | project ReportId,DeviceId,InitiatingProcessAccountDomain,
      InitiatingProcessAccountName,InitiatingProcessAccountUpn,
      FileName, FolderPath, SHA256, Timestamp, SensitivityLabel, IsAzureInfoProtectionApplied
  | order by DeviceId asc, Timestamp desc;
  FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId
  | where FolderPath startswith DriveLetter
  | where Timestamp >= MountTime
  | partition hint.strategy=native by ReportId ( top 1 by MountTime )
  | order by DeviceId asc, Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: System Restore or Backup Job Copies Files to USB Drive
Description: A scheduled backup or system restore task copies files to a USB drive as part of a routine maintenance process.
Filter/Exclusion: Exclude files created by system restore tools (e.g., wbadmin, vssadmin) or backup software (e.g., Acronis, Veeam) using process name or command line arguments.
Scenario: Admin Task for Data Migration to External Storage
Description: An administrator uses a script or tool (e.g., Robocopy, rsync, or scp) to transfer files to a USB drive for offsite storage or archiving.
Filter/Exclusion: Exclude files created by known administrative tools or scripts using process name, command line, or user context (e.g., Administrator or SYSTEM).
Scenario: User Copies Files to USB Drive for Personal Use
Description: A user manually transfers files to a USB drive for personal use (e.g., transferring documents to a personal device).
Filter/Exclusion: Exclude files created by user-initiated actions using user context (e.g., User1) or file paths that match known personal storage locations (e.g., C:\Users\User1\Documents).
Scenario: USB Drive Used for Software Installation
Description: A USB drive is used to install software on multiple machines, and the installation process copies files to the drive during setup.
Filter/Exclusion: Exclude files created by known installation tools (e.g., setup.exe, install.exe) or by USB-based deployment tools (e.g., PDQ Deploy, Microsoft Endpoint Configuration Manager).
Scenario: USB Drive Used for Temporary File Storage
Description: A USB drive is used as temporary storage for files during a
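As an added example (not the original hunting query and not code from the Microsoft Sentinel repository), the same mount/file-creation correlation with the backup, migration and installer exclusions from the scenarios above applied, then aggregated per mount session. The process names in the exclusion lists and the alerting thresholds are assumptions to tune per environment.

```kql
// Added example: USB copy hunt with false-positive exclusions and per-mount aggregation.
// Assumptions: the excluded process names and the 10-file threshold are placeholders.
let UsbDriveMount = DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend ParsedFields = parse_json(AdditionalFields)
| project DeviceId, DeviceName, MountTime = Timestamp,
    DriveLetter = tostring(ParsedFields.DriveLetter),
    ProductName = tostring(ParsedFields.ProductName),
    SerialNumber = tostring(ParsedFields.SerialNumber);
let FileCreation = DeviceFileEvents
| where ActionType == "FileCreated"
// Drop built-in service accounts, not just "system"
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
// Keep only paths that are not on the OS volume or a UNC share
| where FolderPath !startswith "C:\\" and FolderPath !startswith "\\"
// Scenario "backup / restore job": Windows backup and VSS tooling
| where InitiatingProcessFileName !in~ ("wbadmin.exe", "vssadmin.exe")
// Scenario "admin data migration": bulk copy tools (assumed list)
| where InitiatingProcessFileName !in~ ("robocopy.exe", "rsync.exe", "scp.exe")
// Scenario "software installation": installers writing back to the drive
| where InitiatingProcessFileName !in~ ("setup.exe", "install.exe")
| project ReportId, DeviceId, InitiatingProcessAccountUpn, InitiatingProcessFileName,
    InitiatingProcessCommandLine, FileName, FolderPath, SHA256, Timestamp, SensitivityLabel;
FileCreation
| lookup kind=inner (UsbDriveMount) on DeviceId
| where FolderPath startswith DriveLetter and Timestamp >= MountTime
// Keep the most recent mount before each file creation, one row per file event
| partition hint.strategy=native by ReportId ( top 1 by MountTime )
// Aggregate per device, user and mount session so bursts stand out
| summarize FileCount = dcount(SHA256),
    LabelledFiles = countif(isnotempty(SensitivityLabel)),
    FirstCopy = min(Timestamp), LastCopy = max(Timestamp),
    Processes = make_set(InitiatingProcessFileName, 10),
    SampleFiles = make_set(FileName, 20)
    by DeviceName, InitiatingProcessAccountUpn, DriveLetter, SerialNumber, ProductName, MountTime
// Surface sessions with labelled (sensitive) content or a burst of copies (threshold assumed)
| where LabelledFiles > 0 or FileCount >= 10
| order by LabelledFiles desc, FileCount desc
```

The exclusions operate on InitiatingProcessFileName so that a renamed copy tool still appears; pair them with a periodic review of what the excluded processes actually wrote.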