Adversaries may be exfiltrating data by copying files to external USB drives, which is a common tactic for data theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration attempts early.
KQL Query
```kql
let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
let TimespanInSeconds = 900; // Period of time between device insertion and file copy
let Connections =
DeviceEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
// ClassId comes from parsed.ClassId; parsed.DeviceId is already captured as UsbDeviceId
| project DeviceId, ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.ClassId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
DeviceFileEvents
// Exclude the system volume (startswith is case-insensitive, so "c" matches "C:\") and UNC paths
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
| join kind=inner Connections on DeviceId
// Keep only file events that follow the insertion; with "<=" alone, every event before the insertion also passes
| where datetime_diff('second', Timestamp, ConnectionTime) between (0 .. TimespanInSeconds)
```
```yaml
id: 34be41b9-eddf-43ca-b208-5b912937f496
name: Possible File Copy to USB Drive
description: |
  This query searches for file copies that occur within a period of time (by default 15 min) after a USB mass storage
  device is inserted, to volumes other than the C drive or UNC shares. By default, this query will search all devices.
  A single device can be specified by entering the DeviceName in the DeviceNameToSearch variable. Additionally, to change
  the period of time from when the USB device was inserted, adjust the TimespanInSeconds value.
  Happy hunting!
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
      - DeviceFileEvents
tactics:
  - Collection
  - Exfiltration
query: |
  let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
  let TimespanInSeconds = 900; // Period of time between device insertion and file copy
  let Connections =
  DeviceEvents
  | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
  | extend parsed = parse_json(AdditionalFields)
  // ClassId comes from parsed.ClassId; parsed.DeviceId is already captured as UsbDeviceId
  | project DeviceId, ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.ClassId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
  | where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
  DeviceFileEvents
  // Exclude the system volume (startswith is case-insensitive, so "c" matches "C:\") and UNC paths
  | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
  | join kind=inner Connections on DeviceId
  // Keep only file events that follow the insertion; with "<=" alone, every event before the insertion also passes
  | where datetime_diff('second', Timestamp, ConnectionTime) between (0 .. TimespanInSeconds)
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure the MicrosoftThreatProtection data connector is enabled for this table |
| DeviceFileEvents | Ensure the MicrosoftThreatProtection data connector is enabled for this table |
| False-positive scenario | Filter/Exclusion |
|---|---|
| A system administrator is using Robocopy to transfer files between servers for backup purposes. | Exclude events where the source or destination is a server volume (e.g., \\server\backup), or filter by process name robocopy. |
| A user is copying files to a USB drive as part of a legitimate data migration task. | Exclude events where the user is authenticated as a member of the Data Migration security group, or filter by user account. |
| A scheduled task (e.g., via Task Scheduler) is copying files to a USB drive for archival. | Exclude events where the process is initiated by a scheduled task (e.g., Task Scheduler or schtasks.exe). |
| A virtual machine (VM) is copying files to a USB drive attached to the host machine for data transfer. | Exclude events where the source or destination is a VM volume (e.g., VMwareVM or VirtualBox-related paths), or filter by VM name. |
| A third-party backup tool (e.g., Veeam, Acronis) is copying files to a USB drive for offsite storage. | Exclude events where the process is initiated by the backup tool's executable (e.g., veeam.exe, acronisbackup.exe), or filter by process name. |
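The base query and the false-positive scenarios above, combined into one tuned hunt (scenarios 1, 2, 3 and 5). This is an added example, not part of the original hunting query: the tool and account allow-lists are placeholders for your environment, and the scheduled-task exclusion by parent process name is an approximation, since tasks on current Windows run under the Schedule service inside svchost.exe.

```kql
// Added example, not part of the original hunting query. The allow-lists below are placeholders.
let DeviceNameToSearch = '';
let TimespanInSeconds = 900;
let ExpectedCopyTools = dynamic(["robocopy.exe", "veeam.exe", "acronisbackup.exe"]); // placeholder: approved copy/backup tools
let ApprovedMigrationAccounts = dynamic(["svc-datamigration"]);                      // placeholder: accounts used for approved migrations
let Connections =
DeviceEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project DeviceId, ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
DeviceFileEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")          // writes only; deletes are not copies
| where FolderPath !startswith "c" and FolderPath !startswith @"\"            // skip the system volume and UNC paths
| where InitiatingProcessFileName !in~ (ExpectedCopyTools)                    // scenarios 1 and 5: Robocopy and backup tools
| where InitiatingProcessAccountName !in~ (ApprovedMigrationAccounts)         // scenario 2: approved migration accounts
| where InitiatingProcessParentFileName !in~ ("schtasks.exe", "taskeng.exe")  // scenario 3: approximate scheduled-task parents
| join kind=inner Connections on DeviceId
| where datetime_diff('second', Timestamp, ConnectionTime) between (0 .. TimespanInSeconds) // only events after the insertion
| summarize FileCount = count(), SampleFiles = make_set(FileName, 20), FirstCopy = min(Timestamp), LastCopy = max(Timestamp)
    by DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessFileName, UsbDeviceId, VendorIds, ConnectionTime
| order by FileCount desc
```

The summarize step turns one row per file into one row per device, account, process and insertion, so a burst of writes to a freshly connected drive surfaces at the top of the results.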