Exfiltration over USB
Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Detection logic
Monitor file access on removable media. Detect processes that execute when removable media are mounted.
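One way to express both checks as stateful correlation over endpoint telemetry, as an added example that is not part of the original page. The event schema, field names, thresholds and sample events are constructed assumptions; it reads "execute when removable media are mounted" as a process image on the removable volume starting shortly after the mount.

```python
from collections import defaultdict

# Constructed sample telemetry; the field names are a hypothetical normalized
# schema, not the output of any particular EDR or audit subsystem.
EVENTS = [
    {"ts": 100, "host": "ws1", "type": "mount", "volume": "E:", "removable": True},
    {"ts": 105, "host": "ws1", "type": "proc_start", "image": "E:\\tools\\sync.exe", "pid": 410},
    {"ts": 130, "host": "ws1", "type": "file_write", "path": "E:\\out\\a.zip", "pid": 410, "bytes": 40_000_000},
    {"ts": 140, "host": "ws1", "type": "file_write", "path": "E:\\out\\b.zip", "pid": 410, "bytes": 30_000_000},
    {"ts": 150, "host": "ws1", "type": "file_write", "path": "C:\\temp\\x.log", "pid": 410, "bytes": 900},
    {"ts": 200, "host": "ws1", "type": "unmount", "volume": "E:"},
    # E: is no longer removable media here (e.g. drive letter reused); must not alert.
    {"ts": 260, "host": "ws1", "type": "file_write", "path": "E:\\late.bin", "pid": 77, "bytes": 99_000_000},
    {"ts": 300, "host": "ws2", "type": "mount", "volume": "D:", "removable": False},
    {"ts": 310, "host": "ws2", "type": "proc_start", "image": "D:\\app\\run.exe", "pid": 5},
]

def volume_of(path):
    """Return the drive-letter prefix ('E:') of a Windows-style path."""
    return path[:2].upper()

def detect(events, exec_window=60, write_threshold=50_000_000):
    mounted = {}                # (host, volume) -> mount timestamp, removable only
    written = defaultdict(int)  # (host, volume, pid) -> bytes written so far
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev["host"], ev["type"]
        if kind == "mount" and ev.get("removable"):
            mounted[(host, ev["volume"])] = ev["ts"]
        elif kind == "unmount":
            mounted.pop((host, ev["volume"]), None)
        elif kind == "proc_start":
            key = (host, volume_of(ev["image"]))
            # Image lives on removable media and started soon after the mount.
            if key in mounted and ev["ts"] - mounted[key] <= exec_window:
                findings.append(("exec_from_removable", host, ev["image"]))
        elif kind == "file_write":
            key = (host, volume_of(ev["path"]))
            if key not in mounted:
                continue        # fixed disk, or volume no longer attached
            wkey = key + (ev["pid"],)
            before = written[wkey]
            written[wkey] += ev["bytes"]
            # Alert once, when the per-process total first crosses the threshold.
            if before < write_threshold <= written[wkey]:
                findings.append(("bulk_write_to_removable", host, key[1], ev["pid"], written[wkey]))
    return findings
```

Tracking mount state per host and volume is what keeps writes to fixed disks, and to a drive letter after the device is removed, out of the results.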