Skip to content
Atomic Red Team
atomics
T1025

T1025 - Data from Removable Media

Description from ATT&CK (opens in a new tab)

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd (opens in a new tab) may be used to gather information.

Some adversaries may also use Automated Collection (opens in a new tab) on removable media.

Atomic Tests


Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell

This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files (e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.

Supported Platforms: Windows

auto_generated_guid: 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e

Attack Commands: Run with command_prompt!

powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"