T1025 - Data from Removable Media
Description from ATT&CK (opens in a new tab)
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd (opens in a new tab) may be used to gather information.
Some adversaries may also use Automated Collection (opens in a new tab) on removable media.
Atomic Tests
Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files (e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics how adversaries might scan for sensitive documents on removable devices for exfiltration or analysis.
Supported Platforms: Windows
auto_generated_guid: 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e
Attack Commands: Run with command_prompt!
powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"