T1025 - Data from Removable Media
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Some adversaries may also use Automated Collection on removable media.
Atomic Tests:
Currently, no tests are available for this technique.
Detection
Monitor processes and command-line arguments for actions that could be taken to collect files from a system’s connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
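As an added illustration of the detection guidance above (this is example code, not part of the ATT&CK page or any vendor product), the following Python runs a simple rule over constructed process-creation events: it flags command lines that enumerate or copy from drive letters known to be removable, and command lines that query the system for removable disks. The set of removable drive letters is assumed to come from host inventory (for example Win32_LogicalDisk with DriveType 2); here E: and F: are assumed.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified),
# not real telemetry. Drives E: and F: are assumed to be removable on this host.
SAMPLE_EVENTS = [
    {"pid": 4012, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir E:\\ /s /b > C:\\Users\\alice\\AppData\\Local\\Temp\\list.txt"},
    {"pid": 4020, "image": "C:\\Windows\\System32\\robocopy.exe",
     "cmdline": "robocopy E:\\ C:\\Users\\alice\\staging /E"},
    {"pid": 4031, "image": "C:\\Windows\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"pid": 4044, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-ChildItem F:\\ -Recurse | Copy-Item -Destination C:\\tmp"'},
    {"pid": 4050, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic logicaldisk where drivetype=2 get deviceid"},
]

# cmd and PowerShell utilities commonly used to list or copy whole file trees.
COLLECTION_VERBS = re.compile(
    r"\b(dir|tree|copy|xcopy|robocopy|Get-ChildItem|gci|Copy-Item|Compress-Archive)\b", re.I)
# Any drive-letter path such as E:\ or F:/ appearing on the command line.
DRIVE_REF = re.compile(r"\b([A-Za-z]):[\\/]")
# WMI / PowerShell queries that list removable disks (Win32_LogicalDisk DriveType 2 = removable).
REMOVABLE_ENUM = re.compile(r"drivetype\s*=\s*2|Win32_LogicalDisk|Get-Volume", re.I)

def drives_referenced(cmdline):
    """Upper-case drive letters referenced as paths in a command line."""
    return {m.group(1).upper() for m in DRIVE_REF.finditer(cmdline)}

def detect_removable_media_collection(events, removable_drives):
    """Return one finding per event that enumerates or copies from a removable drive,
    or that queries the host for removable disks. Findings keep event order."""
    removable = {d.upper() for d in removable_drives}
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        hit = drives_referenced(cmd) & removable
        if hit and COLLECTION_VERBS.search(cmd):
            findings.append({"pid": ev["pid"], "rule": "collect_from_removable", "drives": sorted(hit)})
        elif REMOVABLE_ENUM.search(cmd):
            findings.append({"pid": ev["pid"], "rule": "enumerate_removable", "drives": []})
    return findings

if __name__ == "__main__":
    for finding in detect_removable_media_collection(SAMPLE_EVENTS, {"E", "F"}):
        print(finding)
```

In production the removable-drive set should be refreshed from device-arrival events, since drive letters are reassigned as media is inserted and removed.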
Shield Active Defense
Pocket Litter
Place data on a system to reinforce the legitimacy of the system or user.
Pocket Litter is data placed on a system to convince an adversary that the system and its users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content; however, Pocket Litter covers aspects beyond content alone (e.g. installed applications, source code, clutter on a system, etc.).
Opportunity
In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary’s behaviors, test their interest in specific topics, or add legitimacy to a system or environment.
Use Case
A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
Procedures
When staging a decoy system and user account, populate a user’s folders and web history to make it look realistic to an adversary. Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.