Suspicious Execution from Mounted Device
This threat brief covers the detection of suspicious executables running from mounted devices, a common tactic used for defense evasion and malware deployment.
Attackers often leverage mounted devices (e.g., USB drives, network shares) to bypass security controls and execute malicious code. This technique is particularly effective because it can circumvent application whitelisting and other security measures that focus on local drives. The execution of binaries from these locations can indicate malicious activity, such as the deployment of malware, execution of rogue scripts, or unauthorized access to sensitive data. Detecting such executions is crucial for identifying and mitigating potential threats. The focus is on identifying unusual process creation events originating from removable or network drives, which deviate from normal system behavior. This brief provides detection rules to identify this activity.
Attack Chain
- An attacker gains initial access to a system (e.g., via phishing or compromised credentials).
- The attacker connects a malicious USB drive or mounts a network share containing malware.
- The attacker uses social engineering or exploits autorun features (if enabled) to trigger the execution of a malicious executable on the mounted device.
- The malicious executable (e.g., a .exe or .dll file) is launched, bypassing standard application whitelisting policies that may only monitor local drives.
- The executed malware establishes persistence, potentially by creating scheduled tasks or modifying registry keys.
- The malware performs malicious activities, such as data exfiltration, lateral movement, or ransomware deployment.
- The attacker leverages the compromised system to access other resources within the network.
Impact
Successful execution of malicious code from a mounted device can lead to a wide range of damaging outcomes. This includes data theft, system compromise, ransomware infection, and denial-of-service attacks. Organizations failing to detect this activity risk significant financial losses, reputational damage, and operational disruption. The impact can range from a single compromised workstation to a widespread network breach, depending on the attacker's objectives and the malware's capabilities.
Detection coverage 3
Execution from Removable Drive
highDetects execution of programs from removable drives.
Execution from Network Share
mediumDetects execution of programs directly from a network share.
Suspicious Execution from Mounted Device via cmd.exe
mediumDetects execution of programs from mounted devices using cmd.exe, which can be a sign of malicious activity.
Detection queries are available on the platform. Get full rules →