Skip to content
Threat Feed
high advisory

Suspicious Execution from Mounted Device

This threat brief covers the detection of suspicious executables running from mounted devices, a common tactic used for defense evasion and malware deployment.

Attackers often leverage mounted devices (e.g., USB drives, network shares) to bypass security controls and execute malicious code. This technique is particularly effective because it can circumvent application whitelisting and other security measures that focus on local drives. The execution of binaries from these locations can indicate malicious activity, such as the deployment of malware, execution of rogue scripts, or unauthorized access to sensitive data. Detecting such executions is crucial for identifying and mitigating potential threats. The focus is on identifying unusual process creation events originating from removable or network drives, which deviate from normal system behavior. This brief provides detection rules to identify this activity.

Attack Chain

  1. An attacker gains initial access to a system (e.g., via phishing or compromised credentials).
  2. The attacker connects a malicious USB drive or mounts a network share containing malware.
  3. The attacker uses social engineering or exploits autorun features (if enabled) to trigger the execution of a malicious executable on the mounted device.
  4. The malicious executable (e.g., a .exe or .dll file) is launched, bypassing standard application whitelisting policies that may only monitor local drives.
  5. The executed malware establishes persistence, potentially by creating scheduled tasks or modifying registry keys.
  6. The malware performs malicious activities, such as data exfiltration, lateral movement, or ransomware deployment.
  7. The attacker leverages the compromised system to access other resources within the network.

Impact

Successful execution of malicious code from a mounted device can lead to a wide range of damaging outcomes. This includes data theft, system compromise, ransomware infection, and denial-of-service attacks. Organizations failing to detect this activity risk significant financial losses, reputational damage, and operational disruption. The impact can range from a single compromised workstation to a widespread network breach, depending on the attacker's objectives and the malware's capabilities.

Detection coverage 3

Execution from Removable Drive

high

Detects execution of programs from removable drives.

sigma tactics: defense_evasion techniques: T1027 sources: process_creation, windows

Execution from Network Share

medium

Detects execution of programs directly from a network share.

sigma tactics: defense_evasion techniques: T1027 sources: process_creation, windows

Suspicious Execution from Mounted Device via cmd.exe

medium

Detects execution of programs from mounted devices using cmd.exe, which can be a sign of malicious activity.

sigma tactics: defense_evasion, execution techniques: T1027, T1059.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →