AN0248: Analytic 0248
Detection of file write-access to USB-mount directories (e.g., /media/, /run/media/) followed by same-file access or execution on another host.
Analyst context for executives and security teams
This analytic matters because it focuses on files moving through removable USB-mounted locations on Linux systems and then appearing or running on another host. For leaders, the decision value is not the USB detail itself; it is whether the organization can see and investigate removable-media movement that may bypass normal network, email, or cloud controls.
Executive priority
Prioritize this as an operational visibility and incident-response readiness question for Linux environments: do teams have evidence of writes to common USB mount paths such as /media/ and /run/media/, and can they correlate that activity across hosts when the same file is later accessed or executed? This can support control validation, audit evidence for removable media governance, and faster triage when physical media is part of an incident.
Technical view
SOC and detection teams should validate Linux telemetry that records file writes under USB-mount directories and can correlate file identity across endpoints when the same file is later accessed or executed. Because the official object provides no detection logic and no tactic mapping, implementation should be treated as an analytic pattern rather than a complete rule. Key engineering decisions include how to identify the same file across hosts, how to distinguish benign administrative or user USB use, and how long to retain endpoint file metadata for cross-host correlation.
Likely telemetry
- Linux endpoint file write events for paths such as /media/ and /run/media/
- File access and file execution telemetry on Linux hosts
- File metadata suitable for correlation, such as path, filename, size, timestamps, and, where available, hashes
- Host identity, user identity, and device/session context for both the source and later-accessing host
- Removable media mount activity or filesystem mount records, where collected
Detection direction
- Confirm that Linux endpoint monitoring captures file writes in common USB mount directories rather than only process starts or network events.
- Correlate a write to removable-media paths with later same-file access or execution on a different host; tune correlation around reliable file identifiers available in the environment.
- Baseline legitimate removable-media workflows, such as IT support, imaging, backups, lab systems, or approved data transfer, to reduce false positives.
- Validate retention windows, because delayed movement between hosts may be missed if endpoint file telemetry is short-lived.
- Treat alerts as triage leads requiring local context, since ATT&CK provides no official detection logic, threshold, tactic, or relationship context for this analytic.
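As an added example of the correlation, baselining and retention points above (this is not MITRE's or Glexia's code, and the analytic object supplies no detection logic), the following Python sketch consumes constructed, normalized Linux file events in a hypothetical schema (ts, host, user, action, path, optional sha256, size). It uses a hash as the cross-host file identity when one was collected and falls back to basename plus size otherwise, suppresses writes by an assumed approved-workflow account, and discards writes older than a configurable retention window so that slow movement between hosts is visibly lost rather than silently matched. Hostnames, users, timestamps, hashes and the `imaging-svc` allowlist are all made up for the illustration.

```python
# Added example (not MITRE's or Glexia's code): a minimal cross-host correlator
# for USB-mount-path writes followed by access/exec elsewhere. The event schema,
# hosts, users, hashes and the approved-user list are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

USB_MOUNT_PREFIXES = ("/media/", "/run/media/")

# Hypothetical baseline of approved removable-media workflows (e.g. an imaging
# service account). Writes by these identities are suppressed, not tracked.
APPROVED_USERS = {"imaging-svc"}


def is_usb_write(ev):
    """True for a file write landing under a common Linux USB mount directory."""
    return ev["action"] == "write" and ev["path"].startswith(USB_MOUNT_PREFIXES)


def file_identity(ev):
    """Pick the most reliable file identifier available on this event.

    A hash is authoritative; without one we fall back to basename plus size,
    which is weaker and is reported as such on the resulting alert.
    """
    if ev.get("sha256"):
        return ("sha256", ev["sha256"])
    basename = ev["path"].rsplit("/", 1)[-1]
    return ("name_size", basename, ev.get("size"))


def correlate(events, window=timedelta(days=7)):
    """Return alerts for USB-path writes followed by open/exec on another host.

    `window` models the retention horizon: a write older than this is dropped
    before matching, so movement slower than the window is missed.
    """
    pending = defaultdict(list)  # file identity -> earlier USB-path write events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # Expire tracked writes that have aged out of the retention window.
        for key in list(pending):
            pending[key] = [w for w in pending[key]
                            if ts - datetime.fromisoformat(w["ts"]) <= window]
            if not pending[key]:
                del pending[key]
        if is_usb_write(ev):
            if ev["user"] in APPROVED_USERS:
                continue  # approved workflow: baselined out
            pending[file_identity(ev)].append(ev)
        elif ev["action"] in ("open", "exec"):
            key = file_identity(ev)
            for w in pending.get(key, []):
                if w["host"] == ev["host"]:
                    continue  # same-host reuse is not the cross-host pattern
                lag = ts - datetime.fromisoformat(w["ts"])
                alerts.append({
                    "identity": key[0],                      # "sha256" or "name_size"
                    "file": w["path"].rsplit("/", 1)[-1],
                    "src_host": w["host"], "src_user": w["user"],
                    "dst_host": ev["host"], "dst_user": ev["user"],
                    "dst_action": ev["action"],
                    "lag_seconds": int(lag.total_seconds()),
                })
    return alerts


# Constructed sample telemetry: four USB-path writes on host-a, then later
# activity that exercises each branch (same host, approved user, in-window
# match by hash, in-window match by name+size, and an out-of-window exec).
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T09:00:00", "host": "host-a", "user": "alice", "action": "write",
     "path": "/media/alice/KINGSTON/update.sh", "sha256": "aa11" * 16, "size": 512},
    {"ts": "2026-01-10T09:00:05", "host": "host-a", "user": "alice", "action": "write",
     "path": "/run/media/alice/KINGSTON/notes.txt", "size": 1024},  # no hash collected
    {"ts": "2026-01-10T09:00:10", "host": "host-a", "user": "imaging-svc", "action": "write",
     "path": "/media/imaging/IMG/base.img", "sha256": "bb22" * 16, "size": 4096},
    {"ts": "2026-01-10T09:00:15", "host": "host-a", "user": "alice", "action": "write",
     "path": "/media/alice/KINGSTON/old.bin", "sha256": "cc33" * 16, "size": 2048},
    {"ts": "2026-01-10T09:01:00", "host": "host-a", "user": "alice", "action": "open",
     "path": "/media/alice/KINGSTON/update.sh", "sha256": "aa11" * 16, "size": 512},
    {"ts": "2026-01-10T10:00:00", "host": "host-d", "user": "dave", "action": "exec",
     "path": "/opt/base.img", "sha256": "bb22" * 16, "size": 4096},
    {"ts": "2026-01-10T11:00:00", "host": "host-b", "user": "bob", "action": "exec",
     "path": "/home/bob/update.sh", "sha256": "aa11" * 16, "size": 512},
    {"ts": "2026-01-13T09:00:05", "host": "host-c", "user": "carol", "action": "open",
     "path": "/tmp/notes.txt", "size": 1024},
    {"ts": "2026-01-20T09:00:15", "host": "host-e", "user": "eve", "action": "exec",
     "path": "/opt/old.bin", "sha256": "cc33" * 16, "size": 2048},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the sketch emits two alerts: the hash-matched execution of update.sh on host-b and the weaker basename-plus-size match for notes.txt on host-c; the `identity` field carries that distinction so triage can weigh the second lead accordingly. The base.img execution is never matched because the approved account's write was baselined out, and the old.bin execution ten days later falls outside the seven-day window, which is the retention gap the fourth bullet above warns about. In a real deployment the expiry would be governed by the telemetry platform's retention rather than an in-memory window, and the file-identity fallback should be tuned to whatever identifiers the endpoint agent reliably emits.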
Mitigation priorities
- Establish or review removable media policy for Linux systems, including where USB use is allowed and how exceptions are approved.
- Ensure endpoint logging and monitoring cover Linux removable-media mount paths and cross-host file correlation needs.
- Limit USB/removable media use on systems where business operations do not require it, using approved administrative controls where available.
- Require incident response playbooks to preserve file metadata, host context, and user context when removable media movement is suspected.
- Use findings from detection validation to support compliance evidence and to prioritize control improvements for high-risk Linux assets.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0248, for Linux. It describes detecting file write-access to USB-mount directories followed by same-file access or execution on another host. No relationship context, tactic mapping, or official detection implementation was supplied, so this assessment frames practical validation questions rather than a finished detection rule.
This assessment is limited to the supplied official STIX fields and external reference. It does not establish adversary attribution, active exploitation, impact, or guaranteed detectability. Local endpoint telemetry quality, file identity strategy, approved USB workflows, and retention periods will determine whether this analytic is feasible and useful.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b443fa5c09b9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0248
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.