AN0342: Analytic 0342
Detects removable drive insertion followed by unusual file access, compression, or staging activity by unauthorized users or unexpected processes.
Analyst context for executives and security teams
This analytic matters because removable media can create a direct path for data movement outside normal network controls. For leaders, the practical question is whether the organization can see a Windows removable drive insertion and quickly connect it to suspicious file access, compression, or staging by a user or process that should not be doing it.
Executive priority
Prioritize this as an evidence and response-readiness issue for environments where removable media is allowed, tolerated, or difficult to eliminate. Security leaders should confirm whether policy, logging, and SOC procedures can prove who inserted removable media, what files were accessed afterward, and whether unusual staging or compression occurred. This supports incident decision-making, compliance evidence, and operational resilience when removable media use is part of business operations.
Technical view
AN0342 is a Windows-focused detection analytic for correlating removable drive insertion with subsequent unusual file access, compression, or staging activity by unauthorized users or unexpected processes. SOC and detection engineering teams should validate that endpoint telemetry can link device insertion events to user context, process context, file access, and archive or staging behavior within a defensible time window. Because ATT&CK provides no official detection logic and no relationship context here, local baselining is required to define what counts as unauthorized, unexpected, or unusual.
Likely telemetry
- Windows removable storage or device insertion events
- Endpoint process creation and parent-child process context
- File access, file copy, and file modification activity on removable volumes
- Archive or compression utility execution and related command-line details where collected
- User identity, logon session, and host ownership context
Detection direction
- Validate correlation from removable drive insertion to follow-on file access, compression, or staging activity on the same Windows host and user session.
- Tune against approved business workflows, such as authorized administrators, backup processes, forensic collection, or sanctioned removable media use.
- Review whether expected processes are well-defined; unexpected process criteria will be weak without local baselines.
- Check blind spots where device insertion is logged but file activity, command-line detail, or user-session linkage is missing.
- Use the analytic as a triage trigger rather than a standalone conclusion, since the supplied ATT&CK object does not provide official detection logic or severity guidance.
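The correlation described in the list above, shown as an added example that is not part of the ATT&CK object or of Glexia's analysis: it walks a sorted event stream, and for every removable drive insertion looks for file access on the inserted volume or execution of an archive tool by the same host and logon session within a time window, suppressing users on an approval list. The event fields, the sample telemetry, the archive tool list, the approved user and the 15-minute window are all constructed assumptions for illustration, not a vendor schema or a recommended threshold.

```python
"""Correlate removable drive insertion with follow-on file access or compression.

Added illustration of the AN0342 correlation idea. Event schema, sample events,
tool list, approved users and window are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    session: str   # logon session id, so insertion and follow-on activity can be linked
    kind: str      # "device_insert" | "file_access" | "process"
    detail: str    # drive letter for inserts, path for file access, command line for processes


def _t(hhmm: str) -> datetime:
    """Build a timestamp on one constructed day from an HH:MM string."""
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry (not real logs).
EVENTS = [
    Event(_t("09:00"), "WS01", "alice", "sess-1", "device_insert", "E:"),
    Event(_t("09:03"), "WS01", "alice", "sess-1", "file_access", r"E:\staging\hr_export.csv"),
    Event(_t("09:05"), "WS01", "alice", "sess-1", "process", r'7z.exe a E:\out.7z "C:\Users\alice\Documents\hr"'),
    Event(_t("09:40"), "WS01", "alice", "sess-1", "file_access", r"E:\late.txt"),        # outside window
    Event(_t("09:00"), "WS02", "backup_svc", "sess-9", "device_insert", "F:"),
    Event(_t("09:02"), "WS02", "backup_svc", "sess-9", "process", r"7z.exe a F:\backup.7z D:\data"),  # approved
    Event(_t("10:00"), "WS03", "bob", "sess-4", "file_access", r"C:\Temp\x.txt"),        # before any insert
    Event(_t("10:05"), "WS03", "bob", "sess-4", "device_insert", "G:"),
    Event(_t("10:06"), "WS03", "bob", "sess-4", "file_access", r"C:\Users\bob\notes.txt"),  # not on G:
]

# Assumed local baseline: archive utilities worth flagging and users with a sanctioned workflow.
ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "tar.exe", "makecab.exe"}
APPROVED_USERS = {"backup_svc"}
WINDOW = timedelta(minutes=15)


def follow_on_evidence(ev: Event, drive: str):
    """Return a reason string if ev is file access on the inserted drive or an archive tool run, else None."""
    if ev.kind == "file_access" and ev.detail.upper().startswith(drive.upper()):
        return "file access on removable volume"
    if ev.kind == "process":
        # First command-line token as the image; real telemetry should use the image path field instead.
        exe = ntpath.basename(ev.detail.split()[0]).lower()
        if exe in ARCHIVE_TOOLS:
            return f"archive tool {exe}"
    return None


def correlate(events, window=WINDOW, approved=APPROVED_USERS):
    """Return one alert per insertion that has follow-on evidence in the same host and session."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ins in enumerate(ordered):
        if ins.kind != "device_insert" or ins.user in approved:
            continue
        evidence = []
        for ev in ordered[i + 1:]:
            if ev.ts - ins.ts > window:
                break  # stream is sorted, so nothing later can be inside the window
            if (ev.host, ev.session) != (ins.host, ins.session):
                continue
            reason = follow_on_evidence(ev, ins.detail)
            if reason:
                evidence.append({"ts": ev.ts.isoformat(), "reason": reason, "detail": ev.detail})
        if evidence:
            alerts.append({
                "host": ins.host, "user": ins.user, "session": ins.session,
                "drive": ins.detail, "inserted_at": ins.ts.isoformat(), "evidence": evidence,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed stream only the WS01 insertion produces an alert, with two evidence records; the backup account is suppressed by the approval list, the 09:40 access falls outside the window, and the WS03 activity never touches the inserted volume. Widening the window or emptying the approval list changes the result, which is the tuning trade-off the list above describes.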
Mitigation priorities
- Establish and enforce removable media policy before relying on detection alone.
- Limit removable media use to authorized users, approved devices, and documented business cases where feasible.
- Ensure Windows endpoint logging and endpoint security tooling capture device insertion, user context, process activity, and file activity needed for investigation.
- Create SOC playbooks for validating ownership, business justification, files touched, and whether compression or staging indicates potential data handling risk.
- Periodically test the control and logging path with authorized scenarios to confirm evidence is available for incident response and audit needs.
Analyst notes and limits
The object is a detection analytic, not a technique, and no ATT&CK tactics, relationships, or official detection procedure were supplied. The strongest value is in validating telemetry coverage and correlation quality for removable media events on Windows systems.
This take is limited to the official STIX fields, the MITRE external reference, and the stated description. It does not establish attacker intent, active exploitation, attribution, impact, or guaranteed detection. Local policy, asset criticality, user authorization, and normal removable media workflows are required to operationalize it.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6676ec2fb744… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0342
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.