MITRE ATT&CK® Analytic

AN0343: Analytic 0343

Detects mounted external devices (via /media or /mnt) followed by large file read or copy operations by shell scripts, unauthorized users, or staging tools (e.g., tar, rsync).

Domain: Enterprise | ID: AN0343 | Type: Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because external media mounts followed by bulk file access can indicate data being collected, staged, copied, or moved outside normal workflows on Linux systems. For leaders, the practical question is whether the organization can distinguish approved removable-media use, backups, and administration from unusual large-scale reads or copies from /media or /mnt paths.

Executive priority

Prioritize this where Linux hosts store regulated data, operational data, source code, credentials, or other high-value files, or where removable media use is part of business operations. The decision value is in validating audit-ready evidence: which Linux systems allow external mounts, who is authorized to use them, whether large file movement is logged, and whether the SOC can triage this activity quickly without relying on user reports.

Technical view

The supplied analytic is Linux-focused and looks for mounted external devices under /media or /mnt followed by large file read or copy activity by shell scripts, unauthorized users, or staging tools such as tar and rsync. SOC and detection teams should validate whether endpoint, process, filesystem, and mount telemetry can correlate mount events with subsequent high-volume file reads or copy/archive commands. Because no ATT&CK tactic or official detection logic is supplied, local tuning should define what counts as 'large,' which users and scripts are authorized, and which backup or administration workflows are expected.

Likely telemetry

  • Linux mount activity and mounted path evidence for /media and /mnt
  • Process execution telemetry for shell scripts and tools such as tar and rsync
  • Command-line arguments showing source paths, destination paths, archive creation, or recursive copy behavior
  • File access or filesystem monitoring showing high-volume reads or copies from mounted external device paths
  • User identity and session context for the account initiating mount or file movement activity

Detection direction

  • Correlate new or existing mounts under /media or /mnt with near-term bulk file reads, copies, archives, or synchronization activity.
  • Tune thresholds for 'large file read or copy operations' based on host role, normal backup patterns, engineering workflows, and removable-media policies.
  • Maintain allowlists or expected-use models for authorized users, scheduled jobs, backup scripts, and administrative tools to reduce false positives.
  • Treat shell-script-driven copying and tar or rsync activity from mounted external paths as higher-priority when the initiating user is not approved for removable-media workflows.
  • Validate blind spots: hosts without process command-line logging, filesystem monitoring, mount logging, or identity/session attribution may not support this analytic reliably.
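The correlation sketched in the technical view and the detection-direction list above can be prototyped before any SIEM query exists. The script below is an added illustration, not a MITRE detection query and not Glexia's code: it walks a constructed, simplified event stream (mount, process and file-read records with a host, user and timestamp), pairs each mount under /media or /mnt with follow-on activity on the same host inside a time window, and emits a finding when a staging tool (tar, rsync, cp, dd, zip), a shell interpreter running a script, or a bulk read touches the mounted path. The window length, byte threshold, tool list, allowlist and the sample events are all assumptions to be replaced by the local tuning the page calls for; severity drops from high to medium only when the initiating user is on the allowlist.

```python
"""Correlate external-media mounts with follow-on bulk copy activity.

Illustrative detection logic for the analytic on this page. The event
schema, sample events, thresholds and allowlist are constructed
assumptions, not an official MITRE query or Glexia's own tooling.
"""
import os
import shlex
from dataclasses import dataclass

EXTERNAL_MOUNT_ROOTS = ("/media/", "/mnt/")          # paths named by the analytic
STAGING_TOOLS = {"tar", "rsync", "cp", "dd", "zip"}   # assumed staging/copy tools
SHELLS = {"sh", "bash", "dash", "zsh"}                 # interpreter => script-driven


@dataclass
class Finding:
    host: str
    user: str
    mount_point: str
    reason: str
    severity: str  # "high" for non-allowlisted users, else "medium"


def _argv(cmdline):
    """Split a command line into argv; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _touches(argv, mount_point):
    """True if any argument refers to a path under the mount point."""
    return any(tok.startswith(mount_point) for tok in argv)


def detect(events, *, window_s=600, byte_threshold=500_000_000,
           authorized_users=frozenset()):
    """Return one Finding per suspicious activity that follows an external mount.

    events: dicts with keys ts (seconds), host, user and kind, where
      kind == "mount"     carries target (the mount point),
      kind == "process"   carries cmdline,
      kind == "file_read" carries path and bytes.
    """
    findings = []
    for m in events:
        if m["kind"] != "mount" or not m["target"].startswith(EXTERNAL_MOUNT_ROOTS):
            continue
        mount_point = m["target"].rstrip("/")
        bytes_by_user = {}
        for e in events:
            # Same host, inside the correlation window after the mount.
            if e["host"] != m["host"] or not (m["ts"] <= e["ts"] <= m["ts"] + window_s):
                continue
            severity = "medium" if e["user"] in authorized_users else "high"
            if e["kind"] == "process":
                argv = _argv(e["cmdline"])
                if not argv or not _touches(argv, mount_point):
                    continue
                tool = os.path.basename(argv[0])
                if tool in STAGING_TOOLS:
                    findings.append(Finding(e["host"], e["user"], mount_point,
                                            f"staging tool {tool}", severity))
                elif tool in SHELLS:
                    findings.append(Finding(e["host"], e["user"], mount_point,
                                            "shell script", severity))
            elif e["kind"] == "file_read" and e["path"].startswith(mount_point + "/"):
                # Accumulate per user so many medium reads still trip the threshold.
                bytes_by_user[e["user"]] = bytes_by_user.get(e["user"], 0) + e["bytes"]
        for user, total in bytes_by_user.items():
            if total >= byte_threshold:
                severity = "medium" if user in authorized_users else "high"
                findings.append(Finding(m["host"], user, mount_point,
                                        f"bulk read {total} bytes", severity))
    return findings


# Constructed sample events: one approved backup job and one unapproved
# script-driven staging sequence from a USB mount, plus two non-matching records.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "build01", "user": "root", "kind": "mount", "target": "/mnt/backup"},
    {"ts": 1030, "host": "build01", "user": "backup", "kind": "process",
     "cmdline": "/usr/bin/rsync -a /srv/data/ /mnt/backup/data/"},
    {"ts": 2000, "host": "dev07", "user": "jdoe", "kind": "mount", "target": "/media/jdoe/USB0"},
    {"ts": 2045, "host": "dev07", "user": "jdoe", "kind": "process",
     "cmdline": "/bin/bash /tmp/stage.sh /media/jdoe/USB0"},
    {"ts": 2100, "host": "dev07", "user": "jdoe", "kind": "process",
     "cmdline": "tar czf /media/jdoe/USB0/src.tgz /home/jdoe/repos"},
    {"ts": 2200, "host": "dev07", "user": "jdoe", "kind": "file_read",
     "path": "/media/jdoe/USB0/dump.bin", "bytes": 700_000_000},
    {"ts": 9000, "host": "dev07", "user": "jdoe", "kind": "process",   # outside window
     "cmdline": "cp /media/jdoe/USB0/a /tmp"},
    {"ts": 3000, "host": "db02", "user": "root", "kind": "mount",       # not external
     "target": "/var/lib/docker/overlay"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, authorized_users={"backup"}):
        print(f"[{f.severity}] {f.host} {f.user} {f.mount_point}: {f.reason}")
```

Run as is, the approved rsync job on build01 surfaces as a medium finding (the user is allowlisted), while the script, the tar archive and the 700 MB read on dev07 each produce a high finding. Raising the byte threshold or adding the user to the allowlist is exactly the tuning the list above describes; the blind spot noted in the last bullet shows up here as process records with no cmdline or reads with no user, which this logic silently skips.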

Mitigation priorities

  • Define and enforce policy for removable-media use on Linux systems, especially systems holding sensitive or operationally critical data.
  • Restrict mount permissions and file access to approved users and administrative workflows where business requirements allow.
  • Ensure logging is enabled for mount events, process execution, command lines, and relevant file access patterns before relying on this analytic for SOC coverage.
  • Document authorized backup, synchronization, and data-transfer workflows so detection engineering can tune alerts and incident responders can triage quickly.
  • Use asset classification and data sensitivity to prioritize rollout and alert severity for Linux systems where bulk copying would create the greatest business or compliance risk.

Analyst notes and limits

This object is a detection analytic rather than a technique, and the official description is the primary source of content. No relationship context, tactic mapping, or official detection query was supplied. Glexia interprets the value of the analytic as a validation point for Linux removable-media and bulk file-movement monitoring, not as evidence of any specific threat actor or campaign.

The source does not provide detection logic, thresholds, data-source requirements, tactic context, or related ATT&CK techniques. Effectiveness depends on local Linux logging, endpoint visibility, identity attribution, asset criticality, and an organization-specific definition of authorized removable-media and bulk-copy behavior.

Official MITRE ATT&CK definition

Analytic 0343

Detects mounted external devices (via /media or /mnt) followed by large file read or copy operations by shell scripts, unauthorized users, or staging tools (e.g., tar, rsync).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value supplied)
Modified: (no value supplied)
Raw hash: 883594b078b99fa3...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (not supplied)   1.0             (none)    Current bundle  883594b078b9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0343 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.