AN0617: Analytic 0617
Detects USB block device mount followed by file access in sensitive directories or high-volume copy operations by user-controlled processes.
Analyst context for executives and security teams
This analytic is about spotting a Linux host where a USB block device is mounted and then used in a pattern that touches sensitive directories or performs unusually large copy activity. For leaders, the practical issue is not just “USB was inserted”; it is whether removable media could become an unmanaged path for data movement outside normal identity, cloud, network, or endpoint controls.
Executive priority
Prioritize this where Linux systems hold sensitive data, support regulated operations, or are physically accessible to users, administrators, contractors, or shared operations staff. The decision value is in confirming whether the organization can prove when removable storage was connected, who used it, what sensitive paths were accessed, and whether high-volume copying occurred. This supports incident response scoping, insider-risk investigations, compliance evidence, and removable-media control decisions.
Technical view
For SOC, detection engineering, and IR teams, validate correlation on Linux between USB block device mount events and subsequent user-controlled process activity involving sensitive directories or high-volume file copy behavior. Because no ATT&CK detection logic or relationship context is supplied, teams should treat AN0617 as an analytic pattern to implement and tune locally rather than a complete rule. Key engineering questions include how mounts are logged, how file access is audited, how sensitive directories are defined, how copy volume is measured, and how user/process attribution is preserved.
Likely telemetry
- Linux block device and USB insertion events
- Mount and unmount events for removable block devices
- Process execution metadata for user-controlled copy, archive, shell, or file-management activity
- File access events for sensitive directories
- File read/write volume or count over time
Detection direction
- Correlate USB block device mount events with nearby file access or copy activity by the same user, session, host, or process tree.
- Define and maintain the sensitive directory list locally; generic path lists may miss business-critical data locations.
- Tune high-volume copy thresholds by host role to reduce noise from legitimate backup, imaging, administrator, or maintenance workflows.
- Preserve process lineage so analysts can distinguish interactive user activity from scheduled system activity.
- Validate coverage on Linux endpoints specifically; this analytic does not provide support for other platforms.
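As an added illustration of the correlation described in the technical view and the detection direction above (not part of the ATT&CK object or Glexia's analysis), this Python sketch replays constructed sample events and raises an alert only when a mount by a host/user pair is followed, within a window, by sensitive-path access or by copy volume above a per-role threshold. The sensitive-path list, window, host roles and thresholds are assumed placeholders to be replaced with local values.

```python
"""Correlate removable-media mounts with follow-on sensitive-path access
or high-volume copying by the same host/user inside a time window."""
from collections import defaultdict

# Constructed sample events, not real telemetry: (ts, host, user, kind, detail)
# kind "mount": detail = mountpoint; kind "file": detail = (path, bytes)
EVENTS = [
    (100, "lx01", "alice", "mount", "/media/usb0"),
    (130, "lx01", "alice", "file", ("/srv/finance/q3.xlsx", 2_000_000)),
    (150, "lx01", "alice", "file", ("/media/usb0/q3.xlsx", 2_000_000)),
    (160, "lx01", "alice", "file", ("/media/usb0/dump.tar", 150_000_000)),
    (200, "lx02", "backup", "mount", "/media/usb1"),
    (210, "lx02", "backup", "file", ("/media/usb1/db.tar", 900_000_000)),
    (5000, "lx01", "alice", "file", ("/srv/finance/q4.xlsx", 10)),
]
# Assumed local configuration: sensitive prefixes, window and role thresholds
SENSITIVE_PREFIXES = ("/srv/finance", "/etc/ssh")
WINDOW_SECS = 900
ROLE_THRESHOLDS = {"workstation": 100_000_000, "backup": 2_000_000_000}
HOST_ROLE = {"lx01": "workstation", "lx02": "backup"}


def is_sensitive(path):
    """True when the path lies under a locally defined sensitive directory."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def correlate(events, window=WINDOW_SECS):
    """Return (host, user, ts, reason) alerts for file activity that follows
    a removable-media mount by the same host/user within the window."""
    alerts = []
    last_mount = {}            # (host, user) -> (mount ts, mountpoint)
    usb_bytes = defaultdict(int)  # bytes written under the mountpoint since mount
    for ts, host, user, kind, detail in sorted(events, key=lambda e: e[0]):
        key = (host, user)
        if kind == "mount":
            last_mount[key] = (ts, detail)
            usb_bytes[key] = 0
            continue
        if key not in last_mount or ts - last_mount[key][0] > window:
            continue  # no recent mount for this host/user: out of scope
        path, nbytes = detail
        if is_sensitive(path):
            alerts.append((host, user, ts, f"sensitive path {path}"))
        if path.startswith(last_mount[key][1] + "/"):
            usb_bytes[key] += nbytes
            limit = ROLE_THRESHOLDS[HOST_ROLE.get(host, "workstation")]
            if usb_bytes[key] > limit:  # threshold tuned per host role
                alerts.append((host, user, ts, f"copy volume {usb_bytes[key]} > {limit}"))
    return alerts
```

The backup host stays quiet because its role threshold is higher, and the late access at ts 5000 is ignored because it falls outside the window after the mount.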
Mitigation priorities
- Establish policy and technical controls for removable storage use on Linux systems that handle sensitive data.
- Limit access to sensitive directories through least privilege and audited administrative workflows.
- Disable or restrict USB mass-storage use where business operations do not require it.
- Require centralized collection of mount, process, and file-access telemetry before relying on this analytic for response decisions.
- Document approved removable-media exceptions to support SOC triage and compliance review.
Analyst notes and limits
AN0617 is a detection analytic in the enterprise ATT&CK domain for Linux. The supplied official description is narrow: USB block device mount followed by file access in sensitive directories or high-volume copy operations by user-controlled processes. No tactics, technique relationships, adversary usage, or official detection logic were supplied, so this take focuses on defensive validation and operational decision value.
The object provides no official detection implementation, no related techniques, no tactic mapping, and no relationship context. Any assessment of risk, coverage, false positives, or priority must be validated against local Linux logging, removable-media policy, sensitive data locations, and business-approved USB workflows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c6eedebf0c34… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0617 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.