MITRE ATT&CK® Analytic

AN1410: Analytic 1410

Adversary mounts a USB device and begins enumerating, copying, or compressing files using scripting engines, cmd, or remote access tools.

Enterprise | AN1410 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because removable media activity can turn a normal Windows endpoint event into a data-handling, insider-risk, or incident-response decision point. The supplied ATT&CK description focuses on a USB device being mounted followed by file enumeration, copying, or compression through scripting engines, cmd, or remote access tools. For leaders, the value is not just detecting a USB insertion; it is proving whether the organization can distinguish routine removable-media use from activity that may indicate unauthorized collection or preparation of files for movement.

Executive priority

Treat this as a control-validation item for Windows endpoint monitoring, removable media governance, and incident readiness. Security leaders should ask whether the business permits USB storage, where exceptions exist, whether endpoint telemetry can connect USB mount events to subsequent file and process activity, and whether SOC playbooks define when to escalate possible data collection behavior. This is especially relevant for compliance evidence and operational resilience where sensitive data may exist on endpoints and removable media use is allowed or only partially restricted.

Technical view

For SOC, detection engineering, and IR teams, validate whether Windows telemetry can correlate a USB mount with near-term use of scripting engines, cmd, or remote access tools performing file enumeration, copying, or compression. Because the official ATT&CK object provides no detection logic and no relationship context, teams should build local analytics around event correlation rather than relying on a single event type. Key validation questions include: can analysts identify the mounted removable device, the user/session, the initiating process tree, accessed file paths, copy/archive activity, and whether a remote access tool was involved? Tune carefully for legitimate administrative backup, helpdesk, engineering, legal, and data-transfer workflows.

Likely telemetry

  • Windows removable device mount or storage device connection events
  • Endpoint process creation telemetry for scripting engines, cmd, compression utilities, and remote access tools
  • File system telemetry showing enumeration, reads, copies, archive creation, or bulk access patterns
  • User and logon/session context associated with the device mount and subsequent processes
  • Endpoint security or EDR process tree and command-line metadata where available

Detection direction

  • Correlate USB mount activity with subsequent file enumeration, copying, or compression on the same Windows host and user/session.
  • Prioritize process lineage: identify whether scripting engines, cmd, or remote access tools initiated or orchestrated file operations after the device mount.
  • Baseline legitimate removable-media workflows to reduce false positives from approved backup, imaging, diagnostics, or file-transfer activity.
  • Look for concentration of activity against sensitive directories or unusually large/broad file access after removable media insertion, if local telemetry supports it.
  • Validate blind spots: missing command-line capture, lack of file telemetry, unmanaged remote access tools, disabled device-control logging, and endpoints not covered by EDR.
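
The correlation described in the bullets above, written out as an added example (not code from the MITRE object or from Glexia's page): it links a removable-media mount to process creation on the same host and user inside a short window, accepts a hit when the scripting engine, cmd or remote access tool is either the process itself or the parent that spawned a utility, drops events whose parent is an approved workflow, and weights each hit by whether its command line names the mounted drive letter and whether it carries an enumerate/copy/compress verb. The process names, the verb list, the 15-minute window, the `backupagent.exe` baseline and the sample events are all constructed assumptions to be replaced with local telemetry and tuning.

```python
# Added example (not from the MITRE object or Glexia's page): correlate a
# removable-media mount with follow-on process activity on the same host and
# user inside a short window. Process names, verbs, window length and the
# approved-parent baseline are assumptions to tune locally.
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "device_mount" or "process_create"
    image: str = ""    # process image name (process_create)
    parent: str = ""   # parent image name (process_create)
    cmdline: str = ""  # captured command line (process_create)
    drive: str = ""    # drive letter assigned at mount (device_mount)


# Scripting engines, cmd and remote access tools named in the analytic (assumed list).
ORCHESTRATORS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe",
                 "mstsc.exe", "anydesk.exe", "teamviewer.exe"}
# Command-line verbs that enumerate, copy or compress files (assumed; extend locally).
FILE_OPS = re.compile(r"\b(xcopy|robocopy|copy-item|compress-archive|get-childitem|dir|7z|zip|tar)\b", re.I)
# Parents of approved removable-media workflows, e.g. a backup agent (hypothetical baseline).
APPROVED_PARENTS = {"backupagent.exe"}


def correlate(events, window=timedelta(minutes=15)):
    """Return one alert per mount that has qualifying follow-on process activity."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for m in (e for e in events if e.kind == "device_mount"):
        hits = []
        for e in events:
            if e.kind != "process_create" or e.host != m.host or e.user != m.user:
                continue
            if not (m.ts <= e.ts <= m.ts + window):
                continue
            image, parent = e.image.lower(), e.parent.lower()
            # The orchestrator may be the process itself or the parent that spawned a utility.
            if image not in ORCHESTRATORS and parent not in ORCHESTRATORS:
                continue
            if parent in APPROVED_PARENTS:  # baselined workflow: do not alert
                continue
            refs_drive = bool(m.drive) and m.drive.lower() in e.cmdline.lower()
            file_op = bool(FILE_OPS.search(e.cmdline))
            if refs_drive or file_op:
                hits.append({"ts": e.ts.isoformat(), "image": e.image, "parent": e.parent,
                             "cmdline": e.cmdline, "refs_drive": refs_drive, "file_op": file_op})
        if hits:
            # Weighting: each hit counts 1, +1 if it names the drive, +1 for a file verb.
            score = sum(1 + h["refs_drive"] + h["file_op"] for h in hits)
            alerts.append({"host": m.host, "user": m.user, "drive": m.drive,
                           "mounted_at": m.ts.isoformat(), "score": score, "hits": hits})
    return alerts


T0 = datetime(2025, 1, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    Event(T0, "WS01", "alice", "device_mount", drive="E:"),
    # approved backup agent driving robocopy through cmd: suppressed by the baseline
    Event(T0 + timedelta(minutes=2), "WS01", "alice", "process_create", image="cmd.exe",
          parent="backupagent.exe", cmdline="cmd /c robocopy C:\\Data E:\\Backup /E"),
    Event(T0 + timedelta(minutes=3), "WS01", "alice", "process_create", image="powershell.exe",
          parent="explorer.exe",
          cmdline='powershell -c "Get-ChildItem C:\\Finance -Recurse | Compress-Archive -DestinationPath E:\\q.zip"'),
    Event(T0 + timedelta(minutes=5), "WS01", "alice", "process_create", image="7z.exe",
          parent="cmd.exe", cmdline="7z a E:\\out.7z C:\\Users\\alice\\Documents"),
    # same host, different user: not correlated with alice's mount
    Event(T0 + timedelta(minutes=6), "WS01", "bob", "process_create", image="cmd.exe",
          parent="explorer.exe", cmdline="cmd /c dir E:\\"),
    # same user but outside the window
    Event(T0 + timedelta(minutes=40), "WS01", "alice", "process_create", image="powershell.exe",
          parent="explorer.exe", cmdline="powershell -c Get-ChildItem E:\\"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['drive']} score={a['score']} hits={len(a['hits'])}")
        for h in a["hits"]:
            print("  ", h["ts"], h["parent"], "->", h["image"], "|", h["cmdline"])
```

On the constructed sample this yields a single alert for alice on WS01 with two hits (the PowerShell archive command and the 7-Zip run spawned from cmd) and a score of 6; the backup-agent workflow, the other user's activity and the out-of-window event are all excluded. In production the user field should be a logon session identifier rather than a username, and the drive letter must come from the mount event itself, since the same letter is reused across devices.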

Mitigation priorities

  • Define and enforce removable media policy for Windows endpoints, including approved use cases and exception handling.
  • Use device control or endpoint policy to restrict unauthorized USB storage where business requirements allow.
  • Ensure endpoint logging captures device mount, process creation, command-line, and relevant file activity needed for correlation.
  • Limit and monitor scripting engine, cmd, compression utility, and remote access tool usage according to role and administrative need.
  • Create SOC triage guidance for USB-plus-file-activity alerts, including user validation, device identification, data sensitivity review, and containment criteria.

Analyst notes and limits

The supplied object is a detection analytic for Windows only. It describes a behavior pattern but provides no official detection logic, no tactics, and no relationships to techniques, groups, software, mitigations, or data sources. The most defensible use is as a prompt to validate whether local telemetry can connect removable device activity with file collection-like behavior.

This take is limited to the official STIX fields, the external MITRE reference, and the absence of relationship context. It does not assert active exploitation, attribution, impact, or existing detection coverage. Local policy, endpoint visibility, data sensitivity, and approved USB workflows are required to determine severity and tuning.

Official MITRE ATT&CK definition

Analytic 1410

Adversary mounts a USB device and begins enumerating, copying, or compressing files using scripting engines, cmd, or remote access tools.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3ae5ce719bf259de...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 3ae5ce719bf2…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1410 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.