AN1411: Analytic 1411
Adversary mounts external drive to /media or /mnt then accesses or copies targeted data via shell, cp, or tar.
Analyst context for executives and security teams
This analytic describes a Linux data-handling scenario where an adversary mounts an external drive under common mount paths such as /media or /mnt and then accesses or copies targeted data using shell activity or utilities such as cp or tar. For security leaders, the practical issue is not only removable media use; it is whether the organization can prove when sensitive data was staged or transferred to locally attached storage on Linux systems.
Executive priority
Prioritize this where Linux systems store regulated, proprietary, operational, or customer data. The decision value is validating whether SOC and incident response teams have enough endpoint, command, file access, and mount evidence to distinguish approved removable-media workflows from possible data collection or exfiltration preparation. This can support incident scoping, insider-risk investigations, audit evidence, and control decisions around removable storage use.
Technical view
For Linux coverage, validate visibility into external drive mounts to /media and /mnt, followed by shell-driven access or copy activity involving cp or tar. Because the ATT&CK object provides no official detection logic and no relationship context, teams should build detections around correlated host events rather than a single command string: removable media mount event, user/session context, subsequent file enumeration or access, and bulk copy/archive behavior. Tune carefully for legitimate administrator, backup, field-service, forensics, and data-transfer workflows.
Likely telemetry
- Linux mount activity and mounted filesystem paths, especially /media and /mnt
- Process execution telemetry for shells, cp, and tar
- Command-line arguments where available
- File access, copy, and archive creation events involving sensitive directories
- User, session, host, and device context for the mount and subsequent commands
Detection direction
- Validate that Linux endpoint logging captures both mount activity and subsequent process execution; either source alone may be insufficient.
- Correlate external drive mounting under /media or /mnt with nearby shell, cp, or tar activity accessing targeted or sensitive data locations.
- Baseline legitimate removable-media workflows to reduce false positives from administrators, backups, imaging, and authorized data movement.
- Look for volume or pattern changes such as many files copied, archive creation, or access to unusual directories after a mount event.
- Confirm retention is long enough for incident response, since removable-media activity may only be investigated after a data-loss concern is raised.
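One way to implement the correlation described in the Technical view and in the bullets above, as an added example (not code from MITRE or from this page): a small Python pass that groups auditd-style SYSCALL, EXECVE and PATH records by audit serial, marks successful mount(2) calls whose target sits under /media or /mnt, and then flags cp or tar (run directly or behind `bash -c`) from the same login session within a time window when the command line references the mount point, raising severity when a sensitive directory is also named. The sample records are constructed and simplified (real auditd hex-encodes arguments containing spaces); the sensitive directory list, the 15-minute window, and the rule keys `removable_mount` and `exec_watch` (as would be produced by rules such as `-a always,exit -F arch=b64 -S mount -k removable_mount` and `-a always,exit -F arch=b64 -S execve -k exec_watch`) are assumptions for the illustration.

```python
"""Correlate removable-drive mounts under /media or /mnt with follow-on cp/tar
activity from the same login session, over auditd-style key=value records.
Added example; SAMPLE_LOG below is constructed, not a real capture."""
import re

MOUNT_ROOTS = ("/media/", "/mnt/")
COPY_TOOLS = {"cp", "tar"}               # utilities named in the analytic
SHELLS = {"sh", "bash", "dash", "zsh"}   # to see through `bash -c "tar ..."`
SENSITIVE_DIRS = ("/srv/finance",)       # assumption: site-specific list
WINDOW_SECONDS = 900                     # assumption: look-back after a mount

_HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):(.*)$")
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_events(lines):
    """Group SYSCALL/EXECVE/PATH records sharing an audit serial into one event."""
    events = {}
    for line in lines:
        m = _HDR.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "ts": float(ts),
                                        "argv": [], "paths": []})
        fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
        if rtype == "SYSCALL":
            ev.update(fields)                 # auid, ses, syscall, success, comm, ...
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return sorted(events.values(), key=lambda e: e["ts"])


def mount_target(ev):
    """Mount point if this event is a successful mount(2) under /media or /mnt.
    165 is the mount syscall number on x86_64 (arch=c000003e)."""
    if ev.get("syscall") == "165" and ev.get("success") == "yes":
        for p in ev["paths"]:
            if any(p == r.rstrip("/") or p.startswith(r) for r in MOUNT_ROOTS):
                return p
    return None


def copy_tool(argv):
    """Return 'cp'/'tar' if the exec is one of them, directly or via `shell -c`."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    if tool in COPY_TOOLS:
        return tool
    if tool in SHELLS and "-c" in argv and argv.index("-c") + 1 < len(argv):
        for tok in re.split(r"[\s;|&()]+", argv[argv.index("-c") + 1]):
            if tok.rsplit("/", 1)[-1] in COPY_TOOLS:
                return tok.rsplit("/", 1)[-1]
    return None


def correlate(events):
    """Alert when cp/tar in the same session references a recently mounted
    removable path; raise severity when a sensitive directory is also named.
    Copy direction (to vs. from the drive) is deliberately not distinguished."""
    mounts, alerts = [], []
    for ev in events:
        target = mount_target(ev)
        if target:
            mounts.append((ev["ts"], ev.get("ses"), target))
            continue
        tool = copy_tool(ev["argv"])
        if not tool:
            continue
        blob = " ".join(ev["argv"])
        for m_ts, m_ses, m_target in mounts:
            if ev.get("ses") != m_ses or not 0 <= ev["ts"] - m_ts <= WINDOW_SECONDS:
                continue
            if m_target not in blob:
                continue
            sensitive = [d for d in SENSITIVE_DIRS if d in blob]
            alerts.append({"serial": ev["serial"], "auid": ev.get("auid"),
                           "ses": m_ses, "tool": tool, "mount": m_target,
                           "sensitive": sensitive,
                           "severity": "high" if sensitive else "medium",
                           "argv": ev["argv"]})
    return alerts


def detect(log_text):
    return correlate(parse_events(log_text.splitlines()))


# Constructed sample: a USB mount, a recon `ls`, an archive written to the drive,
# an unrelated copy in another session, and a shell-wrapped copy to the drive.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710000000.101:501): arch=c000003e syscall=165 success=yes exit=0 auid=1000 uid=0 ses=4 comm="mount" exe="/usr/bin/mount" key="removable_mount"
type=PATH msg=audit(1710000000.101:501): item=0 name="/dev/sdb1" nametype=NORMAL
type=PATH msg=audit(1710000000.101:501): item=1 name="/media/usb0" nametype=NORMAL
type=SYSCALL msg=audit(1710000000.250:502): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 ses=4 comm="ls" exe="/usr/bin/ls" key="exec_watch"
type=EXECVE msg=audit(1710000000.250:502): argc=3 a0="ls" a1="-la" a2="/srv/finance"
type=SYSCALL msg=audit(1710000000.400:503): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 ses=4 comm="tar" exe="/usr/bin/tar" key="exec_watch"
type=EXECVE msg=audit(1710000000.400:503): argc=5 a0="tar" a1="czf" a2="/media/usb0/q3.tgz" a3="-C" a4="/srv/finance"
type=SYSCALL msg=audit(1710000000.900:504): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 ses=7 comm="cp" exe="/usr/bin/cp" key="exec_watch"
type=EXECVE msg=audit(1710000000.900:504): argc=4 a0="cp" a1="-r" a2="/srv/finance" a3="/tmp/work"
type=SYSCALL msg=audit(1710000001.100:505): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 ses=4 comm="bash" exe="/usr/bin/bash" key="exec_watch"
type=EXECVE msg=audit(1710000001.100:505): argc=3 a0="bash" a1="-c" a2="cp -r /home/shared/notes /media/usb0/"
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], a["serial"], a["tool"], a["mount"], a["sensitive"])
```

On the sample, the tar archive (serial 503) is flagged high because it names both the mount point and /srv/finance, the shell-wrapped cp (serial 505) is flagged medium, and the cp in session 7 is ignored because it belongs to a different login session and never touches the drive. Keying on `ses` rather than `uid` is what lets the example separate an administrator's mount from another user's unrelated copy on the same host; mounts performed by an automounter daemon rather than the user's own session would need the session join relaxed, which is one of the baselining decisions the bullets above call for.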
Mitigation priorities
- Define and enforce policy for removable storage use on Linux systems that handle sensitive or business-critical data.
- Restrict removable media access to approved users and systems where operationally feasible.
- Harden permissions on sensitive directories so a mounted drive does not by itself enable unauthorized copying.
- Ensure Linux audit or endpoint controls collect mount, process, command-line, and file activity needed for investigation.
- Review exceptions regularly so authorized operational use does not become an unmanaged blind spot.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux only. It states the behavior but provides no official detection text, tactics, relationships, groups, software, or mitigations. The strongest use is as a coverage-validation prompt for Linux removable-media monitoring and data-copy investigation readiness.
This take is limited to the supplied STIX fields and external reference. It does not establish active exploitation, attribution, business impact, or guaranteed detectability. Local environment context is required to determine whether external drive use, cp, tar, or shell activity is suspicious or expected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 32928f9d34a8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1411
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.