MITRE ATT&CK® Detection Strategy

DET0511: Detection of Data Access and Collection from Removable Media


Enterprise | DET0511 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0511 is a detection strategy for identifying access to and collection of data from removable media, mapped to ATT&CK technique T1025. The business issue is not the USB device itself; it is whether the organization can prove when sensitive files on removable storage were accessed from a compromised Linux, macOS, or Windows system before possible exfiltration. This matters for incident scoping, data-loss assessment, insider-risk investigations, and audit evidence around removable media controls.

Executive priority

Security leaders should treat this as a control-validation topic for data protection and incident readiness. Key questions are: where is removable media allowed, which systems can read it, what sensitive data may reside on it, and can the SOC reconstruct file access from removable devices during an investigation? Because the supplied ATT&CK object has no official description or detection logic, priority should be based on local exposure: regulated data on portable media, operational reliance on USB or optical media, and environments where endpoint telemetry is incomplete.

Technical view

The detection strategy object itself does not specify platforms, tactics, or detection analytics. Its relationship to T1025 provides the technical scope: adversaries may search connected removable media on compromised Linux, macOS, and Windows computers to collect files of interest, potentially using interactive command shells or common command functionality. SOC and IR teams should validate whether endpoint logging can distinguish removable-media mounts, file enumeration, file open/read/copy activity, command-line access, and subsequent staging or exfiltration-relevant behavior. Detection engineering should avoid treating every removable-media event as malicious; context such as user role, host function, device authorization, file sensitivity, and volume of access is needed.

Likely telemetry

  • Endpoint device connection and mount events for USB, optical, and other removable media
  • File access, enumeration, copy, and read events involving removable media paths or volumes
  • Process creation and command-line telemetry for shells or utilities interacting with removable media
  • User, host, and device identity context tied to removable-media activity
  • Data loss prevention, endpoint control, or removable-media policy events where deployed

Detection direction

  • Validate that telemetry exists across Linux, macOS, and Windows where those platforms are in scope for T1025; the detection strategy object itself does not define platform-specific logic.
  • Correlate removable-media access with unusual file enumeration, bulk reads or copies, sensitive file types, unexpected users, or activity from systems not expected to use portable media.
  • Tune out expected business workflows such as approved backup, imaging, maintenance, or operational technology transfer processes, while preserving enough logging for investigation.
  • Use relationship context to look beyond device insertion: the ATT&CK behavior is data access and collection from removable media, not merely the presence of a USB device.
  • Check blind spots where removable-media controls log connection events but not file-level access, command-line activity, or user attribution.
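The detection direction above can be exercised end to end on a small set of constructed endpoint events. The following analytic is an added example written for this page, not ATT&CK or Glexia code: it ties file reads to the device mounted under their path, tunes out an approved backup workflow, counts bulk and sensitive-type reads per host/user/device, attaches any shell command that referenced the mount, and reports a device that logged a connection but no file-level access (the blind spot in the last bullet). The event schema, host names, device identifiers, thresholds and the APPROVED allow-list are assumptions for illustration.

```python
"""Correlate removable-media mounts with file-level access (added example)."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_EXT = {".xlsx", ".docx", ".pdf", ".pst", ".kdbx"}
BULK_THRESHOLD = 10          # reads of one device by one user inside WINDOW
SENSITIVE_THRESHOLD = 3      # sensitive-type files before "sensitive_files" fires
WINDOW = timedelta(minutes=15)
# Assumed allow-list of approved workflows: (host, process) pairs whose reads are
# tuned out of alerting but still retained as telemetry for investigation.
APPROVED = {("win-bkp01", "backupagent.exe")}


def _norm(p):
    """Normalise a path or command so POSIX mounts and Windows drives compare alike."""
    return p.replace("\\", "/").rstrip("/").lower()


def under_mount(path, mount):
    """True when path lives under mount (exact match or below it, never a sibling)."""
    p, m = _norm(path), _norm(mount)
    return p == m or p.startswith(m + "/")


def analyze(events):
    """Return (alerts, gaps): alert dicts per (host, user, device) and (host, device)
    pairs that logged a mount but no file-level telemetry."""
    events = sorted(events, key=lambda e: e["ts"])
    mounts = defaultdict(list)   # host -> [(mount_path, device_id)]
    reads = defaultdict(list)    # (host, user, device) -> [(ts, path, process)]
    cmds = defaultdict(list)     # (host, user) -> [(ts, command_line)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "mount":
            mounts[e["host"]].append((e["mount"], e["device"]))
        elif e["kind"] == "process":
            cmds[(e["host"], e["user"])].append((ts, e["cmd"]))
        elif e["kind"] == "file_read":
            for mount, device in mounts[e["host"]]:  # attribute the read to its device
                if under_mount(e["path"], mount):
                    reads[(e["host"], e["user"], device)].append((ts, e["path"], e["process"]))
                    break
    mount_of = {(h, d): m for h, lst in mounts.items() for m, d in lst}
    seen = {(h, d) for (h, _, d) in reads}
    gaps = sorted(k for k in mount_of if k not in seen)

    alerts = []
    for (host, user, device), items in reads.items():
        kept = [(t, p, proc) for t, p, proc in items if (host, proc) not in APPROVED]
        if not kept:
            continue
        times = [t for t, _, _ in kept]
        peak, lo = 0, 0                      # densest WINDOW-sized span (two pointers)
        for hi in range(len(times)):
            while times[hi] - times[lo] > WINDOW:
                lo += 1
            peak = max(peak, hi - lo + 1)
        sensitive = [p for _, p, _ in kept if os.path.splitext(p)[1].lower() in SENSITIVE_EXT]
        reasons = []
        if peak >= BULK_THRESHOLD:
            reasons.append("bulk_read")
        if len(sensitive) >= SENSITIVE_THRESHOLD:
            reasons.append("sensitive_files")
        if not reasons:
            continue
        mount = mount_of[(host, device)]
        t0, t1 = times[0] - WINDOW, times[-1] + WINDOW
        context = [c for t, c in cmds.get((host, user), []) if t0 <= t <= t1 and _norm(mount) in _norm(c)]
        alerts.append({"host": host, "user": user, "device": device, "mount": mount,
                       "files": len(kept), "sensitive": len(sensitive),
                       "reasons": reasons, "commands": context})
    return alerts, gaps


def _reads(host, user, proc, paths, start, step_s=2):
    """Build a run of constructed file_read events spaced step_s seconds apart."""
    t = datetime.fromisoformat(start)
    return [{"ts": (t + timedelta(seconds=i * step_s)).isoformat(), "host": host, "user": user,
             "kind": "file_read", "process": proc, "path": p} for i, p in enumerate(paths)]


# Constructed sample telemetry (not real logs) covering Linux, Windows and macOS hosts.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "lx-ws01", "user": "alice", "kind": "mount",
     "device": "usb-0a1b", "mount": "/media/alice/USB"},
    {"ts": "2024-05-01T09:00:05", "host": "lx-ws01", "user": "alice", "kind": "process",
     "cmd": "find /media/alice/USB -type f -name '*.xlsx'"},
    {"ts": "2024-05-01T09:00:00", "host": "win-bkp01", "user": "SYSTEM", "kind": "mount",
     "device": "usb-7f3c", "mount": "E:\\"},
    {"ts": "2024-05-01T09:00:00", "host": "mac-lt02", "user": "carol", "kind": "mount",
     "device": "optical-01", "mount": "/Volumes/ARCHIVE"},   # connection only, no reads
    {"ts": "2024-05-01T09:00:00", "host": "win-ws09", "user": "bob", "kind": "mount",
     "device": "usb-c2d4", "mount": "D:\\"},
] + _reads("lx-ws01", "alice", "cp", [f"/media/alice/USB/finance/q{i}.xlsx" for i in range(12)],
           "2024-05-01T09:00:10") \
  + _reads("win-bkp01", "SYSTEM", "backupagent.exe", [f"E:\\backup\\set{i}.pdf" for i in range(20)],
           "2024-05-01T09:01:00") \
  + _reads("win-ws09", "bob", "notepad.exe", ["D:\\notes\\todo.txt", "D:\\notes\\readme.txt"],
           "2024-05-01T09:02:00")

if __name__ == "__main__":
    found, blind = analyze(EVENTS)
    for a in found:
        print("ALERT", a)
    for host, device in blind:
        print("COVERAGE GAP: mount logged but no file-level telemetry", host, device)
```

Run as-is, the analytic raises one alert (alice reading twelve spreadsheets from the USB stick on lx-ws01, with the preceding `find` command attached as context), stays silent on the approved backup agent and on bob's two text files, and reports mac-lt02's optical device as a coverage gap. The thresholds and allow-list are the tuning knobs the bullets above describe; in production they would be driven by device authorisation data and file classification rather than extensions.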

Mitigation priorities

  • Establish or review policy for where removable media is allowed and which data classes may be stored on it.
  • Restrict removable-media use on systems that do not require it, and maintain exceptions with business justification.
  • Prioritize endpoint and identity logging that can support incident reconstruction of removable-media file access.
  • Use data handling, DLP, or endpoint control evidence to support compliance and investigation needs where applicable.
  • Exercise IR procedures for scoping removable-media data access, including device identification, user attribution, and affected file determination.

Analyst notes and limits

This take is based on ATT&CK detection strategy DET0511 and its relationship to T1025 Data from Removable Media. The supplied DET0511 object has no official description or detection text, so the practical guidance is derived conservatively from the related ATT&CK technique context and should be validated against the local environment.

ATT&CK did not provide official detection logic, platforms, tactics, or aliases for DET0511 in the supplied fields. The related technique provides Linux, macOS, and Windows scope, but local logging capabilities, approved removable-media workflows, and data sensitivity determine actual risk and detection feasibility.

Official MITRE ATT&CK definition

Detection of Data Access and Collection from Removable Media

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1025 | Data from Removable Media | This object detects Data from Removable Media.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Raw hash
f961c4241e6d1109...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | 1.0 | Current bundle | f961c4241e6d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0511

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.