MITRE ATT&CK® Technique

T1025: Data from Removable Media

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media.

Enterprise | T1025 | Technique | Object v1.3 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Data from Removable Media matters because a compromised workstation can become a bridge to sensitive files stored on USB drives, optical media, or other connected removable storage. For executives and security leaders, the practical issue is not just malware on a device; it is whether the organization can prove that sensitive data on removable media is monitored, controlled, and investigated before it is exfiltrated, including in environments that rely on removable media for operational or air-gapped workflows.

Executive priority

Prioritize this technique where removable media is allowed, required for business operations, or used around sensitive data. The ATT&CK relationships include multiple espionage-focused groups and malware families, including examples designed for document theft and air-gapped collection, so leaders should ask whether removable media use is governed by policy, covered by DLP, visible to the SOC, and included in incident response playbooks. This is especially relevant to audit evidence for data handling, insider-risk adjacent controls, and operational resilience in environments where blocking all removable media is not practical.

Technical view

This is an enterprise collection technique on Linux, macOS, and Windows. ATT&CK does not provide official detection text, but it links DET0511, Detection of Data Access and Collection from Removable Media, and mitigation M1057, Data Loss Prevention. SOC and IR teams should validate whether endpoints can identify removable media connection and access, whether file collection from removable paths is visible, and whether interactive shells or common command functionality touching removable media are distinguishable from normal user activity. Relationship context is heavily Windows-oriented for listed software, but the technique platform scope is Linux, macOS, and Windows, so coverage should be checked across all three where present.

Likely telemetry

  • Removable media connection, mount, and dismount events on Linux, macOS, and Windows endpoints
  • File access, enumeration, read, copy, archive, or staging activity involving removable media paths or volumes
  • Process execution telemetry showing command shells or common utilities accessing removable media
  • Endpoint DLP or device-control events involving sensitive file types, PII, intellectual property, or financial data on removable media
  • Host-based alerts or logs from detection strategy DET0511 where implemented

Detection direction

  • Confirm whether DET0511-equivalent logic exists and is enabled for all supported operating systems in scope, not only Windows.
  • Tune detection around unusual volume access patterns, bulk file reads, collection of sensitive document types, or command-shell interaction with removable media, while accounting for legitimate business processes such as backups, field operations, maintenance, or data transfer workflows.
  • Correlate removable media activity with later collection, staging, or exfiltration indicators when available; this technique is collection prior to exfiltration, not proof of data loss by itself.
  • Validate that logs preserve enough context to identify the user, host, device or volume, process, file path, and data category where available.
  • Check blind spots around unmanaged endpoints, offline systems, air-gapped processes, temporary contractors, and environments where removable media is permitted but not centrally monitored.
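The detection direction above can be exercised with a small correlator. The following is an added example written for this page, not code from Glexia, MITRE, or DET0511: it assumes a flat, time-sorted event stream with constructed field names (`mount`/`unmount`, `process_start`, `file_read`, with `bus`, `volume`, `pid`, `image`, `parent_image`), tracks which volumes are currently mounted as removable, counts distinct files a process reads from such a volume inside a sliding window, skips an allowlist of expected transfer tooling, and emits one alert per host/process/volume carrying the user, host, volume, process, file count and sensitive file types an analyst would need. Real EDR or DLP schemas differ; the thresholds and allowlist are placeholders to tune.

```python
"""Toy correlator for T1025-style collection over constructed endpoint telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of images expected to touch removable media (backup and
# transfer tooling); tune to the environment rather than copying these names.
ALLOWLISTED_IMAGES = {"backupagent.exe", "rsync"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}
SENSITIVE_EXT = {".docx", ".xlsx", ".pdf", ".pst", ".csv"}
BULK_THRESHOLD = 5              # distinct files from one volume by one process
WINDOW = timedelta(minutes=10)  # sliding window for the bulk-read count


def detect_removable_collection(events):
    """Return one alert per (host, pid, volume) for bulk reads from removable media.

    `events` must be sorted by `ts`; see SAMPLE_EVENTS for the assumed schema.
    Reads from fixed disks are ignored: T1025 is specifically about removable media.
    """
    removable = set()            # (host, volume) currently mounted as removable
    processes = {}               # (host, pid) -> process metadata
    reads = defaultdict(list)    # (host, pid, volume) -> [(ts, path), ...]
    alerts = {}                  # (host, pid, volume) -> alert dict (updated in place)
    for ev in events:
        ts, host, kind = datetime.fromisoformat(ev["ts"]), ev["host"], ev["event"]
        if kind == "mount":
            if ev.get("bus") == "removable":
                removable.add((host, ev["volume"]))
        elif kind == "unmount":
            removable.discard((host, ev["volume"]))
        elif kind == "process_start":
            processes[(host, ev["pid"])] = {
                "image": ev["image"].lower(),
                "parent_image": ev["parent_image"].lower(),
                "user": ev["user"],
            }
        elif kind == "file_read":
            vol = ev["volume"]
            if (host, vol) not in removable:
                continue  # fixed disk or already dismounted: out of scope here
            proc = processes.get((host, ev["pid"]))
            if proc is None or proc["image"] in ALLOWLISTED_IMAGES:
                continue  # unknown process or expected transfer tooling
            key = (host, ev["pid"], vol)
            # drop reads that fell out of the sliding window, then add this one
            reads[key] = [(t, p) for t, p in reads[key] if ts - t <= WINDOW]
            reads[key].append((ts, ev["path"]))
            distinct = {p for _, p in reads[key]}
            if len(distinct) < BULK_THRESHOLD:
                continue
            shell_driven = proc["image"] in SHELLS or proc["parent_image"] in SHELLS
            sensitive = sorted(
                {p[p.rfind("."):].lower() for p in distinct if "." in p} & SENSITIVE_EXT)
            # keep the context an analyst needs: user, host, volume, process, files
            alerts[key] = {
                "host": host, "user": proc["user"], "volume": vol,
                "pid": ev["pid"], "image": proc["image"],
                "file_count": len(distinct), "shell_driven": shell_driven,
                "sensitive_types": sensitive,
                "severity": "high" if (shell_driven or sensitive) else "medium",
                "first_seen": reads[key][0][0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return list(alerts.values())


def _read(ts, pid, volume, path, host="WS01"):
    return {"ts": ts, "host": host, "event": "file_read",
            "pid": pid, "volume": volume, "path": path}


# Constructed sample telemetry (not from any real system). A cmd.exe-spawned
# xcopy reads six files from a removable E: volume; a backup agent reads the
# same volume (allowlisted); a read from fixed C: is ignored.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "event": "mount",
     "volume": "E:", "bus": "removable"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "event": "process_start",
     "pid": 4242, "image": "cmd.exe", "parent_image": "explorer.exe", "user": "alice"},
    {"ts": "2024-05-01T09:00:10", "host": "WS01", "event": "process_start",
     "pid": 4300, "image": "xcopy.exe", "parent_image": "cmd.exe", "user": "alice"},
    _read("2024-05-01T09:00:11", 4300, "E:", "E:\\contracts\\q1.docx"),
    _read("2024-05-01T09:00:12", 4300, "E:", "E:\\finance\\budget.xlsx"),
    _read("2024-05-01T09:00:13", 4300, "E:", "E:\\plans\\plan.pdf"),
    _read("2024-05-01T09:00:14", 4300, "E:", "E:\\readme.txt"),
    _read("2024-05-01T09:00:15", 4300, "E:", "E:\\notes.md"),
    _read("2024-05-01T09:00:16", 4300, "E:", "E:\\exports\\list.csv"),
    {"ts": "2024-05-01T09:02:00", "host": "WS01", "event": "process_start",
     "pid": 5000, "image": "backupagent.exe", "parent_image": "services.exe",
     "user": "SYSTEM"},
] + [
    _read(f"2024-05-01T09:02:0{i}", 5000, "E:", f"E:\\backup\\file{i}.docx")
    for i in range(1, 6)
] + [
    _read("2024-05-01T09:03:00", 4300, "C:", "C:\\Users\\alice\\notes.txt"),
    {"ts": "2024-05-01T09:10:00", "host": "WS01", "event": "unmount", "volume": "E:"},
]

if __name__ == "__main__":
    for alert in detect_removable_collection(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream this yields a single high-severity alert for `xcopy.exe` (pid 4300, parent `cmd.exe`, user alice) reading six files from E:, four of them of sensitive types; the backup agent's reads and the fixed-disk read produce nothing. The alert is deliberately keyed per process and volume and updated in place rather than re-emitted on every read, and it is labelled collection context only: correlating it with later staging or exfiltration indicators, as the page notes, is a separate step.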

Mitigation priorities

  • Start with policy and inventory: define where removable media is allowed, prohibited, or exception-based, especially around sensitive data and operational systems.
  • Implement Data Loss Prevention controls aligned to M1057 to identify, categorize, monitor, and control sensitive data movement involving removable media.
  • Where business permits, restrict or approve removable media use through endpoint controls and enforce least-privilege access to sensitive files.
  • Ensure SOC and IR teams receive usable removable media and DLP telemetry, including from systems that may be intermittently connected or operationally isolated.
  • Create response procedures for suspected removable media collection, including host triage, user and device scoping, sensitive-data review, and follow-on exfiltration investigation.

Analyst notes and limits

ATT&CK classifies this as a collection technique, not an exfiltration technique. The relationship set includes APT28, Turla, Gamaredon Group, OilRig, and many software examples, several of which are described as espionage, document theft, removable-device propagation, or air-gap related. That makes the behavior strategically important for environments with sensitive documents or removable media workflows, but local telemetry is required to determine exposure or activity.

Official ATT&CK detection text is not provided for T1025. Detection and mitigation guidance here is derived from the official description, supported platforms, the DET0511 detection-strategy relationship, the M1057 Data Loss Prevention mitigation relationship, and listed group/software relationships. No claim is made that this activity is currently occurring, that any named actor targets a specific organization, or that any control guarantees detection or prevention.

Official MITRE ATT&CK definition

Data from Removable Media

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Group Enterprise

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.[6][5]

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Malware Enterprise

S0136: USBStealer

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.[1][2]

Windows
Malware Enterprise

S0260: InvisiMole

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[1][2]

Windows
Malware Enterprise

S0237: GravityRAT

GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India.[1]

Windows
Malware Enterprise

S0090: Rover

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [1]

Windows
Malware Enterprise

S1146: MgBot

MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least 2012. MgBot was developed in C++ and features a module design with multiple available plugins that have been under active development through 2024.[1][2][3]

Windows
Malware Enterprise

S0125: Remsec

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. [1]

Windows
Malware Enterprise

S0128: BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.[1][2]

Windows
Malware Enterprise

S0113: Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. [1]

Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.3
Created
Modified
Raw hash
f08d07416d4d2576...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.3 Current bundle f08d07416d4d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack T1025

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.