Execution from a Removable Media with Network Connection

Status: production
Severity: low
Time window: 5m
Sequence by: process.entity_id
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1091` Replication Through Removable Media

Event coverage

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Security-Auditing	Event ID 4688	A new process has been created.

Rule body elastic

[metadata]
creation_date = "2023/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
Autorun features when the media is inserted into a system and executes.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from a Removable Media with Network Connection"
risk_score = 21
rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by process.entity_id with maxspan=5m
 [process where host.os.type == "windows" and event.action == "start" and

  /* Direct Exec from USB */
  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
  (process.code_signature.trusted == false or process.code_signature.exists == false) and

  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
 [network where host.os.type == "windows" and event.action == "connection_attempted"]
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend
"""

note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Execution from a Removable Media with Network Connection

Removable media, like USB drives, are often used for data transfer but can be exploited by adversaries to introduce malware into isolated systems. Attackers may leverage autorun features to execute malicious code upon insertion. The detection rule identifies suspicious process executions from USB devices, especially those lacking valid code signatures, and correlates them with network connection attempts, signaling potential unauthorized access efforts.

### Possible investigation steps

- Review the process execution details, focusing on the process.entity_id to identify the specific process that was executed from the USB device.
- Check the process.Ext.device.bus_type and process.Ext.device.product_id fields to confirm the involvement of a USB device and gather information about the specific device used.
- Investigate the process.code_signature fields to determine if the process lacks a valid code signature, which could indicate malicious intent.
- Correlate the process execution with network connection attempts by examining the network event logs, particularly looking for any unusual or unauthorized connection attempts.
- Assess the context of the network connection attempt, including the destination IP address and port, to evaluate the potential risk and intent of the connection.
- Gather additional context by reviewing recent activity on the host, such as other process executions or file modifications, to identify any further signs of compromise.
- If necessary, isolate the affected system to prevent further unauthorized access or data exfiltration while continuing the investigation.

### False positive analysis

- Legitimate software installations from USB drives may trigger the rule. To manage this, create exceptions for known software installers by verifying their code signatures and adding them to an allowlist.
- IT administrators often use USB devices for system updates or maintenance. Identify and exclude these activities by correlating them with known administrator accounts or devices.
- Some organizations use USB devices for regular data transfers. Establish a baseline of normal USB activity and exclude these patterns from triggering alerts.
- Devices with expired but previously trusted code signatures might be flagged. Regularly update the list of trusted certificates and exclude processes with known expired signatures that are still considered safe.
- Network connection attempts by legitimate applications running from USB drives can be mistaken for threats. Monitor and document these applications, then configure exceptions based on their process names and network behavior.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Disable autorun features on all systems to prevent automatic execution of potentially malicious code from removable media.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware.
- Review and block any suspicious network connections originating from the affected system to prevent communication with potential command and control servers.
- Collect and preserve relevant logs and forensic evidence from the affected system and removable media for further analysis and potential legal action.
- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if other systems may be affected.
- Implement enhanced monitoring and alerting for similar activities, focusing on process executions from removable media and unauthorized network connection attempts."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1091"
name = "Replication Through Removable Media"
reference = "https://attack.mitre.org/techniques/T1091/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

Stages and Predicates

Ordered sequence: each step below must occur in order within 5m, correlated by process.entity_id.

Stage 1: `process`

[process where host.os.type == "windows" and event.action == "start" and
  (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
  (process.code_signature.trusted == false or process.code_signature.exists == false) and
  not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]

Stage 2: `network`

[network where host.os.type == "windows" and event.action == "connection_attempted"]

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`process.code_signature.status`	wildcard	`errorExpired`, `errorCode_endpoint*`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	eq	`connection_attempted` corpus 25 (elastic 25) `start` corpus 16 (elastic 16)
`process.Ext.device.bus_type`	wildcard	`usb`
`process.Ext.device.product_id`	wildcard	`USB *`
`process.code_signature.exists`	eq	`false` corpus 19 (elastic 19)
`process.code_signature.trusted`	eq	`false` corpus 18 (elastic 18)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Execution from a Removable Media with Network Connection

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: `process`

Stage 2: `network`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Execution from a Removable Media with Network Connection

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: process

Stage 2: network

Exclusions

Indicators

Stage 1: `process`

Stage 2: `network`