
Hello everyone,

Looking for guidance on detecting potential data exfiltration to external (USB/removable) drives. Has anyone built a YARA rule for identifying such activity?

Open to examples or best practices for monitoring file transfers to removable media.

Thanks in advance.

You will need to enable audit logging for removable media in GPO, or collect the events from a DLP.
There are some good starter examples on the MITRE detection page: https://attack.mitre.org/techniques/T1052/001/

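As an added example (not code from the thread or from MITRE), assuming the Removable Storage audit subcategory is enabled as the reply describes: a Python detection that parses 4663 events in Windows Event Log XML form and flags any account that writes to many distinct files on removable media within a short window. The sample events are constructed, and the task id 12812 and EventData field names are assumptions about the Removable Storage subcategory.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WRITE_MASK = 0x2 | 0x4          # WriteData/AddFile and AppendData/AddSubdirectory bits
REMOVABLE_STORAGE_TASK = 12812  # assumption: task id of the "Removable Storage" subcategory

# Constructed sample 4663 events in Windows Event Log XML shape (not real captures).
def sample_event(ts, user, obj, mask, task=REMOVABLE_STORAGE_TASK):
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4663</EventID><Task>{task}</Task><TimeCreated SystemTime="{ts}"/></System>
<EventData><Data Name="SubjectUserName">{user}</Data><Data Name="ObjectName">{obj}</Data>
<Data Name="AccessMask">{mask}</Data><Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData></Event>"""

SAMPLE_EVENTS = (
    [sample_event(f"2024-05-01T09:00:{i:02d}.000Z", "alice",
                  f"\\Device\\HarddiskVolume5\\doc{i}.docx", "0x2") for i in range(12)]
    + [sample_event("2024-05-01T09:00:30.000Z", "bob",
                    "\\Device\\HarddiskVolume5\\notes.txt", "0x80")]  # ReadAttributes only
    + [sample_event("2024-05-01T09:01:00.000Z", "carol",
                    "\\Device\\HarddiskVolume5\\one.pdf", "0x2")]
)

def parse_event(xml_text):
    """Pull the fields the detection needs out of one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "task": int(system.find("e:Task", NS).text),
        "time": datetime.fromisoformat(stamp),
        "user": data["SubjectUserName"],
        "object": data["ObjectName"],
        "mask": int(data["AccessMask"], 16),
    }

def removable_write_alerts(xml_events, threshold=10, window=timedelta(minutes=5)):
    """Return {user: max distinct files written} for users who wrote at least
    `threshold` distinct files to removable storage inside any `window`."""
    writes = defaultdict(list)
    for ev in map(parse_event, xml_events):
        if ev["event_id"] == 4663 and ev["task"] == REMOVABLE_STORAGE_TASK and ev["mask"] & WRITE_MASK:
            writes[ev["user"]].append((ev["time"], ev["object"]))
    alerts = {}
    for user, items in writes.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # sliding window from each write
            files = {obj for t, obj in items[i:] if t - start <= window}
            if len(files) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(files))
    return alerts
```

Tune the threshold and window to the baseline of legitimate removable-media use in your environment, and join the ProcessName field against your allow-list of sanctioned copy tools before alerting.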