
Files Written to Removable Media

This query tracks files written to removable media (USB drives, external drives) across all platforms, aggregating the total data volume and file count per computer. It's useful for detecting potential data exfiltration attempts or monitoring removable media usage for compliance.

Detection Query

#event_simpleName=/Written/ IsOnRemovableDisk=1 
| FileSizeMB:=unit:convert(Size, to=M) 
| groupBy([ComputerName], function=([sum(Size, as=SizeBytes), sum(FileSizeMB, as=FileSizeMB), count(TargetFileName, as="File Count"), collect([TargetFileName])]))
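The filter and per-host aggregation this query performs, as an added Python re-implementation (not CrowdStrike's code) run over a few constructed sample events; it assumes `to=M` means the decimal prefix (10^6 bytes) and, going beyond the original query, adds an optional per-host volume threshold so a hunter can surface only hosts above a chosen amount of data written to removable media.

```python
import re
from collections import defaultdict

# Constructed sample events using the fields the query references. Sizes are in bytes.
SAMPLE_EVENTS = [
    {"event_simpleName": "PeFileWritten", "ComputerName": "WS-01", "IsOnRemovableDisk": 1,
     "Size": 1_500_000, "TargetFileName": "E:\\tools\\setup.exe"},
    {"event_simpleName": "ZipFileWritten", "ComputerName": "WS-01", "IsOnRemovableDisk": "1",
     "Size": 2_500_000, "TargetFileName": "E:\\archive\\q3-reports.zip"},
    {"event_simpleName": "PdfFileWritten", "ComputerName": "WS-02", "IsOnRemovableDisk": 1,
     "Size": 250_000, "TargetFileName": "D:\\docs\\invoice.pdf"},
    # Local disk: excluded by IsOnRemovableDisk=1
    {"event_simpleName": "PeFileWritten", "ComputerName": "WS-02", "IsOnRemovableDisk": 0,
     "Size": 9_000_000, "TargetFileName": "C:\\Users\\a\\app.exe"},
    # Not a *Written event: excluded by #event_simpleName=/Written/
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01", "IsOnRemovableDisk": 1,
     "Size": 100, "TargetFileName": "E:\\x"},
]

# /Written/ is an unanchored regex: any event name containing "Written" matches.
WRITTEN = re.compile(r"Written")


def hunt_removable_writes(events, size_threshold_mb=None):
    """Mirror the query's groupBy([ComputerName]) aggregation.

    Returns {ComputerName: {SizeBytes, FileSizeMB, "File Count", TargetFileName}}.
    size_threshold_mb is an added hunting knob (assumption, not in the original query).
    """
    per_host = defaultdict(lambda: {"SizeBytes": 0, "FileSizeMB": 0.0,
                                    "File Count": 0, "TargetFileName": []})
    for ev in events:
        if not WRITTEN.search(str(ev.get("event_simpleName", ""))):
            continue
        # Field values may arrive as int or string; the query's =1 matches both.
        if str(ev.get("IsOnRemovableDisk", "")) != "1":
            continue
        size = int(ev.get("Size", 0))
        row = per_host[ev["ComputerName"]]
        row["SizeBytes"] += size                      # sum(Size, as=SizeBytes)
        row["FileSizeMB"] += size / 1_000_000         # unit:convert(Size, to=M), decimal MB assumed
        row["File Count"] += 1                        # count(TargetFileName, as="File Count")
        row["TargetFileName"].append(ev["TargetFileName"])  # collect([TargetFileName]), event order
    result = dict(per_host)
    if size_threshold_mb is not None:
        result = {h: r for h, r in result.items() if r["FileSizeMB"] >= size_threshold_mb}
    return result
```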

Author

CrowdStrike

Data Sources

Endpoint

Platforms

windows, linux

Tags

Hunting, cs_module:Insight

Raw Content

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Files Written to Removable Media

# MITRE ATT&CK technique IDs
#mitre_ids:

# Description of what the query does and its purpose.
description: This query tracks files written to removable media (USB drives, external drives) across all platforms, aggregating the total data volume and file count per computer. It's useful for detecting potential data exfiltration attempts or monitoring removable media usage for compliance.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
tags:
  - Hunting

cs_required_modules: 
  - Insight
  
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=/Written/ IsOnRemovableDisk=1 
  | FileSizeMB:=unit:convert(Size, to=M) 
  | groupBy([ComputerName], function=([sum(Size, as=SizeBytes), sum(FileSizeMB, as=FileSizeMB), count(TargetFileName, as="File Count"), collect([TargetFileName])]))

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
#explanation: