Shellbags, USB Removable Storage

A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.

A subject can mount and write to removable media.

A subject may exfiltrate data via a physical medium, such as a removable drive.

A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.

A subject may attempt to mount a USB Mass Storage device on a target system.

A subject can mount and write to a USB mass storage device.

A subject can mount and write to an SD card, either directly from the system, or through a USB connector.

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

The subject uses a portable hypervisor to launch a virtual machine from removable media or user-space directories, enabling covert execution of tools, data staging, or operational activities. These hypervisors can run without installation, system-wide configuration changes, or elevated privileges, bypassing standard application control, endpoint detection, and logging.

Portable hypervisors are often used to:

• Run a fully isolated virtual environment on a corporate system without administrator rights.
• Avoid persistent installation footprints in the Windows registry, program files, or audit logs.
• Stage and execute sensitive operations inside a contained guest OS, shielded from host-level EDR tools.
• Exfiltrate or decrypt data using tools embedded in the VM image without writing them to disk.
• Destroy or remove evidence simply by ejecting the device or deleting the VM directory.

Example Scenarios:

• The subject carries a USB stick containing QEMU or VMware Workstation Player Portable, along with a pre-configured Linux VM that includes recon and exfiltration tools. They plug it into a shared workstation, launch the VM in user space, and remove the stick after completing the session.
• A portable VirtualBox distribution is run from an unmonitored folder in the user's home directory. Inside the VM, the subject transfers staged data, compresses it, and initiates covert upload via proxy-aware tools, leaving no trace on the host system.
• The subject uses an encrypted external SSD with VMware ThinApp to run virtualized applications (e.g., password extractors, tunneling tools) without installation or triggering AV signatures on the host.