Restrict Removable Disk Mounting, Group Policy

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.

A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.

A subject can mount and write to a USB mass storage device.

A subject may attempt to mount a USB Mass Storage device on a target system.

The subject uses a portable hypervisor to launch a virtual machine from removable media or user-space directories, enabling covert execution of tools, data staging, or operational activities. These hypervisors can run without installation, system-wide configuration changes, or elevated privileges—bypassing standard application control, endpoint detection, and logging.

Portable hypervisors are often used to:

• Run a fully isolated virtual environment on a corporate system without administrator rights.
• Avoid persistent installation footprints in the Windows registry, program files, or audit logs.
• Stage and execute sensitive operations inside a contained guest OS, shielded from host-level EDR tools.
• Exfiltrate or decrypt data using tools embedded in the VM image without writing them to disk.
• Destroy or remove evidence simply by ejecting the device or deleting the VM directory.

Example Scenarios:

• The subject carries a USB stick containing QEMU or VMware Workstation Player Portable, along with a pre-configured Linux VM that includes recon and exfiltration tools. They plug it into a shared workstation, launch the VM in user space, and remove the stick after completing the session.
• A portable VirtualBox distribution is run from an unmonitored folder in the user's home directory. Inside the VM, the subject transfers staged data, compresses it, and initiates covert upload via proxy-aware tools, leaving no trace on the host system.
• The subject uses an encrypted external SSD with VMware ThinApp to run virtualized applications (e.g., password extractors, tunneling tools) without installation or triggering AV signatures on the host.

The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.

Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.

Example Scenarios:

• A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
• A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.