Adversaries may exfiltrate data by copying files to drives or shares other than C: to avoid detection by standard script-based monitoring tools. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify data exfiltration attempts that bypass such script-based detection mechanisms.
KQL Query

```kql
DeviceFileEvents
| where ActionType == "FileCreated"
| extend extension = extract(@".*(\..*)$", 1, FileName)
| where extension !in (".ps1", ".bat", ".cmd")
| extend DriveLetterOrShare = split(FolderPath, ':')[0]
| where DriveLetterOrShare != 'C'
| project DriveLetterOrShare = tostring(DriveLetterOrShare), FolderPath, FileName, DeviceId, DeviceName, ReportId, Timestamp, ShareName, IsAzureInfoProtectionApplied, SensitivityLabel, SensitivitySubLabel, InitiatingProcessFileName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine
```
```yaml
id: 8899867b-0fd8-4cfd-b6f0-0f04ef37142c
name: Data copied to other location than C drive
description: |
  Check all created files
  - that do not have the extension ps1, bat or cmd, to exclude IT Pro scripts;
  - that are not written under C:\, to detect copies to file shares, external drives, data partitions that are not allowed, etc.
  This can help detect a malicious insider or user who has an unencrypted data partition and uses it to exfiltrate data even while removable devices and cloud storage are blocked.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
query: |
  DeviceFileEvents
  | where ActionType == "FileCreated"
  | extend extension = extract(@".*(\..*)$", 1, FileName)
  | where extension !in (".ps1", ".bat", ".cmd")
  | extend DriveLetterOrShare = split(FolderPath, ':')[0]
  | where DriveLetterOrShare != 'C'
  | project DriveLetterOrShare = tostring(DriveLetterOrShare), FolderPath, FileName, DeviceId, DeviceName, ReportId, Timestamp, ShareName, IsAzureInfoProtectionApplied, SensitivityLabel, SensitivitySubLabel, InitiatingProcessFileName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure the MicrosoftThreatProtection data connector that supplies this table is enabled |
Scenario: User saves a document to a USB drive for offline work
Filter/Exclusion: Exclude files created on removable storage devices using the device field in the event log (e.g., device == "USB Storage").
Scenario: System backup job copies files to a secondary data partition (D:)
Filter/Exclusion: Exclude files created by scheduled tasks using the process_name field (e.g., process_name == "wbadmin.exe" or process_name == "vssadmin.exe").
Scenario: IT admin uses PowerShell to move files between partitions for data organization
Filter/Exclusion: Exclude files created by known administrative tools using the process_name field (e.g., process_name == "powershell.exe" with a known admin script or command line).
Scenario: User copies files to an external drive for cloud sync (e.g., using OneDrive or Dropbox)
Filter/Exclusion: Exclude files created by cloud sync tools using the process_name field (e.g., process_name == "OneDrive.exe" or process_name == "dropbox.exe").
Scenario: System service moves temporary files to a non-C drive location for cleanup
Filter/Exclusion: Exclude files created by system services using the process_name field (e.g., process_name == "services.exe" or process_name == "taskhost.exe") or by checking the parent_process_name field.
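The scenarios above use generic field names (`process_name`, `device`, `parent_process_name`); in the DeviceFileEvents table the equivalents are InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine and FolderPath. The following tuned version of the query, added here as an example rather than taken from the original rule, applies those exclusions with the real columns, handles UNC share paths that carry no drive letter, and aggregates per user and destination so that bulk copies and labelled documents can be prioritised. The process allowlist and the volume threshold are assumptions to be replaced with an environment's own baseline.

```kql
// Added example: tuned version of the hunting query above (not the original rule's code).
// Assumptions: the process allowlist and threshold are placeholders for an environment's own baseline.
let ScriptExtensions = dynamic([".ps1", ".bat", ".cmd"]);
let BenignProcesses = dynamic(["OneDrive.exe", "Dropbox.exe", "wbadmin.exe", "vssadmin.exe"]);  // assumed allowlist
let MinFilesPerHour = 50;  // assumed volume threshold
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
// Anchor on the last dot so "archive.tar.gz" yields ".gz"; lower-case so ".PS1" is excluded as well
| extend extension = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
| where extension !in (ScriptExtensions)
// UNC paths (\\server\share\...) contain no colon, so label them by server instead of by the split result
| extend DriveLetterOrShare = iff(FolderPath startswith @"\\",
                                  strcat(@"\\", tostring(split(FolderPath, @"\")[2])),
                                  toupper(tostring(split(FolderPath, ":")[0])))
| where DriveLetterOrShare != "C"
// Scenario exclusions mapped to real columns: sync clients and backup tools by image name, Windows services by parent
| where InitiatingProcessFileName !in~ (BenignProcesses)
| where InitiatingProcessParentFileName !~ "services.exe"
// Aggregate per user and destination so bulk copies and sensitivity-labelled files stand out
| summarize FileCount = count(),
            LabelledFiles = countif(isnotempty(SensitivityLabel)),
            SampleFiles = make_set(FileName, 5),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by bin(Timestamp, 1h), DeviceName, InitiatingProcessAccountUpn, DriveLetterOrShare, InitiatingProcessFileName
| where FileCount >= MinFilesPerHour or LabelledFiles > 0
| order by LabelledFiles desc, FileCount desc
```

Rows with LabelledFiles > 0 surface copies of documents carrying a sensitivity label regardless of volume, which is usually the first set to triage.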