Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

ID: T1052
Sub-techniques:  T1052.001
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Contributors: William Cain
Version: 1.3
Created: 31 May 2017
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can detect and block sensitive data being copied to physical mediums.

M1042 Disable or Remove Feature or Program

Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [2]

M1034 Limit Hardware Installation

Limit the use of USB devices and removable media within a network.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for execution of file transfer commands (robocopy, xcopy, cp, rsync) targeting removable media, use of disk utilities (diskpart, mount, mkfs) to format or prepare devices, or PowerShell or bash scripts automating file transfers to USB devices.

Analytic 1 - Detecting File Transfers to Removable Media via Command Execution

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (command IN ("robocopy", "xcopy", "cp", "rsync", "mount", "diskutil"))| eval risk_score=case( command IN ("robocopy", "cp", "rsync"), 9, command IN ("mount", "diskutil"), 8)| where risk_score >= 8| stats count by _time, host, user, command, risk_score

DS0016 Drive Drive Creation

Detection of newly mounted USB or external drives, unusual storage devices connected to a system (e.g., large capacity, high-speed), or frequent device mount/unmount activity indicative of exfiltration attempts.

Analytic 1 - Detecting New External Drive Mounting Events

(EventCode=6 OR EventCode=4663 OR source="/var/log/syslog" "usb-storage added" OR source="com.apple.DiskArbitration")| where (device_type IN ("USB", "Removable Storage"))| stats count by _time, host, user, device_name, device_type| eval risk_score=case( device_type="USB", 9, device_type="Removable Storage", 8)| where risk_score >= 8| table host, user, device_name, device_type, risk_score

DS0022 File File Access

Monitor file access on removable media that may attempt to exfiltrate data via a physical medium, such as a removable drive.

Analytic 1 - Detecting File Access to Removable Media

(EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")| where (file_path IN ("/media/usb/", "/mnt/usb/", "D:\USB\", "E:\USB\"))| eval risk_score=case( file_path LIKE "%/media/usb/%", 9, file_path LIKE "%D:\USB\%", 8)| where risk_score >= 8| stats count by _time, host, user, file_path, risk_score

DS0009 Process Process Creation

Monitor for processes triggered when external storage is connected, autorun scripts executed from USB drives, or file explorer or PowerShell processes interacting with external storage.

Analytic 1 - Detecting Processes Executed from USB Devices

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (process_name IN ("explorer.exe", "powershell.exe", "cmd.exe", "bash", "sh") AND process_path LIKE "/media/usb/%")| eval risk_score=case( process_path LIKE "/media/usb/%", 9, process_path LIKE "D:\USB\%", 8)| where risk_score >= 8| stats count by _time, host, user, process_name, process_path, risk_score

References