Exfiltration Over Physical Medium

In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

ID: T1052
Tactic: Exfiltration
Platform: Linux, macOS, Windows
System Requirements: Presence of physical medium or device
Data Sources: Data loss prevention, File monitoring
Version: 1.0
Created: 31 May 2017
Last Modified: 24 July 2019

Procedure Examples

Name | Description
Agent.btz | Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[6]
Machete | Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[7][8]
Remsec | Remsec contains a module to move data from air-gapped networks to Internet-connected systems by using a removable USB device.[4]
SPACESHIP | SPACESHIP copies staged data to removable drives when they are inserted into the system.[3]
USBStealer | USBStealer exfiltrates collected files via removable media from air-gapped victims.[5]

Mitigations

Mitigation | Description
Disable or Remove Feature or Program | Disable Autorun if it is unnecessary. Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[1][2]


Detection

Monitor file access on removable media. Detect processes that execute when removable media are mounted.
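As an added example (not part of the ATT&CK page), the following correlates host telemetry to implement both detection ideas above: bulk file writes to a removable device, and a process launched from a removable device shortly after it is mounted. The log format, thresholds, paths and pids are all assumed and constructed for the demonstration.

```python
# Added example: correlate constructed mount / file-write / process-exec telemetry
# (hypothetical key=value format, not a vendor or ATT&CK detection) to flag the
# behaviours described above: bulk writes to removable media and execution from it.
from datetime import datetime, timedelta

# Constructed sample telemetry; paths, pids and sizes are made up.
SAMPLE_LOG = """\
2019-07-24T10:00:01Z event=mount mountpoint=/media/usb0 removable=1
2019-07-24T10:00:02Z event=mount mountpoint=/mnt/data removable=0
2019-07-24T10:00:04Z event=process_exec image=/media/usb0/setup.exe pid=5000
2019-07-24T10:00:10Z event=file_write path=/media/usb0/thumb.dd pid=4321 bytes=524288
2019-07-24T10:00:11Z event=file_write path=/media/usb0/staged/a.bin pid=4321 bytes=20971520
2019-07-24T10:00:12Z event=file_write path=/media/usb0/staged/b.bin pid=4321 bytes=31457280
2019-07-24T10:00:15Z event=file_write path=/mnt/data/report.txt pid=777 bytes=4096
"""

BULK_BYTES = 32 * 1024 * 1024        # assumed threshold: 32 MiB per (pid, device)
EXEC_WINDOW = timedelta(seconds=30)  # execution this soon after mount is suspicious

def parse(line):
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def removable_mount(path, mounts):
    """Return the removable mountpoint that `path` lies under, or None."""
    for mp, (removable, _) in mounts.items():
        if removable and path.startswith(mp.rstrip("/") + "/"):
            return mp
    return None

def detect(log):
    """Return (alert_type, pid, location) tuples in the order they fire."""
    mounts, written, alerts = {}, {}, []
    for ev in (parse(l) for l in log.splitlines() if l.strip()):
        if ev["event"] == "mount":
            mounts[ev["mountpoint"]] = (ev["removable"] == "1", ev["ts"])
        elif ev["event"] == "process_exec":
            mp = removable_mount(ev["image"], mounts)
            if mp and ev["ts"] - mounts[mp][1] <= EXEC_WINDOW:
                alerts.append(("exec_from_removable", ev["pid"], ev["image"]))
        elif ev["event"] == "file_write":
            mp = removable_mount(ev["path"], mounts)
            if mp:   # ignore writes to fixed disks such as /mnt/data
                key = (ev["pid"], mp)
                written[key] = written.get(key, 0) + int(ev["bytes"])
                if written[key] >= BULK_BYTES and ("bulk_write", *key) not in alerts:
                    alerts.append(("bulk_write", *key))
    return alerts
```

On the sample, the write to /mnt/data is ignored, the setup.exe launch three seconds after mount fires an exec alert, and the per-process byte count crosses the threshold on the second staged file.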