Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

ID: T1052
Sub-techniques:  T1052.001
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
System Requirements: Presence of physical medium or device
Data Sources: Data loss prevention, File monitoring, Process monitoring
Version: 1.1
Created: 31 May 2017
Last Modified: 28 March 2020

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [2]

Limit Hardware Installation

Limit the use of USB devices and removable media within a network.

Detection

Monitor file access on removable media. Detect processes that execute when removable media are mounted.

References