Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
ID | Name | Description |
---|---|---|
S0092 | Agent.btz |
Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1] |
S0409 | Machete |
Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[2][3] |
G0129 | Mustang Panda |
Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[4] |
S0125 | Remsec |
Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.[5] |
S0035 | SPACESHIP |
SPACESHIP copies staged data to removable drives when they are inserted into the system.[6] |
G0081 | Tropic Trooper |
Tropic Trooper has exfiltrated data using USB storage devices.[7] |
S0136 | USBStealer |
USBStealer exfiltrates collected files via removable media from air-gapped victims.[8] |
ID | Mitigation | Description |
---|---|---|
M1057 | Data Loss Prevention |
Data loss prevention can detect and block sensitive data being copied to USB devices. |
M1042 | Disable or Remove Feature or Program |
Disable Autorun if it is unnecessary. [9] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [10] |
M1034 | Limit Hardware Installation |
Limit the use of USB devices and removable media within a network. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may attempt to exfiltrate data over a USB connected physical device. |
DS0016 | Drive | Drive Creation |
Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device. |
DS0022 | File | File Access |
Monitor file access on removable media that may attempt to exfiltrate data over a USB connected physical device. |
DS0009 | Process | Process Creation |
Monitor for newly executed processes when removable media is mounted |