Exfiltration Over Physical Medium: Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

ID: T1052.001
Sub-technique of:  T1052
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
System Requirements: Presence of physical medium or device
Contributors: William Cain
Version: 1.1
Created: 11 March 2020
Last Modified: 15 October 2021

Procedure Examples

ID Name Description
S0092 Agent.btz

Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1]

S0409 Machete

Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[2][3]

G0129 Mustang Panda

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[4]

S0125 Remsec

Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.[5]

S0035 SPACESHIP

SPACESHIP copies staged data to removable drives when they are inserted into the system.[6]

G0081 Tropic Trooper

Tropic Trooper has exfiltrated data using USB storage devices.[7]

S0136 USBStealer

USBStealer exfiltrates collected files via removable media from air-gapped victims.[8]

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can detect and block sensitive data being copied to USB devices.

M1042 Disable or Remove Feature or Program

Disable Autorun if it is unnecessary. [9] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [10]

M1034 Limit Hardware Installation

Limit the use of USB devices and removable media within a network.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to exfiltrate data over a USB connected physical device.

DS0016 Drive Drive Creation

Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device.

DS0022 File File Access

Monitor file access on removable media that may attempt to exfiltrate data over a USB connected physical device.

DS0009 Process Process Creation

Monitor for newly executed processes when removable media is mounted

References