1. Home
  2. Techniques
  3. Enterprise
  4. Exfiltration Over Physical Medium
  5. Exfiltration over USB

Exfiltration Over Physical Medium: Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

ID: T1052.001
Sub-technique of:  T1052
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Contributors: William Cain
Version: 1.2
Created: 11 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0092 Agent.btz

Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1]
S0409 Machete

Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[2][3]
G0129 Mustang Panda

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[4]
S0125 Remsec

Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.[5]
S0035 SPACESHIP

SPACESHIP copies staged data to removable drives when they are inserted into the system.[6]
G0081 Tropic Trooper

Tropic Trooper has exfiltrated data using USB storage devices.[7]

S0136 USBStealer

USBStealer exfiltrates collected files via removable media from air-gapped victims.[8]

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can detect and block sensitive data being copied to USB devices.
M1042 Disable or Remove Feature or Program

Disable Autorun if it is unnecessary. [9] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [10]
M1034 Limit Hardware Installation

Limit the use of USB devices and removable media within a network.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0220 Detection of USB-Based Data Exfiltration AN0616

Detects USB device insertion followed by high-volume or sensitive file access and staging activity by suspicious processes or accounts.
AN0617

Detects USB block device mount followed by file access in sensitive directories or high-volume copy operations by user-controlled processes.
AN0618

Detects external volume mount with Finder, Terminal, or script-initiated file copy from user profiles, sensitive folders, or cloud storage sync directories to USB.

References

  1. Gostev, A.. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
  2. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  3. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  4. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  5. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  1. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  2. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  3. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  4. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
  5. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.