1. Home
  2. Techniques
  3. Enterprise
  4. Exfiltration Over Physical Medium
  5. Exfiltration over USB

Exfiltration Over Physical Medium: Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

ID: T1052.001
Sub-technique of:  T1052
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Contributors: William Cain
Version: 1.2
Created: 11 March 2020
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
S0092 Agent.btz

Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1]
S0409 Machete

Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[2][3]
G0129 Mustang Panda

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[4]
S0125 Remsec

Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.[5]
S0035 SPACESHIP

SPACESHIP copies staged data to removable drives when they are inserted into the system.[6]
G0081 Tropic Trooper

Tropic Trooper has exfiltrated data using USB storage devices.[7]

S0136 USBStealer

USBStealer exfiltrates collected files via removable media from air-gapped victims.[8]

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Data loss prevention can detect and block sensitive data being copied to USB devices.
M1042 Disable or Remove Feature or Program

Disable Autorun if it is unnecessary. [9] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [10]
M1034 Limit Hardware Installation

Limit the use of USB devices and removable media within a network.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for execution of file transfer commands targeting USB storage (robocopy, xcopy, cp, rsync), use of disk management utilities (diskpart, mount, mkfs, fdisk), or PowerShell or Bash scripts automating USB file transfers.

Analytic 1 - Detecting File Transfers to USB via Command Execution

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (command IN ("robocopy", "xcopy", "cp", "rsync", "mount", "diskutil", "diskpart"))| eval risk_score=case( command IN ("robocopy", "cp", "rsync"), 9, command IN ("mount", "diskutil", "diskpart"), 8)| where risk_score >= 8| stats count by _time, host, user, command, risk_score
DS0016 Drive Drive Creation

Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device.

Analytic 1 - Detecting New USB Drive Mounting Events

(EventCode=6 OR EventCode=4663 OR source="/var/log/syslog" "usb-storage added" OR source="com.apple.DiskArbitration")| where (device_type IN ("USB", "Removable Storage"))| stats count by _time, host, user, device_name, device_type| eval risk_score=case( device_type="USB", 9, device_type="Removable Storage", 8)| where risk_score >= 8| table host, user, device_name, device_type, risk_score

DS0022 File File Access

Monitor file access on removable media that may attempt to exfiltrate data over a USB connected physical device.

Analytic 1 - Detecting File Transfers to USB Storage

(EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")| where (file_path IN ("/media/usb/", "/mnt/usb/", "D:\USB\", "E:\USB\"))| eval risk_score=case( file_path LIKE "%/media/usb/%", 9, file_path LIKE "%D:\USB\%", 8)| where risk_score >= 8| stats count by _time, host, user, file_path, risk_score
DS0009 Process Process Creation

Monitor for newly executed processes when removable media is mounted

Analytic 1 - Detecting Processes Executed from USB Devices

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (process_name IN ("explorer.exe", "powershell.exe", "cmd.exe", "bash", "sh") AND process_path LIKE "/media/usb/%")| eval risk_score=case( process_path LIKE "/media/usb/%", 9, process_path LIKE "D:\USB\%", 8)| where risk_score >= 8| stats count by _time, host, user, process_name, process_path, risk_score

References

  1. Gostev, A.. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
  2. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  3. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  4. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  5. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  1. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  2. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  3. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  4. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
  5. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.