Exfiltration Over Physical Medium: Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

ID: T1052.001
Sub-technique of:  T1052
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
System Requirements: Presence of physical medium or device
Data Sources: Command: Command Execution, Drive: Drive Creation, File: File Access, Process: Process Creation
Version: 1.0
Created: 11 March 2020
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
S0092 Agent.btz

Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.[1]

S0409 Machete

Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.[2][3]

G0129 Mustang Panda

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[4]

S0125 Remsec

Remsec contains a module to move data from air-gapped networks to Internet-connected systems by using a removable USB device.[5]

S0035 SPACESHIP

SPACESHIP copies staged data to removable drives when they are inserted into the system.[6]

G0081 Tropic Trooper

Tropic Trooper has exfiltrated data using USB storage devices.[7]

S0136 USBStealer

USBStealer exfiltrates collected files via removable media from air-gapped victims.[8]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable Autorun if it is not needed.[9] Disallow or restrict removable media through organizational policy, enforced by technical controls on endpoints, where it is not required for business operations.[10]

M1034 Limit Hardware Installation

Limit the use of USB devices and removable media within a network, for example by restricting which device classes or hardware IDs may be installed on endpoints.
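The two mitigations above are, on Windows, a handful of registry-backed policy values. The following is an added example, not ATT&CK content, that audits a snapshot of those values and reports which mitigation is missing. It works on a constructed dict standing in for exported `reg query` output rather than the live registry, so it runs on any platform; the key paths and value names are the ones Group Policy writes for "Turn off Autoplay" and "Removable Storage Access", while the finding texts, the example snapshots and the choice to check only HKLM (a per-user HKCU override is not seen) are this example's own assumptions.

```python
"""Audit the Windows policy values behind the two mitigations above: Autorun
disabled, and removable storage denied at policy level.

Added example, not ATT&CK content. It evaluates a snapshot of registry values
(a constructed dict standing in for exported `reg query` output) rather than
the live registry, so it runs anywhere. Only HKLM policy keys are checked.
"""
from __future__ import annotations
from typing import Mapping

EXPLORER_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RSD_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
REMOVABLE_DISKS = RSD_POLICY + r"\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"  # "Removable Disks" class

# NoDriveTypeAutoRun is a bitmask; a set bit disables Autorun for that drive type.
DRIVE_REMOVABLE = 0x04
DRIVE_CDROM = 0x20
AUTORUN_OFF_ALL = 0xFF   # disables Autorun for every drive type
AUTORUN_DEFAULT = 0x91   # effective value with no policy set: unknown-type and network drives only


def autorun_findings(values: Mapping[str, int]) -> list[str]:
    mask = values.get(EXPLORER_POLICY + r"\NoDriveTypeAutoRun", AUTORUN_DEFAULT)
    findings = []
    if not mask & DRIVE_REMOVABLE:
        findings.append(f"Autorun enabled for removable drives (NoDriveTypeAutoRun={mask:#04x}; set to 0xff)")
    if not mask & DRIVE_CDROM:
        findings.append(f"Autorun enabled for CD/DVD drives (NoDriveTypeAutoRun={mask:#04x}; set to 0xff)")
    return findings


def removable_storage_findings(values: Mapping[str, int]) -> list[str]:
    if values.get(RSD_POLICY + r"\Deny_All") == 1:
        return []   # every removable storage class is denied; nothing to copy to
    findings = []
    if values.get(REMOVABLE_DISKS + r"\Deny_Write") != 1:
        findings.append("Writes to removable disks allowed: data can be copied to USB storage (set Deny_Write=1)")
    if values.get(REMOVABLE_DISKS + r"\Deny_Execute") != 1:
        findings.append("Execution from removable disks allowed (set Deny_Execute=1)")
    return findings


def audit(values: Mapping[str, int]) -> list[str]:
    """All findings for one host snapshot; an empty list means both mitigations are in place."""
    return autorun_findings(values) + removable_storage_findings(values)


# Constructed snapshots (not taken from a real host).
WEAK: dict[str, int] = {}   # nothing configured: Windows defaults apply
HARDENED = {
    EXPLORER_POLICY + r"\NoDriveTypeAutoRun": AUTORUN_OFF_ALL,
    REMOVABLE_DISKS + r"\Deny_Write": 1,
    REMOVABLE_DISKS + r"\Deny_Execute": 1,
}
LOCKED_DOWN = {   # the "Deny all access" policy makes the per-class values moot
    EXPLORER_POLICY + r"\NoDriveTypeAutoRun": AUTORUN_OFF_ALL,
    RSD_POLICY + r"\Deny_All": 1,
}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED), ("locked_down", LOCKED_DOWN)):
        print(name, audit(snap) or "ok")
```

Deny_Write is the value that matters for this sub-technique: a drive that can be read but not written cannot receive staged data. Deny_Execute and the Autorun mask close the companion initial-access path (code running from the inserted device) rather than exfiltration itself.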

Detection

Monitor file access on removable media, and detect processes that execute when removable media are mounted. The data sources above map to concrete telemetry: on Windows, Security event 6416 (a new external device was recognized; requires Audit PNP Activity) records the drive's arrival, event 4663 records file access on it once the Audit Removable Storage subcategory is enabled, and Sysmon event 11 (FileCreate) shows which process wrote which files to a removable drive letter. On Linux, usb-storage kernel messages and udev events mark insertion, and an auditd watch on the mount point (for example /media or /run/media) records writes; on macOS, the unified log from diskarbitrationd records mounts. Correlate drive creation with the process creation and file writes that follow it within a short window: a process that starts on insertion and copies many files to the new drive, writes into hidden folders on it, or creates unusual files such as thumb.dd (see Agent.btz above) matches the behaviour described in the procedure examples.
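The correlation described above, as an added example that is not part of the ATT&CK page: drive creation, process creation and file writes on the same host are replayed from a stream of events already normalized to a small JSON schema (ts, host, type plus per-type fields), which is an assumption of this example; a real pipeline would first map Windows Security 6416/4663, Sysmon 1/11 or Linux udev/auditd records into that shape. The sample events, the thresholds and the rule names are constructed for illustration.

```python
"""Correlate removable-media mounts with what happens next on the host, as the
Detection section describes: writes to the new drive, bulk copies by a single
process, and processes that start moments after a mount (the SPACESHIP-style
"copy on insert" trigger).

Added example, not ATT&CK content. Input is a constructed stream of events
already normalized to a small JSON schema; thresholds are illustrative.
"""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime, timedelta

TRIGGER_WINDOW = timedelta(seconds=30)  # a process starting this soon after a mount looks mount-triggered
BULK_THRESHOLD = 3                       # distinct files one process writes to a drive -> bulk copy


def _norm(path: str) -> str:
    """Unify separators and case so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower().rstrip("/")


def _under(path: str, mount: str) -> bool:
    p, m = _norm(path), _norm(mount)
    return p == m or p.startswith(m + "/")


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text: str) -> list[dict]:
    active: dict[tuple[str, str], dict] = {}   # (host, mount) -> drive_created event
    files_by_proc = defaultdict(set)           # (host, pid, mount) -> paths written so far
    alerts: list[dict] = []

    def alert(rule: str, ev: dict, **extra) -> None:
        alerts.append({"rule": rule, "host": ev["host"], "ts": ev["ts"].isoformat(), **extra})

    for ev in parse_events(text):
        host, kind = ev["host"], ev["type"]
        if kind == "drive_created":
            active[(host, _norm(ev["mount"]))] = ev
        elif kind == "drive_removed":
            # After unmount, writes under the old mount point land on local disk, not the device.
            active.pop((host, _norm(ev["mount"])), None)
        elif kind == "process_created":
            for (h, _), m in active.items():
                if h == host and timedelta(0) <= ev["ts"] - m["ts"] <= TRIGGER_WINDOW:
                    alert("mount_triggered_process", ev, pid=ev["pid"], image=ev["image"], mount=m["mount"])
        elif kind == "file_write":
            for (h, mnt), m in active.items():
                if h != host or not _under(ev["path"], mnt):
                    continue
                seen = files_by_proc[(host, ev["pid"], mnt)]
                if not seen:   # first write by this process to this device
                    alert("write_to_removable", ev, pid=ev["pid"], image=ev["image"], path=ev["path"])
                seen.add(_norm(ev["path"]))
                if len(seen) == BULK_THRESHOLD:
                    alert("bulk_copy_to_removable", ev, pid=ev["pid"], image=ev["image"],
                          mount=m["mount"], files=len(seen))
    return alerts


# Constructed sample (not real logs): a Windows workstation where a staged binary
# copies three documents into a hidden folder on a freshly inserted drive, a user
# copying one photo, and a Linux server whose drive is removed before a later write.
SAMPLE_EVENTS = r"""
{"ts":"2020-03-28T09:00:00","host":"ws01","type":"drive_created","mount":"E:\\","device":"usbstor-disk-0"}
{"ts":"2020-03-28T09:00:05","host":"ws01","type":"process_created","pid":4242,"image":"C:\\ProgramData\\stage\\updater.exe"}
{"ts":"2020-03-28T09:00:12","host":"ws01","type":"file_write","pid":4242,"image":"C:\\ProgramData\\stage\\updater.exe","path":"E:\\.sys\\doc1.docx"}
{"ts":"2020-03-28T09:00:13","host":"ws01","type":"file_write","pid":4242,"image":"C:\\ProgramData\\stage\\updater.exe","path":"E:\\.sys\\doc2.xlsx"}
{"ts":"2020-03-28T09:00:14","host":"ws01","type":"file_write","pid":4242,"image":"C:\\ProgramData\\stage\\updater.exe","path":"E:\\.sys\\doc3.pdf"}
{"ts":"2020-03-28T09:05:00","host":"ws01","type":"process_created","pid":5120,"image":"C:\\Windows\\System32\\notepad.exe"}
{"ts":"2020-03-28T09:06:00","host":"ws01","type":"file_write","pid":880,"image":"C:\\Windows\\explorer.exe","path":"E:\\photos\\trip.jpg"}
{"ts":"2020-03-28T09:30:00","host":"srv02","type":"drive_created","mount":"/media/usb0","device":"sdb1"}
{"ts":"2020-03-28T09:31:00","host":"srv02","type":"file_write","pid":3100,"image":"/usr/bin/cp","path":"/media/usb0/notes.txt"}
{"ts":"2020-03-28T09:32:00","host":"srv02","type":"drive_removed","mount":"/media/usb0"}
{"ts":"2020-03-28T09:40:00","host":"srv02","type":"file_write","pid":3100,"image":"/usr/bin/cp","path":"/media/usb0/notes2.txt"}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the sample this raises one mount_triggered_process alert for updater.exe, one bulk_copy_to_removable alert once it has written its third file, and a write_to_removable alert for each process that touches a mounted drive (updater.exe, explorer.exe and cp). The final write on srv02 raises nothing because the device was already unmounted, which is the case a naive path-prefix rule would get wrong.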

References