T1052.001 Exfiltration over USB
Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Item | Value |
---|---|
ID | T1052.001 |
Sub-technique of | T1052 (Exfiltration Over Physical Medium) |
Tactics | TA0010 (Exfiltration) |
Platforms | Linux, Windows, macOS |
Version | 1.1 |
Created | 11 March 2020 |
Last Modified | 15 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0092 | Agent.btz | Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs. [5] |
S0409 | Machete | Machete has a feature to copy files from every drive onto a removable drive in a hidden folder. [3][4] |
G0129 | Mustang Panda | Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks. [9] |
S0125 | Remsec | Remsec contains a module to move data from air-gapped networks to Internet-connected systems by using a removable USB device. [6] |
S0035 | SPACESHIP | SPACESHIP copies staged data to removable drives when they are inserted into the system. [7] |
G0081 | Tropic Trooper | Tropic Trooper has exfiltrated data using USB storage devices. [10] |
S0136 | USBStealer | USBStealer exfiltrates collected files via removable media from air-gapped victims. [8] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being copied to USB devices. |
M1042 | Disable or Remove Feature or Program | Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [2] |
M1034 | Limit Hardware Installation | Limit the use of USB devices and removable media within a network. |
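The two M1042 controls above map to concrete Windows policy values: the NoDriveTypeAutoRun bitmask that reference [1] describes (0xFF disables AutoRun for every drive type; bit 0x04 is the removable-drive class) and the RemovableStorageDevices policy key that "Removable Disks: Deny write access" writes. The following audit is an added example, not code from the ATT&CK page or from Microsoft: it parses the plain `"name"=dword:...` lines of a `reg export` file and reports whether either control is missing. The two exports it checks are constructed, and the parser deliberately ignores continued hex-value lines.

```python
"""Audit a Windows registry export for the AutoRun and removable-storage
policies behind M1042 (added illustration, not from the ATT&CK page).
Constructed sample exports; read real exports with encoding="utf-16"."""
import re

EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RSD_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
# Device-class GUID of "Removable Disks" under the RemovableStorageDevices policy
REMOVABLE_DISKS = RSD_POLICY + r"\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
DRIVE_REMOVABLE_BIT = 0x04   # NoDriveTypeAutoRun bit for removable drives; 0xFF covers all types


def parse_reg(text):
    """Return {key_path: {value_name: int | str}} from .reg text.
    Handles dword and quoted-string values only; hex(...) continuations are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[len("dword:"):], 16)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1]
    return keys


def audit(reg_text):
    """Return a list of findings; an empty list means both controls are in place."""
    keys = parse_reg(reg_text)
    findings = []
    autorun = keys.get(EXPLORER_POLICY, {}).get("NoDriveTypeAutoRun")
    if autorun is None or not autorun & DRIVE_REMOVABLE_BIT:
        findings.append(f"AutoRun not disabled for removable drives "
                        f"(NoDriveTypeAutoRun={autorun!r}; want 0xFF)")
    deny_all = keys.get(RSD_POLICY, {}).get("Deny_All") == 1          # all removable classes
    deny_write = keys.get(REMOVABLE_DISKS, {}).get("Deny_Write") == 1  # removable disks only
    if not (deny_all or deny_write):
        findings.append("Removable disks are writable (set Deny_All on all classes "
                        "or Deny_Write on Removable Disks)")
    return findings


# Constructed exports: WEAK leaves AutoRun on for removable drives and has no
# storage policy; HARDENED applies both controls.
WEAK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

HARDENED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Write"=dword:00000001
"Deny_Execute"=dword:00000001
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(text) or ["ok"])
```

Deny_Write is the value that matters for this technique; Deny_Read and Deny_Execute address inbound malware rather than exfiltration. On the Linux hosts the page also lists, the equivalent blanket control is an `install usb-storage /bin/false` line in a file under /etc/modprobe.d/, which prevents the usb-storage module from loading at all.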
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0016 | Drive | Drive Creation |
DS0022 | File | File Access |
DS0009 | Process | Process Creation |
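The data sources above only become a detection once they are correlated: a removable drive appearing (Drive Creation), followed shortly by a copy utility naming that drive letter (Command Execution, Process Creation) or by a burst of file writes onto it (File Access). The following correlator is an added example, not code from the ATT&CK page or from any EDR product: the event dictionaries, field names, thresholds and the sample telemetry are all constructed, and a practitioner would map their own Sysmon or EDR fields onto the keys used here. The Machete and SPACESHIP procedure examples above are the pattern it is tuned for, a hidden folder or staged data copied to a just-inserted drive.

```python
"""Correlate drive-creation, file-write and process-creation telemetry to flag
bulk copies onto a freshly mounted removable drive (T1052.001).
Added illustration with constructed events; not from the ATT&CK page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # a drive counts as "fresh" this long after mount
FILE_THRESHOLD = 20                   # writes by one process to the drive inside WINDOW
BYTE_THRESHOLD = 50 * 1024 * 1024     # or this many bytes, whichever trips first
COPY_TOOLS = re.compile(r"\b(xcopy|robocopy|copy|cp|rsync|tar|7z|zip)\b", re.I)


def _mentions_drive(cmdline, drive):
    # "E:" preceded by a letter (as in "MODE:") is not a drive reference
    return re.search(r"(?<![A-Za-z])" + re.escape(drive), cmdline, re.I) is not None


def detect(events):
    """Return a list of alert dicts in event order."""
    events = sorted(events, key=lambda e: e["ts"])
    mounts = {}                                   # (host, drive) -> mount time
    writes = defaultdict(lambda: [0, 0])          # (host, drive, pid) -> [files, bytes]
    fired, alerts = set(), []
    for e in events:
        host, kind, t = e["host"], e["type"], datetime.fromisoformat(e["ts"])
        if kind == "drive_create":
            if e.get("bus") == "USB":             # Drive Creation: only removable media
                mounts[(host, e["drive"])] = t
            continue
        # Does this event touch a removable drive mounted within WINDOW on this host?
        drive = None
        for (h, d), mounted_at in mounts.items():
            if h != host or not (timedelta(0) <= t - mounted_at <= WINDOW):
                continue
            if kind == "file_write" and e["path"].upper().startswith(d.upper()):
                drive = d
            elif kind == "process_create" and _mentions_drive(e["cmdline"], d):
                drive = d
        if drive is None:
            continue
        if kind == "process_create" and COPY_TOOLS.search(e["cmdline"]):
            alerts.append({"rule": "copy-tool-to-removable", "host": host, "drive": drive,
                           "pid": e["pid"], "ts": e["ts"], "detail": e["cmdline"]})
        elif kind == "file_write":
            key = (host, drive, e["pid"])
            writes[key][0] += 1
            writes[key][1] += e.get("bytes", 0)
            files, nbytes = writes[key]
            if key not in fired and (files >= FILE_THRESHOLD or nbytes >= BYTE_THRESHOLD):
                fired.add(key)                    # one alert per process and drive
                alerts.append({"rule": "bulk-write-to-removable", "host": host, "drive": drive,
                               "pid": e["pid"], "ts": e["ts"], "files": files,
                               "bytes": nbytes, "detail": e["image"]})
    return alerts


# Constructed sample telemetry (not real logs).
_T0 = datetime(2021, 10, 15, 9, 0, 0)


def _at(seconds):
    return (_T0 + timedelta(seconds=seconds)).isoformat()


SAMPLE_EVENTS = [
    {"ts": _at(0), "type": "drive_create", "host": "ws01", "drive": "E:", "bus": "USB"},
    {"ts": _at(0), "type": "drive_create", "host": "ws02", "drive": "D:", "bus": "SATA"},
    {"ts": _at(2), "type": "process_create", "host": "ws01", "pid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c xcopy C:\Users\alice\Documents E:\.backup /s /h /y"},
    # a write to the fixed disk by the same process is not counted
    {"ts": _at(3), "type": "file_write", "host": "ws01", "pid": 4120,
     "image": r"C:\Windows\System32\xcopy.exe", "path": r"C:\Temp\log.txt", "bytes": 512},
    # two documents dragged to the drive in Explorer: benign volume, no alert
    {"ts": _at(300), "type": "file_write", "host": "ws01", "pid": 900,
     "image": r"C:\Windows\explorer.exe", "path": r"E:\slides.pptx", "bytes": 2_000_000},
    {"ts": _at(301), "type": "file_write", "host": "ws01", "pid": 900,
     "image": r"C:\Windows\explorer.exe", "path": r"E:\notes.txt", "bytes": 4_000},
    # a write 45 minutes after the mount falls outside WINDOW
    {"ts": _at(2700), "type": "file_write", "host": "ws01", "pid": 900,
     "image": r"C:\Windows\explorer.exe", "path": r"E:\late.txt", "bytes": 10},
] + [
    # xcopy fanning 25 documents into a dot-prefixed folder on the stick
    {"ts": _at(4 + i), "type": "file_write", "host": "ws01", "pid": 4120,
     "image": r"C:\Windows\System32\xcopy.exe", "path": rf"E:\.backup\doc{i:02d}.docx",
     "bytes": 1_000_000}
    for i in range(25)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out of the sample: the xcopy command line naming E: two seconds after the mount, and the bulk-write rule when the 20th document lands. The window and thresholds are the tuning knobs; an environment where users routinely move large files to USB will need higher thresholds or an allowlist of processes, while an air-gapped enclave where removable media is banned can alert on the Drive Creation event alone.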
References
1. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
2. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.
3. ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
4. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
5. Gostev, A. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
6. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
7. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
8. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
9. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong. Avira Blog. Retrieved April 13, 2021.
10. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments. Retrieved May 20, 2020.