Skip to content

T1052.001 Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Item Value
ID T1052.001
Sub-techniques T1052.001
Tactics TA0010
Platforms Linux, Windows, macOS
Version 1.1
Created 11 March 2020
Last Modified 15 October 2021

Procedure Examples

ID Name Description
S0092 Agent.btz Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.8
S0409 Machete Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.67
G0129 Mustang Panda Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.10
S0125 Remsec Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.5
S0035 SPACESHIP SPACESHIP copies staged data to removable drives when they are inserted into the system.3
G0081 Tropic Trooper Tropic Trooper has exfiltrated data using USB storage devices.9
S0136 USBStealer USBStealer exfiltrates collected files via removable media from air-gapped victims.4


ID Mitigation Description
M1057 Data Loss Prevention Data loss prevention can detect and block sensitive data being copied to USB devices.
M1042 Disable or Remove Feature or Program Disable Autorun if it is unnecessary. 1 Disallow or restrict removable media at an organizational policy level if they are not required for business operations. 2
M1034 Limit Hardware Installation Limit the use of USB devices and removable media within a network.


ID Data Source Data Component
DS0017 Command Command Execution
DS0016 Drive Drive Creation
DS0022 File File Access
DS0009 Process Process Creation