Skip to content

T1052 Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Item Value
ID T1052
Sub-techniques T1052.001
Tactics TA0010
Platforms Linux, Windows, macOS
Version 1.2
Created 31 May 2017
Last Modified 15 October 2021

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention Data loss prevention can detect and block sensitive data being copied to physical mediums.
M1042 Disable or Remove Feature or Program Disable Autorun if it is unnecessary. 1 Disallow or restrict removable media at an organizational policy level if they are not required for business operations. 2
M1034 Limit Hardware Installation Limit the use of USB devices and removable media within a network.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0016 Drive Drive Creation
DS0022 File File Access
DS0009 Process Process Creation

References

  1. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016. 

  2. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.