T1052.001 Exfiltration over USB Mappings

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| endpoint_management | Endpoint Management | technique_scores | T1052.001 | Exfiltration over USB | This control can prevent exfiltration over USB by disabling USB file transfers on enrolled Android devices. |
| chronicle | Chronicle | technique_scores | T1052.001 | Exfiltration over USB | Chronicle is able to trigger an alert based on events, such as "new USB device is connected to a system". This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral |