T1025 Data from Removable Media Mappings

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1025 Data from Removable Media
AC-02 Account Management Protects T1025 Data from Removable Media
AC-23 Data Mining Protection Protects T1025 Data from Removable Media
AC-03 Access Enforcement Protects T1025 Data from Removable Media
AC-06 Least Privilege Protects T1025 Data from Removable Media
CM-12 Information Location Protects T1025 Data from Removable Media
CP-09 System Backup Protects T1025 Data from Removable Media
MP-07 Media Use Protects T1025 Data from Removable Media
SA-08 Security and Privacy Engineering Principles Protects T1025 Data from Removable Media
SC-13 Cryptographic Protection Protects T1025 Data from Removable Media
SC-28 Protection of Information at Rest Protects T1025 Data from Removable Media
SC-38 Operations Security Protects T1025 Data from Removable Media
SC-41 Port and I/O Device Access Protects T1025 Data from Removable Media
SI-03 Malicious Code Protection Protects T1025 Data from Removable Media
SI-04 System Monitoring Protects T1025 Data from Removable Media