1. Home
  2. ATT&CK Techniques
  3. T1025 Data from Removable Media

T1025 Data from Removable Media

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-03.01 Alternative resilience mechanisms Mitigates T1025 Data from Removable Media
Comments
This diagnostic statement protects against Data from Removable Media through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
    PR.DS-01.03 Removable media protection Mitigates T1025 Data from Removable Media
    Comments
    This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity.
    References
      PR.DS-01.02 Data loss prevention Mitigates T1025 Data from Removable Media
      Comments
      The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
      References
        PR.DS-10.01 Data-in-use protection Mitigates T1025 Data from Removable Media
        Comments
        This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
        References

          NIST 800-53 Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          CM-12 Information Location mitigates T1025 Data from Removable Media
          MP-07 Media Use mitigates T1025 Data from Removable Media
          SC-38 Operations Security mitigates T1025 Data from Removable Media
          SC-41 Port and I/O Device Access mitigates T1025 Data from Removable Media
          SC-13 Cryptographic Protection mitigates T1025 Data from Removable Media
          CP-09 System Backup mitigates T1025 Data from Removable Media
          AC-23 Data Mining Protection mitigates T1025 Data from Removable Media
          SC-28 Protection of Information at Rest mitigates T1025 Data from Removable Media
          SI-03 Malicious Code Protection mitigates T1025 Data from Removable Media
          AC-16 Security and Privacy Attributes mitigates T1025 Data from Removable Media
          SA-08 Security and Privacy Engineering Principles mitigates T1025 Data from Removable Media
          SI-04 System Monitoring mitigates T1025 Data from Removable Media
          AC-02 Account Management mitigates T1025 Data from Removable Media
          AC-03 Access Enforcement mitigates T1025 Data from Removable Media
          AC-06 Least Privilege mitigates T1025 Data from Removable Media

          VERIS Mappings

          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
          action.malware.variety.Capture stored data Capture data stored on system disk related-to T1025 Data from Removable Media
          attribute.confidentiality.data_disclosure None related-to T1025 Data from Removable Media