Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Some adversaries may also use Automated Collection on removable media.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1025 | Data from Removable Media |
Comments
This diagnostic statement protects against Data from Removable Media through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
References
|
PR.DS-01.03 | Removable media protection | Mitigates | T1025 | Data from Removable Media |
Comments
This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity.
References
|
PR.DS-01.02 | Data loss prevention | Mitigates | T1025 | Data from Removable Media |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
References
|
PR.DS-10.01 | Data-in-use protection | Mitigates | T1025 | Data from Removable Media |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1025 | Data from Removable Media | |
attribute.confidentiality.data_disclosure | None | related-to | T1025 | Data from Removable Media |