Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1052 | Exfiltration Over Physical Medium | This diagnostic statement protects against Exfiltration Over Physical Medium through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services. |
DE.CM-01.04 | Unauthorized device connection | Mitigates | T1052 | Exfiltration Over Physical Medium | This diagnostic statement protects against exfiltration of data via a physical medium, such as a removable drive, by using tools to detect and block the use of unauthorized devices. |
PR.DS-01.02 | Data loss prevention | Mitigates | T1052 | Exfiltration Over Physical Medium | Data loss prevention controls may mitigate this technique by detecting and blocking the copying of sensitive data to removable media, and more broadly mitigate techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services. |
PR.DS-10.01 | Data-in-use protection | Mitigates | T1052 | Exfiltration Over Physical Medium | This diagnostic statement describes mitigations for protecting data-in-use, including encryption, access control methods, and authentication. Encrypting data-in-use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats. |
PR.PS-01.08 | End-user device protection | Mitigates | T1052 | Exfiltration Over Physical Medium | This diagnostic statement protects against Exfiltration Over Physical Medium by limiting access to resources to authorized devices only, managing personal computing devices, network intrusion prevention, and the use of antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Export data | Export data to another site or system | related-to | T1052 | Exfiltration Over Physical Medium | |
attribute.confidentiality.data_disclosure | None | related-to | T1052 | Exfiltration Over Physical Medium | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1052 | Exfiltration Over Physical Medium | Google Security Operations can trigger alerts on system events such as a new USB device being detected. This technique was scored as minimal because of low or uncertain detection coverage. References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/usb_new_device.yaral and https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral |
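The two detection-oriented mappings above (DE.CM-01.04, "detect and block the use of unauthorized devices", and the Google Security Operations score, which rests on alerting when a USB device is detected) both come down to the same check: watch for device-recognized events and grade them by whether the device is removable storage and whether it is approved. The following is an added example written for this page, not code from Chronicle, Google Security Operations, or the referenced YARA-L rules. It runs a small detector over a constructed JSON-lines export shaped like Windows Security event ID 6416 ("A new external device was recognized by the system"); the field names match that event, while the hosts, users, device serials, and the allowlist of approved serials are invented for the example.

```python
"""Grade Windows Security event 6416 records by what was plugged in.

Added example for the T1052 mapping page; not Google SecOps or YARA-L code.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: one JSON object per line, shaped like Security
# event ID 6416, which Windows emits when Plug and Play auditing is enabled.
# Field names follow the event's data fields; hosts, users, and serials are
# invented. The 4624 record is an unrelated logon included as noise.
SAMPLE_LOG = r'''
{"EventID": 6416, "Computer": "WS-0412", "SubjectUserName": "jdoe", "ClassName": "DiskDrive", "DeviceId": "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230718116054&0", "DeviceDescription": "SanDisk Cruzer Glide USB Device"}
{"EventID": 6416, "Computer": "WS-0412", "SubjectUserName": "jdoe", "ClassName": "Keyboard", "DeviceId": "HID\\VID_046D&PID_C31C&MI_00\\7&1A2B3C4D&0&0000", "DeviceDescription": "HID Keyboard Device"}
{"EventID": 4624, "Computer": "WS-0907", "SubjectUserName": "svc_backup"}
{"EventID": 6416, "Computer": "WS-0907", "SubjectUserName": "svc_backup", "ClassName": "DiskDrive", "DeviceId": "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B5E11C0B0&0", "DeviceDescription": "Kingston DataTraveler USB Device"}
'''

# Hypothetical allowlist of removable-storage serial numbers approved for use
# (assumption; a real deployment would source this from asset inventory).
APPROVED_SERIALS = {"0019E06B5E11C0B0"}

# USB mass-storage device IDs have the form
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
# so the serial is the component after the second backslash, up to '&'.
USBSTOR_RE = re.compile(r"^USBSTOR\\[^\\]+\\([^&\\]+)", re.IGNORECASE)


@dataclass
class Alert:
    severity: str          # "high", "low", or "info"
    host: str
    user: str
    device_id: str
    serial: Optional[str]  # None when the device is not USB mass storage
    reason: str


def parse_log(text: str) -> List[dict]:
    """Parse a JSON-lines export; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def usbstor_serial(device_id: str) -> Optional[str]:
    """Return the serial embedded in a USBSTOR device ID, else None."""
    m = USBSTOR_RE.match(device_id)
    return m.group(1) if m else None


def detect(events: List[dict]) -> List[Alert]:
    """Emit one alert per 6416 event, graded by the attached device."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 6416:
            continue  # only device-recognized events are of interest here
        device_id = ev.get("DeviceId", "")
        serial = usbstor_serial(device_id)
        if serial is None:
            sev, why = "low", "new external device (not USB mass storage)"
        elif serial.upper() in APPROVED_SERIALS:
            sev, why = "info", "approved removable storage attached"
        else:
            sev, why = "high", "unapproved removable storage attached"
        alerts.append(Alert(sev, ev.get("Computer", "?"),
                            ev.get("SubjectUserName", "?"),
                            device_id, serial, why))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity:4}] {a.host} {a.user}: {a.reason} ({a.device_id})")
```

Two caveats a practitioner would want alongside this: event 6416 is only written when the Audit PNP Activity subcategory is enabled, so the detection has no coverage on hosts where it is off, which is one reason a detection-only score stays at minimal; and a serial allowlist is a convenience, not a security boundary, since USB serials are reported by the device itself and can be cloned, so the "block" half of DE.CM-01.04 still belongs in device-control policy rather than in the detector.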
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1052.001 | Exfiltration over USB | 27 |