T1052 Exfiltration Over Physical Medium Mappings

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1052 | Exfiltration Over Physical Medium | |
| CM-06 | Configuration Settings | mitigates | T1052 | Exfiltration Over Physical Medium | |
| MP-07 | Media Use | mitigates | T1052 | Exfiltration Over Physical Medium | |
| SC-41 | Port and I/O Device Access | mitigates | T1052 | Exfiltration Over Physical Medium | |
| AC-23 | Data Mining Protection | mitigates | T1052 | Exfiltration Over Physical Medium | |
| SR-04 | Provenance | mitigates | T1052 | Exfiltration Over Physical Medium | |
| SC-28 | Protection of Information at Rest | mitigates | T1052 | Exfiltration Over Physical Medium | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1052 | Exfiltration Over Physical Medium | |
| CM-08 | System Component Inventory | mitigates | T1052 | Exfiltration Over Physical Medium | |
| SI-03 | Malicious Code Protection | mitigates | T1052 | Exfiltration Over Physical Medium | |
| AC-16 | Security and Privacy Attributes | mitigates | T1052 | Exfiltration Over Physical Medium | |
| AC-20 | Use of External Systems | mitigates | T1052 | Exfiltration Over Physical Medium | |
| CM-02 | Baseline Configuration | mitigates | T1052 | Exfiltration Over Physical Medium | |
| SA-08 | Security and Privacy Engineering Principles | mitigates | T1052 | Exfiltration Over Physical Medium | |
| CM-07 | Least Functionality | mitigates | T1052 | Exfiltration Over Physical Medium | |
| SI-04 | System Monitoring | mitigates | T1052 | Exfiltration Over Physical Medium | |
| AC-02 | Account Management | mitigates | T1052 | Exfiltration Over Physical Medium | |
| AC-03 | Access Enforcement | mitigates | T1052 | Exfiltration Over Physical Medium | |
| AC-06 | Least Privilege | mitigates | T1052 | Exfiltration Over Physical Medium | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1052 | Exfiltration Over Physical Medium | |
| attribute.confidentiality.data_disclosure | None | related-to | T1052 | Exfiltration Over Physical Medium | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1052 | Exfiltration Over Physical Medium | See comments below |

Comments

Google Security Operations is able to trigger alerts based on system events, such as a USB device being detected. This technique was scored as minimal based on a low or uncertain detection coverage factor.

References

- https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/usb_new_device.yaral
- https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1052.001 | Exfiltration over USB | 22 |