T1052 Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1052 | Exfiltration Over Physical Medium
Comments: This diagnostic statement protects against Exfiltration Over Physical Medium through the use of failsafes, backup facilities, disaster recovery, and resilience strategies, including resumption of critical services.
DE.CM-01.04 | Unauthorized device connection | Mitigates | T1052 | Exfiltration Over Physical Medium
Comments: This diagnostic statement provides protection from exfiltration of data via a physical medium, such as a removable drive, by using tools to detect and block the use of unauthorized devices.
PR.DS-01.02 | Data loss prevention | Mitigates | T1052 | Exfiltration Over Physical Medium
Comments: The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
PR.DS-10.01 | Data-in-use protection | Mitigates | T1052 | Exfiltration Over Physical Medium
Comments: This diagnostic statement describes mitigations related to protecting data-in-use, including encryption, access control methods, and authentication. Using encryption for data-in-use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats.
PR.PS-01.08 | End-user device protection | Mitigates | T1052 | Exfiltration Over Physical Medium
Comments: This diagnostic statement protects against Exfiltration Over Physical Medium by limiting access to resources to authorized devices only, managing personal computing devices, using network intrusion prevention, and using antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1052 | Exfiltration Over Physical Medium
CM-06 | Configuration Settings | mitigates | T1052 | Exfiltration Over Physical Medium
MP-07 | Media Use | mitigates | T1052 | Exfiltration Over Physical Medium
SC-41 | Port and I/O Device Access | mitigates | T1052 | Exfiltration Over Physical Medium
AC-23 | Data Mining Protection | mitigates | T1052 | Exfiltration Over Physical Medium
SR-04 | Provenance | mitigates | T1052 | Exfiltration Over Physical Medium
SC-28 | Protection of Information at Rest | mitigates | T1052 | Exfiltration Over Physical Medium
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1052 | Exfiltration Over Physical Medium
CM-08 | System Component Inventory | mitigates | T1052 | Exfiltration Over Physical Medium
SI-03 | Malicious Code Protection | mitigates | T1052 | Exfiltration Over Physical Medium
AC-16 | Security and Privacy Attributes | mitigates | T1052 | Exfiltration Over Physical Medium
AC-20 | Use of External Systems | mitigates | T1052 | Exfiltration Over Physical Medium
CM-02 | Baseline Configuration | mitigates | T1052 | Exfiltration Over Physical Medium
SA-08 | Security and Privacy Engineering Principles | mitigates | T1052 | Exfiltration Over Physical Medium
CM-07 | Least Functionality | mitigates | T1052 | Exfiltration Over Physical Medium
SI-04 | System Monitoring | mitigates | T1052 | Exfiltration Over Physical Medium
AC-02 | Account Management | mitigates | T1052 | Exfiltration Over Physical Medium
AC-03 | Access Enforcement | mitigates | T1052 | Exfiltration Over Physical Medium
AC-06 | Least Privilege | mitigates | T1052 | Exfiltration Over Physical Medium

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.Export data | Export data to another site or system | related-to | T1052 | Exfiltration Over Physical Medium
attribute.confidentiality.data_disclosure | None | related-to | T1052 | Exfiltration Over Physical Medium

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1052 | Exfiltration Over Physical Medium
Comments: Google Security Operations is able to trigger alerts based on system events such as a USB device being detected. This technique was scored as Minimal based on the low or uncertain detection coverage factor.
References:
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/usb_new_device.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1052.001 | Exfiltration over USB | 27