T1052.001 Exfiltration over USB Mappings

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.


NIST 800-53 Mappings

Capability ID   Capability Description                        Mapping Type   ATT&CK ID   ATT&CK Name             Notes
CA-07           Continuous Monitoring                         mitigates      T1052.001   Exfiltration over USB
CM-06           Configuration Settings                        mitigates      T1052.001   Exfiltration over USB
MP-07           Media Use                                     mitigates      T1052.001   Exfiltration over USB
SC-41           Port and I/O Device Access                    mitigates      T1052.001   Exfiltration over USB
AC-23           Data Mining Protection                        mitigates      T1052.001   Exfiltration over USB
SR-04           Provenance                                    mitigates      T1052.001   Exfiltration over USB
SC-28           Protection of Information at Rest             mitigates      T1052.001   Exfiltration over USB
RA-05           Vulnerability Monitoring and Scanning         mitigates      T1052.001   Exfiltration over USB
CM-08           System Component Inventory                    mitigates      T1052.001   Exfiltration over USB
SI-03           Malicious Code Protection                     mitigates      T1052.001   Exfiltration over USB
AC-16           Security and Privacy Attributes               mitigates      T1052.001   Exfiltration over USB
AC-20           Use of External Systems                       mitigates      T1052.001   Exfiltration over USB
CM-02           Baseline Configuration                        mitigates      T1052.001   Exfiltration over USB
SA-08           Security and Privacy Engineering Principles   mitigates      T1052.001   Exfiltration over USB
CM-07           Least Functionality                           mitigates      T1052.001   Exfiltration over USB
SI-04           System Monitoring                             mitigates      T1052.001   Exfiltration over USB
AC-02           Account Management                            mitigates      T1052.001   Exfiltration over USB
AC-03           Access Enforcement                            mitigates      T1052.001   Exfiltration over USB
AC-06           Least Privilege                               mitigates      T1052.001   Exfiltration over USB

VERIS Mappings

Capability ID                               Capability Description   Mapping Type   ATT&CK ID   ATT&CK Name             Notes
attribute.confidentiality.data_disclosure   None                     related-to     T1052.001   Exfiltration over USB

GCP Mappings

Capability ID     Capability Description        Mapping Type       ATT&CK ID   ATT&CK Name             Notes
cloud_endpoints   Cloud Endpoints               technique_scores   T1052.001   Exfiltration over USB   see Comments below
google_secops     Google Security Operations    technique_scores   T1052.001   Exfiltration over USB   see Comments below

Comments

cloud_endpoints: The Cloud Endpoints capability can prevent exfiltration over USB by disabling USB file transfers on enrolled devices through device-control features.

google_secops: Google Security Operations can raise an alert on events such as "new USB device connected to a system"; the linked YARA-L rule is one example. The capability was scored Minimal for this technique because its detection coverage is low or uncertain: a device-attach event shows that removable media was connected, not that data was written to it.

References

https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral
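As an added example (not content from this page, from Google Security Operations, or from the SOC Prime rule linked above), the following Python expresses the "new USB device connected to a system" detection as runnable logic over sample Windows event records, and goes one step further than a bare plug-in alert by separating mass-storage devices from other USB functions and checking them against an inventory allowlist. The event IDs, field names, sample records and ALLOWLIST are assumptions chosen to mimic Microsoft-Windows-DriverFrameworks-UserMode/Operational events; adjust them to what your collector emits.

```python
"""Flag newly attached USB storage devices in Windows event records.

Added example; not code from the page, from Google Security Operations, or from
the linked SOC Prime YARA-L rule. Every event record below is constructed, and
ALLOWLIST is an assumed stand-in for an organisation's inventory of sanctioned
removable media (compare the mapped NIST CM-08 and MP-07 controls).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed event IDs from Microsoft-Windows-DriverFrameworks-UserMode/Operational,
# logged when a user-mode driver host is asked to load drivers for a device.
USB_PLUG_EVENT_IDS = {2003, 2100, 2102}

# Device instance ID shapes. The separator is "\" in a PnP path and "#" in the
# WPD/SWD form Windows uses for the same stick, so both are accepted.
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&0  -> mass storage
#   USB\VID_<vid>&PID_<pid>\<serial>                               -> any USB function
USBSTOR_RE = re.compile(
    r"USBSTOR[\\#]Disk&Ven_(?P<vendor>[^&\\#]*)&Prod_(?P<product>[^&\\#]*)"
    r"&Rev_(?P<rev>[^\\#]*)[\\#](?P<serial>[^&\\#]+)",
    re.IGNORECASE,
)
USB_RE = re.compile(
    r"USB[\\#]VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})[\\#](?P<serial>[^&\\#]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDevice:
    kind: str      # "storage" (USBSTOR enumerator) or "other"
    vendor: str
    product: str
    serial: str


def parse_instance_id(instance_id: str) -> Optional[UsbDevice]:
    """Extract vendor/product/serial from a Windows device instance ID, or None."""
    m = USBSTOR_RE.search(instance_id)
    if m:
        return UsbDevice("storage", m["vendor"], m["product"], m["serial"])
    m = USB_RE.search(instance_id)
    if m:
        return UsbDevice("other", "VID_" + m["vid"].upper(), "PID_" + m["pid"].upper(), m["serial"])
    return None


def detect_new_usb_storage(events: Iterable[dict], allowlist: Iterable[str]) -> List[dict]:
    """Return one alert per (host, serial) for storage devices not in the allowlist.

    The same stick seen twice (or through two enumerators) yields one alert;
    non-storage USB devices and unrelated event IDs are ignored.
    """
    allowed = {s.upper() for s in allowlist}
    seen = set()
    alerts: List[dict] = []
    for ev in events:
        if ev.get("EventID") not in USB_PLUG_EVENT_IDS:
            continue
        dev = parse_instance_id(ev.get("InstanceId", ""))
        if dev is None or dev.kind != "storage":
            continue
        key = (ev.get("Computer"), dev.serial.upper())
        if key in seen:
            continue
        seen.add(key)
        if dev.serial.upper() in allowed:
            continue
        alerts.append({
            "host": ev.get("Computer"), "time": ev.get("TimeCreated"), "event_id": ev["EventID"],
            "vendor": dev.vendor, "product": dev.product, "serial": dev.serial,
            "rule": "T1052.001 new USB storage device attached",
        })
    return alerts


# Constructed sample records (field names modelled on Windows event XML; not real captures).
SAMPLE_EVENTS = [
    # Unknown SanDisk stick on a workstation: alert.
    {"EventID": 2003, "Computer": "WKS-0142", "TimeCreated": "2024-03-11T09:14:02Z",
     "InstanceId": r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230412345678&0"},
    # Same stick via the WPD enumerator: must not alert a second time.
    {"EventID": 2003, "Computer": "WKS-0142", "TimeCreated": "2024-03-11T09:14:03Z",
     "InstanceId": r"SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_GLIDE&REV_1.00#4C530001230412345678&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}"},
    # Wireless mouse receiver: USB, but not storage.
    {"EventID": 2003, "Computer": "WKS-0142", "TimeCreated": "2024-03-11T09:20:40Z",
     "InstanceId": r"USB\VID_046D&PID_C52B\5&2A1B3C4D&0&2"},
    # Sanctioned drive from the inventory: allowlisted.
    {"EventID": 2003, "Computer": "WKS-0077", "TimeCreated": "2024-03-11T10:02:11Z",
     "InstanceId": r"USBSTOR\Disk&Ven_Kingston&Prod_DT_Vault&Rev_PMAP\CORP-IT-000417&0"},
    # Unrelated process-creation event: ignored.
    {"EventID": 4688, "Computer": "WKS-0077", "TimeCreated": "2024-03-11T10:03:00Z",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # Unknown stick on a database server at night: alert.
    {"EventID": 2100, "Computer": "SRV-DB01", "TimeCreated": "2024-03-11T23:41:57Z",
     "InstanceId": r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\0123456789AB&0"},
]
ALLOWLIST = {"CORP-IT-000417"}  # assumed inventory of sanctioned serials

if __name__ == "__main__":
    for a in detect_new_usb_storage(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{a['time']} {a['host']}: {a['vendor']} {a['product']} serial={a['serial']} (event {a['event_id']})")
```

Run as-is it reports the SanDisk stick on WKS-0142 and the generic stick on SRV-DB01 and nothing else. Like the linked rule, this fires on device attach, which is why the mapping above scores the capability Minimal; to get closer to the exfiltration itself, pair it with file-write telemetry on removable volumes and with the allowlist maintained under the inventory controls in the NIST table.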