T1052.001 Exfiltration over USB

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1052.001 | Exfiltration over USB
  Comments: This diagnostic statement protects against Exfiltration over USB through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
DE.CM-01.04 | Unauthorized device connection | Mitigates | T1052.001 | Exfiltration over USB
  Comments: This diagnostic statement provides protection from exfiltration of data via a physical medium, such as a removable drive, by using tools to detect and block the use of unauthorized devices.
PR.DS-01.02 | Data loss prevention | Mitigates | T1052.001 | Exfiltration over USB
  Comments: The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
PR.DS-10.01 | Data-in-use protection | Mitigates | T1052.001 | Exfiltration over USB
  Comments: This diagnostic statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats.
PR.PS-01.08 | End-user device protection | Mitigates | T1052.001 | Exfiltration over USB
  Comments: This diagnostic statement protects against Exfiltration over USB by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1052.001 | Exfiltration over USB
CM-06 | Configuration Settings | mitigates | T1052.001 | Exfiltration over USB
MP-07 | Media Use | mitigates | T1052.001 | Exfiltration over USB
SC-41 | Port and I/O Device Access | mitigates | T1052.001 | Exfiltration over USB
AC-23 | Data Mining Protection | mitigates | T1052.001 | Exfiltration over USB
SR-04 | Provenance | mitigates | T1052.001 | Exfiltration over USB
SC-28 | Protection of Information at Rest | mitigates | T1052.001 | Exfiltration over USB
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1052.001 | Exfiltration over USB
CM-08 | System Component Inventory | mitigates | T1052.001 | Exfiltration over USB
SI-03 | Malicious Code Protection | mitigates | T1052.001 | Exfiltration over USB
AC-16 | Security and Privacy Attributes | mitigates | T1052.001 | Exfiltration over USB
AC-20 | Use of External Systems | mitigates | T1052.001 | Exfiltration over USB
CM-02 | Baseline Configuration | mitigates | T1052.001 | Exfiltration over USB
SA-08 | Security and Privacy Engineering Principles | mitigates | T1052.001 | Exfiltration over USB
CM-07 | Least Functionality | mitigates | T1052.001 | Exfiltration over USB
SI-04 | System Monitoring | mitigates | T1052.001 | Exfiltration over USB
AC-02 | Account Management | mitigates | T1052.001 | Exfiltration over USB
AC-03 | Access Enforcement | mitigates | T1052.001 | Exfiltration over USB
AC-06 | Least Privilege | mitigates | T1052.001 | Exfiltration over USB

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
attribute.confidentiality.data_disclosure | None | related-to | T1052.001 | Exfiltration over USB

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
cloud_endpoints | Cloud Endpoints | technique_scores | T1052.001 | Exfiltration over USB
  Comments: The Cloud Endpoints capability can prevent exfiltration over USB by disabling USB file transfers on enrolled devices through features like device control.
google_secops | Google Security Operations | technique_scores | T1052.001 | Exfiltration over USB
  Comments: Google Security Ops is able to trigger an alert based on events such as "new USB device is connected to a system". This technique was scored as minimal based on a low or uncertain detection coverage factor.
  References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral