Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1052.001 | Exfiltration over USB | |
| AC-6 | Least Privilege | Protects | T1052.001 | Exfiltration over USB | |
| CM-2 | Baseline Configuration | Protects | T1052.001 | Exfiltration over USB | |
| CM-6 | Configuration Settings | Protects | T1052.001 | Exfiltration over USB | |
| CM-8 | System Component Inventory | Protects | T1052.001 | Exfiltration over USB | |
| MP-7 | Media Use | Protects | T1052.001 | Exfiltration over USB | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1052.001 | Exfiltration over USB | |
| SC-41 | Port and I/O Device Access | Protects | T1052.001 | Exfiltration over USB | |
| SI-3 | Malicious Code Protection | Protects | T1052.001 | Exfiltration over USB | |
| SI-4 | System Monitoring | Protects | T1052.001 | Exfiltration over USB |