Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1052 | Exfiltration Over Physical Medium |
| AC-6 | Least Privilege | Protects | T1052 | Exfiltration Over Physical Medium |
| CM-2 | Baseline Configuration | Protects | T1052 | Exfiltration Over Physical Medium |
| CM-6 | Configuration Settings | Protects | T1052 | Exfiltration Over Physical Medium |
| CM-8 | System Component Inventory | Protects | T1052 | Exfiltration Over Physical Medium |
| MP-7 | Media Use | Protects | T1052 | Exfiltration Over Physical Medium |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1052 | Exfiltration Over Physical Medium |
| SC-41 | Port and I/O Device Access | Protects | T1052 | Exfiltration Over Physical Medium |
| SI-3 | Malicious Code Protection | Protects | T1052 | Exfiltration Over Physical Medium |
| SI-4 | System Monitoring | Protects | T1052 | Exfiltration Over Physical Medium |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1052 | Exfiltration Over Physical Medium |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1052.001 | Exfiltration over USB | 11 |