T1052 Exfiltration Over Physical Medium Mappings

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1052 | Exfiltration Over Physical Medium |
| AC-6 | Least Privilege | Protects | T1052 | Exfiltration Over Physical Medium |
| CM-2 | Baseline Configuration | Protects | T1052 | Exfiltration Over Physical Medium |
| CM-6 | Configuration Settings | Protects | T1052 | Exfiltration Over Physical Medium |
| CM-8 | System Component Inventory | Protects | T1052 | Exfiltration Over Physical Medium |
| MP-7 | Media Use | Protects | T1052 | Exfiltration Over Physical Medium |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1052 | Exfiltration Over Physical Medium |
| SC-41 | Port and I/O Device Access | Protects | T1052 | Exfiltration Over Physical Medium |
| SI-3 | Malicious Code Protection | Protects | T1052 | Exfiltration Over Physical Medium |
| SI-4 | System Monitoring | Protects | T1052 | Exfiltration Over Physical Medium |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1052 | Exfiltration Over Physical Medium |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1052.001 | Exfiltration over USB | 11 |