T1052: Exfiltration Over Physical Medium

Data from MITRE ATT&CK®:

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Data Loss Prevention

Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)

Limit Hardware Installation

Block users or groups from installing or using unapproved hardware on systems, including USB devices.

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Drive Creation (Drive)

Initial construction of a drive letter or mount point to a data storage device

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )