Collection

T1025: Data from Removable Media

T1025 · Technique · 3 platforms · 4 groups

Description

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media.
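As an added defender-side illustration (not part of the ATT&CK page), the detector below correlates a removable-volume mount with a burst of file reads from that volume by an interactive shell such as cmd.exe, which is the behaviour the description calls out. The event format, field names, thresholds and sample telemetry are all constructed for this example; map them onto your own EDR or Sysmon fields.

```python
import ntpath
from collections import defaultdict

# Hypothetical tuning values; adjust to the environment's baseline.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}
WINDOW_SECONDS = 60   # reads must occur this soon after the mount to count
MIN_FILES = 5         # distinct files a shell must read from the volume to alert

def parse_event(line):
    """Constructed pipe-delimited format: ts|kind|pid|image|detail."""
    ts, kind, pid, image, detail = line.split("|", 4)
    return {"ts": int(ts), "kind": kind, "pid": int(pid), "image": image, "detail": detail}

def detect_removable_collection(lines):
    """Return alerts for shell processes reading many files from a freshly mounted removable volume."""
    mounts = {}               # drive letter -> mount timestamp (removable volumes only)
    reads = defaultdict(set)  # (pid, image, drive) -> distinct files read within the window
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["kind"] == "VolumeMount":
            drive, media = ev["detail"].split()
            if media == "removable":
                mounts[drive.upper()] = ev["ts"]
        elif ev["kind"] == "FileRead":
            drive = ntpath.splitdrive(ev["detail"])[0].upper()
            image = ntpath.basename(ev["image"]).lower()
            if drive in mounts and image in SHELL_IMAGES and ev["ts"] - mounts[drive] <= WINDOW_SECONDS:
                reads[(ev["pid"], image, drive)].add(ev["detail"].lower())
    return [{"pid": p, "image": i, "drive": d, "files": len(f)}
            for (p, i, d), f in reads.items() if len(f) >= MIN_FILES]

# Constructed sample telemetry: one shell reads five files right after a USB mount,
# a backup agent reads one (not a shell), and a later read falls outside the window.
SAMPLE_EVENTS = r"""
100|VolumeMount|4|System|E: removable
101|ProcessCreate|4120|C:\Windows\System32\cmd.exe|cmd.exe
102|FileRead|4120|C:\Windows\System32\cmd.exe|E:\finance\q3.xlsx
103|FileRead|4120|C:\Windows\System32\cmd.exe|E:\finance\q4.xlsx
104|FileRead|4120|C:\Windows\System32\cmd.exe|E:\hr\salaries.docx
105|FileRead|4120|C:\Windows\System32\cmd.exe|E:\legal\nda.pdf
106|FileRead|4120|C:\Windows\System32\cmd.exe|E:\legal\contract.pdf
107|FileRead|5001|C:\Program Files\Backup\backup.exe|E:\legal\nda.pdf
130|FileRead|4120|C:\Windows\System32\cmd.exe|C:\Users\bob\todo.txt
200|FileRead|4120|C:\Windows\System32\cmd.exe|E:\old\notes.txt
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_removable_collection(SAMPLE_EVENTS):
        print("possible T1025 collection:", alert)
```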

Platforms

Linux, macOS, Windows

Mitigations (1)

M1057: Data Loss Prevention

Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.

Threat Groups (4)

| ID | Group | Context |
| --- | --- | --- |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used Wireshark’s usbcapcmd utility to capture USB traffic. (Citation: Symantec Crambus OCT 2023) |
| G0047 | Gamaredon Group | A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer has the capability to steal data from newly connected logical volumes on a sys... |
| G0007 | APT28 | An [APT28](https://attack.mitre.org/groups/G0007) backdoor may collect the entire contents of an inserted USB device. (Citation: Microsoft SIR Vol 19) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors can collect files from USB thumb drives. (Citation: ESET Turla PowerShell May 2019)(Citati... |

Associated Software (20)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0136 | USBStealer | Malware | Once a removable media device is inserted back into the first victim, [USBStealer](https://attack.mitre.org/software/S0136) collects data from it that... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can collect jpeg files from connected MTP devices. (Citation: ESET InvisiMole June 2020) |
| S0456 | Aria-body | Malware | [Aria-body](https://attack.mitre.org/software/S0456) has the ability to collect data from USB devices. (Citation: CheckPoint Naikon May 2020) |
| S0569 | Explosive | Malware | [Explosive](https://attack.mitre.org/software/S0569) can scan all .exe files located in the USB drive. (Citation: CheckPoint Volatile Cedar March 2015)... |
| S0237 | GravityRAT | Malware | [GravityRAT](https://attack.mitre.org/software/S0237) steals files based on an extension list if a USB drive is connected to the system. (Citation: Tal... |
| S0090 | Rover | Malware | [Rover](https://attack.mitre.org/software/S0090) searches for files on attached removable drives based on a predefined list of file extensions every f... |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim mac... |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) has a package that collects documents from any inserted USB sticks. (Citation: Kaspersky ProjectSauro... |
| S0128 | BADNEWS | Malware | [BADNEWS](https://attack.mitre.org/software/S0128) copies files with certain extensions from USB devices to a predefined directory. (Citation: TrendMic... |
| S0113 | Prikormka | Malware | [Prikormka](https://attack.mitre.org/software/S0113) contains a module that collects documents with certain extensions from removable media or fixed d... |
| S0538 | Crutch | Malware | [Crutch](https://attack.mitre.org/software/S0538) can monitor removable drives and exfiltrate files matching a given extension list. (Citation: ESET Cr... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) contains a module to collect data from removable drives. (Citation: Proofpoint Operation Transparent... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) can find, encrypt, and upload files from fixed and removable drives. (Citation: Cylance Machete Mar ... |
| S0644 | ObliqueRAT | Malware | [ObliqueRAT](https://attack.mitre.org/software/S0644) has the ability to extract data from removable devices connected to the endpoint. (Citation: Talo... |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal written CD images and files of interest from previously connected removab... |
| S0036 | FLASHFLOOD | Malware | [FLASHFLOOD](https://attack.mitre.org/software/S0036) searches for interesting files (either a default or customized set of file extensions) on remova... |
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) can find and collect data from removable media devices. (Citation: Malwarebytes Kimsuky June 2021)... |
| S1044 | FunnyDream | Malware | The [FunnyDream](https://attack.mitre.org/software/S1044) FilePakMonitor component has the ability to collect files from removable devices. (Citation: ... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can collect data from removable media and stage it for exfiltration. (Citation: Eset Ramsay May 2020)... |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) steals user files from removable media with file extensions and keywords that match a predefined... |

Frequently Asked Questions

What is T1025 (Data from Removable Media)?

T1025 is a MITRE ATT&CK technique named 'Data from Removable Media'. It belongs to the Collection tactic. Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory,...

How can T1025 be detected?

Detection of T1025 (Data from Removable Media) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1025?

There is 1 documented mitigation for T1025: Data Loss Prevention (M1057).

Which threat groups use T1025?

Known threat groups using T1025 include: OilRig, Gamaredon Group, APT28, Turla.