Description
Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Platforms
Mitigations (3)
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control) |
| M1034 | Limit Hardware Installation | Limit the use of USB devices and removable media within a network. |
| M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being copied to USB devices. |
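The two policy-level mitigations above (Autorun disabled, removable media disallowed or restricted) can be audited on a Windows host. The PowerShell below is an added example, not part of the ATT&CK entry or the cited Microsoft documents; it assumes the standard registry locations written by the "Turn off Autoplay" and "Removable Storage Access" Group Policy settings, and that `{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}` is the Removable Disks device-class GUID used by the latter.

```powershell
# Added example: audit M1042 (Autorun off) and M1034 (removable storage
# restricted) via the registry values the corresponding Group Policies write.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # key or value not present: policy not configured
    }
}

function Test-UsbExfilMitigations {
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $rsd      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # Assumed Removable Disks device-class GUID used by "Removable Storage Access"
    $removableDisks = "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

    # M1042: Autorun is off for every drive type when all 8 bits are set (0xFF)
    $noDrive    = Get-RegistryDword $explorer 'NoDriveTypeAutoRun'
    $autorunOff = ($null -ne $noDrive) -and (($noDrive -band 0xFF) -eq 0xFF)

    # M1034: either all removable storage classes are denied, or at least
    # writes to removable disks are denied (the copy-out path for this technique)
    $denyAll   = Get-RegistryDword $rsd 'Deny_All'
    $denyWrite = Get-RegistryDword $removableDisks 'Deny_Write'
    $removableRestricted = ($denyAll -eq 1) -or ($denyWrite -eq 1)

    [pscustomobject]@{
        Host                             = $env:COMPUTERNAME
        NoDriveTypeAutoRun               = $(if ($null -ne $noDrive) { '0x{0:X2}' -f $noDrive } else { 'not set' })
        AutorunDisabled_M1042            = $autorunOff
        RemovableStorage_Deny_All        = $denyAll
        RemovableDisks_Deny_Write        = $denyWrite
        RemovableStorageRestricted_M1034 = $removableRestricted
        Compliant                        = ($autorunOff -and $removableRestricted)
    }
}

Test-UsbExfilMitigations | Format-List
```

A `Compliant = False` result on a host that should not accept removable media is a configuration gap worth raising, since neither policy alone covers the DLP mitigation (M1057), which needs a separate control.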
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has exfiltrated data using USB storage devices.(Citation: TrendMicro Tropic Trooper May 2020) |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used a customized [PlugX](https://attack.mitre.org/software/S0013) variant which could exfi... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0035 | SPACESHIP | Malware | [SPACESHIP](https://attack.mitre.org/software/S0035) copies staged data to removable drives when they are inserted into the system.(Citation: FireEye ... |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) contains a module to move data from airgapped networks to Internet-connected systems by using a remo... |
| S0136 | USBStealer | Malware | [USBStealer](https://attack.mitre.org/software/S0136) exfiltrates collected files via removable media from air-gapped victims.(Citation: ESET Sednit U... |
| S0092 | Agent.btz | Malware | [Agent.btz](https://attack.mitre.org/software/S0092) creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) has a feature to copy files from every drive onto a removable drive in a hidden folder.(Citation: E... |
Frequently Asked Questions
What is T1052.001 (Exfiltration over USB)?
T1052.001 is a MITRE ATT&CK technique named 'Exfiltration over USB'. It belongs to the Exfiltration tactic. Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduce...
How can T1052.001 be detected?
Detection of T1052.001 (Exfiltration over USB) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1052.001?
There are 3 documented mitigations for T1052.001. Key mitigations include: Disable or Remove Feature or Program, Limit Hardware Installation, Data Loss Prevention.
Which threat groups use T1052.001?
Known threat groups using T1052.001 include: Tropic Trooper, Mustang Panda.