1. Home
  2. ATT&CK Techniques
  3. T1052
Exfiltration

T1052: Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical...

T1052 · Technique ·3 platforms

Description

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Platforms

LinuxmacOSWindows

Sub-Techniques (1)

T1052.001

Exfiltration over USB

Mitigations (3)

Data Loss PreventionM1057

Data loss prevention can detect and block sensitive data being copied to physical mediums.

Limit Hardware InstallationM1034

Limit the use of USB devices and removable media within a network.

Disable or Remove Feature or ProgramM1042

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)

Frequently Asked Questions

What is T1052 (Exfiltration Over Physical Medium)?

T1052 is a MITRE ATT&CK technique named 'Exfiltration Over Physical Medium'. It belongs to the Exfiltration tactic(s). Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical...

How can T1052 be detected?

Detection of T1052 (Exfiltration Over Physical Medium) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1052?

There are 3 documented mitigations for T1052. Key mitigations include: Data Loss Prevention, Limit Hardware Installation, Disable or Remove Feature or Program.

Which threat groups use T1052?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.