Home/ATT&CK Technique/Exfiltration Over Physical Medium
ATT&CK Technique

Exfiltration Over Physical Medium

T1052 · exfiltration

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device.

The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

LinuxmacOSWindows

Actors Using This

10
chinaAoqin Dragon
israel_private_sector_mobile_forensics_cyber_mercenaryCellebrite
united_statesEquation Group
us_israel_joint_offensive_cyber_speculationGauss
chinaGoblin Panda
chinaMustang Panda
chinaNaikon
suspected_state_aligned_unattributedProject Sauron / Strider
chinaTropic Trooper
chinaUNC4191

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1589.002 · Email Addresses ×3.10T1589 · Gather Victim Identity Information ×2.86
resource-development earlier
T1587.002 · Code Signing Certificates ×2.30
persistence earlier
T1098 · Account Manipulation ×1.94
privilege-escalation earlier
T1546 · Event Triggered Execution ×3.05
discovery earlier
T1120 · Peripheral Device Discovery ×10.20T1012 · Query Registry ×2.09
lateral-movement earlier
T1091 · Replication Through Removable Media ×14.28T1080 · Taint Shared Content ×3.97
collection earlier
T1025 · Data from Removable Media ×9.26
command-and-control earlier
T1071.003 · Mail Protocols ×2.86
exfiltration same
T1052.001 · Exfiltration over USB ×23.80T1029 · Scheduled Transfer ×2.07
other same
T1564 · Hide Artifacts ×2.38T1027.001 · Binary Padding ×2.30

Mitigations

3
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1034Limit Hardware Installation

Prevent unauthorized users or groups from installing or using hardware, such as external drives, peripheral devices, or unapproved internal hardware components, by enforcing hardware usage policies and technical controls. This includes disabling USB ports, restricting driver installation, and implementing endpoint security tools to monitor and block unapproved devices.

Disable USB Ports and Hardware Installation Policies
  • Use Group Policy Objects (GPO) to disable USB mass storage devices:.
  • Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
  • Deny write and read access to USB devices.
  • Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.
Deploy Endpoint Protection and Device Control Solutions
  • Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware.
  • Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.
Harden BIOS/UEFI and System Firmware
  • Set strong passwords for BIOS/UEFI access.
  • Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.
Restrict Peripheral Devices and Drivers
  • Use Windows Device Manager Policies to block installation of unapproved drivers.
  • Monitor hardware installation attempts through endpoint monitoring tools.
Disable Bluetooth and Wireless Hardware
  • Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems.
  • Restrict hardware pairing to approved devices only.
Logging and Monitoring
  • Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager).
  • Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.
Tools for Implementation USB and Device Control
  • Microsoft Group Policy Objects (GPO)
  • Microsoft Defender for Endpoint.
  • Symantec Endpoint Protection.
McAfee Device Control Endpoint Monitoring
  • EDRs.
OSSEC (open-source host-based IDS) Hardware Whitelisting
  • BitLocker for external drives (Windows)
  • Windows Device Installation Policies.
Device Control BIOS/UEFI Security
  • Secure Boot (Windows/Linux) Firmware management tools like Dell Command Update or HP Sure Start.
M1042Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

Remove Legacy Software
  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features
  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users
  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services
  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins
  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
M1057Data Loss Prevention

Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks.

Sensitive Data Categorization
  • Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets).
  • Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.
Exfiltration Restrictions
  • Use Case: Prevent unauthorized transmission of sensitive data.
  • Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.
Data-in-Transit Monitoring
  • Use Case: Detect and prevent the transmission of sensitive data over unapproved channels.
  • Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.
Endpoint Data Protection
  • Use Case: Monitor and control sensitive data usage on endpoints.
  • Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.
Cloud Data Security
  • Use Case: Protect data stored in cloud platforms.
  • Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-02, AC-03, AC-06, AC-16, AC-20, AC-23, CA-07, CM-02, CM-06, CM-07, CM-08, MP-07, RA-05, SA-08, SC-28, SC-41, SI-03, SI-04, SR-04
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin