T1052: Exfiltration Over Physical Medium

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

IDDS0022Data source and componentFile: File AccessDescription

Monitor file access on removable media that may attempt to exfiltrate data via a physical medium, such as a removable drive.

IDDS0016Data source and componentDrive: Drive CreationDescription

Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data via a physical medium, such as a removable drive.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly executed processes when removable media is mounted.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may attempt to exfiltrate data via a physical medium, such as a removable drive.

Mitigation

IDM1034NameLimit Hardware InstallationDescription

Limit the use of USB devices and removable media within a network.

IDM1042NameDisable or Remove Feature or ProgramDescription

Disable Autorun if it is unnecessary. Disallow or restrict removable media at an organizational policy level if they are not required for business operations.

IDM1057NameData Loss PreventionDescription

Data loss prevention can detect and block sensitive data being copied to physical mediums.