T1052.001: Exfiltration over USB
Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Monitoring of events with Windows Security Log ID 6416 in order to detect unauthorized USB device connections.
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
| ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly executed processes when removable media is mounted |
|---|
| ID | DS0016 | Data source and component | Drive: Drive Creation | Description | Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device. |
|---|
| ID | DS0022 | Data source and component | File: File Access | Description | Monitor file access on removable media that may attempt to exfiltrate data over a USB connected physical device. |
|---|
| ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may attempt to exfiltrate data over a USB connected physical device. |
|---|
Mitigation
| ID | M1057 | Name | Data Loss Prevention | Description | Data loss prevention can detect and block sensitive data being copied to USB devices. |
|---|
| ID | M1042 | Name | Disable or Remove Feature or Program | Description | Disable Autorun if it is unnecessary. Disallow or restrict removable media at an organizational policy level if they are not required for business operations. |
|---|
| ID | M1034 | Name | Limit Hardware Installation | Description | Limit the use of USB devices and removable media within a network. |
|---|