← Back to Explore
T1052
Exfiltration Over Physical Medium
Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
LinuxmacOSWindows
6
Detections
2
Sources
0
Threat Actors
BY SOURCE
4elastic2crowdstrike_cql
PROCEDURES (4)
General Monitoring2 detections
Auto-extracted: 2 detections for general monitoring
Unusual1 detections
Auto-extracted: 1 detections for unusual
Registry Monitoring1 detections
Auto-extracted: 1 detections for registry monitoring
Unusual1 detections
Auto-extracted: 1 detections for unusual
DETECTIONS (6)
Detect Data Exfiltration via external storage devices
crowdstrike_cql
Detect Data Exfiltration via external storage devices
crowdstrike_cql
First Time Seen Removable Device
elasticlow
New USB Storage Device Mounted
elasticlow
Spike in Bytes Sent to an External Device
elasticlow
Unusual Process Writing Data to an External Device
elasticlow