Exfiltration Over Physical Medium (T1052)

Tactic: Exfiltration

Tactics: Exfiltration
Platforms: Linux, macOS, Windows
Reference: attack.mitre.org/techniques/T1052

Description

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Sub-techniques

T1052.001 — Exfiltration over USB

How GTK Cyber trains on this

GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Exfiltration tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.

Threat Hunting with Data Science → · All training courses

Related techniques

Train your team to detect attacks like this.

GTK Cyber's Threat Hunting with Data Science course is taught by practitioners who detect this stuff for a living.

Explore Threat Hunting Training