DET0123: Detection of Data Exfiltration via Removable Media
Analyst context for executives and security teams
This detection strategy matters because removable media can bypass normal network egress controls and can be especially material in restricted, segmented, or air-gapped environments. The supplied ATT&CK context ties it to Exfiltration Over Physical Medium, where USB drives, external disks, phones, or similar devices may be used to remove data or bridge disconnected systems.
Executive priority
Leaders should treat this as a control-validation topic for data loss, insider-risk response, and cyber-physical resilience rather than a purely technical alert. Key decisions include whether removable media use is business-justified, whether exceptions are governed, whether evidence exists for audits and investigations, and whether critical environments can prove both device control and file-movement visibility.
Technical view
Because the detection strategy object has no official description, detection text, platforms, or tactics, teams should anchor validation to the related ATT&CK technique T1052: Exfiltration Over Physical Medium, which sits in the Exfiltration tactic and lists Linux, macOS, and Windows as platforms. SOC and IR teams should confirm they can correlate removable-device connection events with file copy/write activity, sensitive-data locations, user identity, host context, and time-based anomalies. Detection engineering should also account for legitimate administrative, backup, forensic, and operational technology workflows that produce the same telemetry.
Likely telemetry
- Removable media insertion, mounting, and removal events from endpoints
- Endpoint file creation, copy, write, rename, and delete activity involving removable volumes
- Operating system device identifiers, volume labels, serial numbers, and mount paths where available
- User logon/session context tied to device use
- Endpoint security, device control, or data loss prevention policy events
Detection direction
- Validate that endpoint telemetry can distinguish removable media activity from local disk and network share activity.
- Correlate device connection events with unusual volume or sensitivity of files written to removable media.
- Tune for authorized workflows such as backups, field operations, diagnostics, forensics, and administrative maintenance to reduce false positives.
- Prioritize monitoring on systems containing sensitive data, regulated records, critical operational files, or access to segmented environments.
- Check for blind spots on unmanaged hosts, offline systems, air-gapped networks, nonstandard removable devices, and systems where endpoint agents are not present or not logging device activity.
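The correlation described in the list above, as an added example that is not code from MITRE or from Glexia: it walks a stream of endpoint events, opens a session for each removable-device connection, attributes later writes on that host under the device's mount path to the session, ignores writes to local disks and network shares, and raises a summary when the session touched sensitive source paths or moved bulk data. The event shape (ts, host, user, event plus per-event fields), the sensitive roots, the authorized-workflow allowlist, the thresholds and the sample events are all assumptions standing in for whatever the EDR, device-control or DLP feed actually provides.

```python
"""Correlate removable-media sessions with file writes (illustrative, added here)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed sensitive locations and authorized (host, user) workflows; a real
# deployment would pull these from data classification and policy records.
SENSITIVE_ROOTS = ("C:\\Finance\\", "C:\\HR\\", "/srv/records/")
AUTHORIZED = {("bkp-01", "svc_backup")}           # governed backup job
BYTES_THRESHOLD = 50 * 1024 * 1024                # bulk-copy threshold, 50 MiB
SESSION_TIMEOUT = timedelta(hours=2)              # close sessions with no removal event

# Constructed sample telemetry in the assumed normalized shape.
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "host": "ws-17", "user": "alice",
     "event": "device_connected", "serial": "4C530001", "mount": "E:\\"},
    {"ts": "2026-03-02T09:01:10", "host": "ws-17", "user": "alice", "event": "file_write",
     "path": "E:\\q1.xlsx", "source": "C:\\Finance\\q1.xlsx", "bytes": 2_000_000,
     "drive_type": "removable"},
    {"ts": "2026-03-02T09:01:30", "host": "ws-17", "user": "alice", "event": "file_write",
     "path": "\\\\fs01\\share\\q1.xlsx", "source": "C:\\Finance\\q1.xlsx",
     "bytes": 2_000_000, "drive_type": "network"},   # share write: out of scope
    {"ts": "2026-03-02T09:05:00", "host": "ws-17", "user": "alice",
     "event": "device_removed", "serial": "4C530001"},
    {"ts": "2026-03-02T22:00:00", "host": "bkp-01", "user": "svc_backup",
     "event": "device_connected", "serial": "WD9911", "mount": "/media/backup/"},
    {"ts": "2026-03-02T22:10:00", "host": "bkp-01", "user": "svc_backup", "event": "file_write",
     "path": "/media/backup/records.tar", "source": "/srv/records/",
     "bytes": 900_000_000, "drive_type": "removable"},
    {"ts": "2026-03-02T23:00:00", "host": "bkp-01", "user": "svc_backup",
     "event": "device_removed", "serial": "WD9911"},
    {"ts": "2026-03-03T08:00:00", "host": "ws-22", "user": "bob",
     "event": "device_connected", "serial": "SD00042", "mount": "F:\\"},
    {"ts": "2026-03-03T08:02:00", "host": "ws-22", "user": "bob", "event": "file_write",
     "path": "F:\\notes.txt", "source": "C:\\Users\\bob\\notes.txt", "bytes": 4_096,
     "drive_type": "removable"},
]


@dataclass
class Session:
    host: str
    user: str
    serial: str
    mount: str
    last_seen: datetime
    files: int = 0
    total_bytes: int = 0
    sensitive: list = field(default_factory=list)


def correlate(events):
    """Return (alerts, suppressed): flagged sessions, split by the allowlist."""
    open_sessions = {}                      # (host, serial) -> Session
    closed = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        # Expire sessions that never saw a removal event (agent gap, hard unplug).
        for key in [k for k, s in open_sessions.items() if t - s.last_seen > SESSION_TIMEOUT]:
            closed.append(open_sessions.pop(key))
        if ev["event"] == "device_connected":
            open_sessions[(ev["host"], ev["serial"])] = Session(
                ev["host"], ev["user"], ev["serial"], ev["mount"], t)
        elif ev["event"] == "file_write":
            if ev.get("drive_type") != "removable":
                continue                    # local disk / network share: not this detection
            for s in open_sessions.values():
                if s.host == ev["host"] and ev["path"].startswith(s.mount):
                    s.files += 1
                    s.total_bytes += ev["bytes"]
                    s.last_seen = t
                    if ev.get("source", "").startswith(SENSITIVE_ROOTS):
                        s.sensitive.append(ev["source"])
                    break
        elif ev["event"] == "device_removed":
            s = open_sessions.pop((ev["host"], ev["serial"]), None)
            if s is not None:
                closed.append(s)
    closed.extend(open_sessions.values())   # still-open sessions at end of stream

    alerts, suppressed = [], []
    for s in closed:
        if not s.sensitive and s.total_bytes <= BYTES_THRESHOLD:
            continue
        summary = {"host": s.host, "user": s.user, "serial": s.serial, "files": s.files,
                   "bytes": s.total_bytes, "sensitive_sources": s.sensitive,
                   "reason": "sensitive source" if s.sensitive else "bulk write"}
        (suppressed if (s.host, s.user) in AUTHORIZED else alerts).append(summary)
    return alerts, suppressed


if __name__ == "__main__":
    found, allowed = correlate(EVENTS)
    for a in found:
        print("ALERT", a)
    for a in allowed:
        print("suppressed (authorized workflow)", a)
```

Running this over the constructed events yields one alert (alice on ws-17, a file sourced from the Finance directory written to serial 4C530001; the copy of the same file to the network share is deliberately excluded so that the removable-media path stays separable from share egress), one suppressed entry for the allowlisted backup job, and nothing for the small non-sensitive write on ws-22. Keeping suppressed sessions rather than discarding them preserves the audit trail the mitigation bullets below ask for.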
Mitigation priorities
- Establish policy for when removable media is allowed, prohibited, or exception-based.
- Enforce device control and least-privilege access for systems handling sensitive or critical data.
- Require logging and retention for removable media events sufficient for incident response and compliance evidence.
- Segment and harden high-value or air-gapped environments where physical media could become an exfiltration path or transfer bridge.
- Review business processes that depend on removable storage and replace them with governed transfer mechanisms where feasible.
Analyst notes and limits
The ATT&CK object is a detection strategy for DET0123 and only provides relationship context to T1052. The strongest practical use is as a coverage-assessment prompt: can the organization prove who used removable media, on which system, with what data movement, and under what approved business reason?
Because the object carries no official description, detection guidance, tactics, platforms, or labels, any concrete detection logic, severity model, or platform-specific implementation has to come from local telemetry and policy context beyond the supplied ATT&CK fields.
Detection of Data Exfiltration via Removable Media
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1052 | Exfiltration Over Physical Medium | This object detects Exfiltration Over Physical Medium. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 81582300e963… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0123 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.