MITRE ATT&CK® Detection Strategy

DET0220: Detection of USB-Based Data Exfiltration


Enterprise | DET0220 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0220 is a detection strategy for spotting data exfiltration to USB devices, mapped to ATT&CK technique T1052.001. Its business significance is that USB transfer can bypass network-focused monitoring and may be especially material in restricted or air-gapped environments where removable media can become the final path for data leaving the organization.

Executive priority

Leaders should treat this as a control-validation question: can the organization prove when removable media is connected, what data is written to it, by whom, and on which systems? This matters for incident decisions, insider-risk investigations, audit evidence, data-loss prevention, and operational resilience in environments where disconnected systems or sensitive workstations exist. Budget and governance discussions should focus on whether USB use is required for operations, where exceptions are allowed, and whether monitoring and response processes cover those exceptions.

Technical view

The supplied ATT&CK object has no official description, platforms, tactics, or detection text, but its relationship states that it detects T1052.001, Exfiltration over USB, under the exfiltration tactic and related to Linux, Windows, and macOS. SOC and detection engineering teams should validate whether endpoint telemetry can correlate removable-device insertion or mount events with file writes, bulk copy behavior, sensitive file access, user identity, host role, and device identifiers. IR teams should confirm they can reconstruct a timeline showing device connection, files staged or copied, user/session context, and whether the device moved between otherwise disconnected systems.

Likely telemetry

  • USB/removable media insertion, mount, unmount, and device identifier events
  • Endpoint file creation, modification, copy, and write events on removable volumes
  • EDR or host audit telemetry tying process activity to removable media paths
  • User logon/session context associated with the host at time of transfer
  • Asset inventory and host criticality for systems where removable media is permitted or prohibited

Detection direction

  • Validate that USB activity is logged on systems where the related technique platforms are relevant: Windows, Linux, and macOS.
  • Prioritize correlation over single events: device connection plus meaningful file writes is more useful than device insertion alone.
  • Tune for legitimate business workflows such as backups, imaging, field operations, lab transfers, and approved administrative media use to reduce false positives.
  • Create higher-priority logic for sensitive hosts, restricted networks, unusual users, after-hours activity, large transfers, repeated copy operations, or newly observed device identifiers.
  • Check blind spots where network DLP will not see the transfer, especially air-gapped or intermittently connected systems.
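As an added illustration of the correlation point above (example code, not part of the Glexia or MITRE page), this Python script joins constructed mount events with the file writes that land on the mounted volume and attaches the priority flags the list names; the business-hours window, byte threshold, host names and device identifiers are all assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page): removable-media mounts
# and file writes, in the shape an EDR or host-audit pipeline might emit.
EVENTS = [
    {"ts": "2024-03-01T09:02:11", "type": "mount", "host": "ws-17", "user": "alice",
     "device_id": "USB\\VID_0781&PID_5581\\4C53", "mount": "E:\\"},
    {"ts": "2024-03-01T09:03:40", "type": "write", "host": "ws-17", "user": "alice",
     "path": "E:\\q1\\customers.xlsx", "bytes": 52_000_000},
    {"ts": "2024-03-01T09:04:02", "type": "write", "host": "ws-17", "user": "alice",
     "path": "E:\\q1\\contracts.zip", "bytes": 210_000_000},
    {"ts": "2024-03-01T09:05:30", "type": "write", "host": "ws-17", "user": "alice",
     "path": "C:\\Users\\alice\\notes.txt", "bytes": 2_000},        # not on the removable volume
    {"ts": "2024-03-01T12:00:00", "type": "mount", "host": "ws-22", "user": "carol",
     "device_id": "USB\\VID_0781&PID_5581\\4C53", "mount": "D:\\"},  # insertion with no writes
    {"ts": "2024-03-01T22:10:00", "type": "mount", "host": "lab-03", "user": "bob",
     "device_id": "USB\\VID_0951&PID_1666\\E0D5", "mount": "E:\\"},
    {"ts": "2024-03-01T22:11:15", "type": "write", "host": "lab-03", "user": "bob",
     "path": "E:\\tools.iso", "bytes": 1_000},
]


def correlate(events, window=timedelta(minutes=30), min_bytes=100_000_000,
              known_devices=frozenset(), sensitive_hosts=frozenset()):
    # Join each mount with writes on its volume within `window`; a mount with
    # no correlated writes yields nothing, so insertion alone never alerts.
    alerts = []
    for m in (e for e in events if e["type"] == "mount"):
        t0 = datetime.fromisoformat(m["ts"])
        writes = [w for w in events
                  if w["type"] == "write" and w["host"] == m["host"]
                  and w["path"].startswith(m["mount"])
                  and t0 <= datetime.fromisoformat(w["ts"]) <= t0 + window]
        if not writes:
            continue
        total = sum(w["bytes"] for w in writes)
        flags = []
        if total >= min_bytes:
            flags.append("bulk_transfer")
        if not 7 <= t0.hour < 19:          # assumed business hours 07:00-19:00
            flags.append("after_hours")
        if m["device_id"] not in known_devices:
            flags.append("new_device")
        if m["host"] in sensitive_hosts:
            flags.append("sensitive_host")
        alerts.append({"host": m["host"], "user": m["user"], "device_id": m["device_id"],
                       "files": len(writes), "bytes": total, "flags": flags})
    return alerts
```

The flag list is what a triage queue would sort on: two flags or more on a sensitive host is worth an analyst's time before a single large daytime copy by a known device.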

Mitigation priorities

  • Define where removable media is allowed, prohibited, or exception-based, and align monitoring to that policy.
  • Implement device-control and DLP controls where operationally feasible, with documented exceptions for required business use.
  • Reduce unnecessary USB access on sensitive systems and disconnected environments; pair exceptions with logging and review.
  • Maintain asset and data classification so SOC teams can prioritize USB activity involving high-value systems or sensitive data.
  • Prepare IR procedures for USB exfiltration investigations, including evidence preservation, device identification, user interviews, and scope review across hosts.

Analyst notes and limits

This take is derived from the detection strategy object DET0220 and its relationship to T1052.001, Exfiltration over USB. Because the official detection strategy fields are sparse, the most actionable value comes from validating telemetry and controls around the related USB exfiltration behavior rather than relying on ATT&CK-provided detection logic.

The ATT&CK object does not provide an official description, detection guidance, platforms, or tactics for DET0220 itself. Platform references come only from the related technique T1052.001. Local operating system configuration, endpoint tooling, DLP/device-control coverage, and removable media business processes are required to determine actual detection and mitigation coverage.

Official MITRE ATT&CK definition

Detection of USB-Based Data Exfiltration

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                   Relationship / procedure
Enterprise  T1052.001  Exfiltration over USB  Sub-technique. This object detects Exfiltration over USB.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created: not recorded in this snapshot
Modified: not recorded in this snapshot
Raw hash: 4c16ae21539a3fa1...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  4c16ae21539a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0220 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.