216.73.217.22

T1052: Exfiltration Over Physical Medium

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID
T1052
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:12
Author / Source
The MITRE Corporation

Aliases

T1052

Platforms

windows macos linux

Description

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Kill chain phases

Kill chainPhase
mitre-attack exfiltration

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Malware (3)

  • Lumma Stealer uses
    Family
    Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
  • SectopRAT uses
    Family
    Published 26/05/2026 15:20 · Modified 26/05/2026 15:20
  • Xorddos uses
    Family
    Published 14/04/2026 08:54 · Modified 14/04/2026 08:54

Reports (2)

Attack patterns (MITRE) (1)

Course Of Action (3)

  • Limit Hardware Installation mitigates
  • Disable or Remove Feature or Program mitigates
  • Data Loss Prevention mitigates