title: Exfiltration over USB (T1052.001)
id: df00tech-t1052-001
status: experimental
description: "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems. Threat actors including APT30 (SPACESHIP), ProjectSauron (Remsec), APT28 (USBStealer), Tropic Trooper, Mustang Panda, and malware families like Agent.btz and Machete have all used USB-based exfiltration techniques."
references:
  - https://attack.mitre.org/techniques/T1052/001/
  - https://df00tech.com/detections/T1052.001
author: df00tech
date: 2026/04/17
tags:
  - attack.t1052.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every Windows event and must be replaced before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate IT asset backup operations copying files to external drives for archival or disaster recovery
  - Software developers copying build artifacts or source code to USB drives for air-gapped deployment
  - Users performing authorized transfers of their own work files to external media per company policy
  - "Automated backup software (e.g., Windows Backup, third-party tools) that writes to removable drives on a schedule"
level: high
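The placeholder selection above matches every event, so as an added illustration (not the df00tech rule and not the KQL/SPL logic it references) here is one way to express the core T1052.001 signal in code: a process writing many files to a removable volume in a short window, with the backup tooling named under falsepositives allowlisted. The event shape (modelled on Sysmon Event ID 11 FileCreate), the removable drive map, the allowlist path, and the thresholds are all assumptions.

```python
"""Added example (not the df00tech rule): flag a (user, process) pair that
writes many files to a removable volume within a short window. Event shape,
drive map, allowlist and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: drive letters known to be removable (Win32_LogicalDisk DriveType 2).
REMOVABLE_DRIVES = {"E:"}
# Assumption: backup tooling the falsepositives section expects to write to USB.
ALLOWLIST = {r"C:\Program Files\BackupTool\backup.exe"}

# Constructed records modelled on Sysmon Event ID 11 (FileCreate) fields.
def ev(ts, user, image, target):
    return {"UtcTime": datetime.fromisoformat(ts), "User": user,
            "Image": image, "TargetFilename": target}

SAMPLE_EVENTS = (
    # alice stages six documents onto E: within five minutes -> should alert
    [ev(f"2026-04-17T09:0{i}:00", "CORP\\alice", r"C:\Windows\explorer.exe",
        rf"E:\staging\report{i}.docx") for i in range(6)]
    # same user, same volume of writes, but to the local disk -> no alert
    + [ev(f"2026-04-17T10:0{i}:00", "CORP\\alice", r"C:\Windows\explorer.exe",
          rf"C:\Users\alice\Documents\note{i}.txt") for i in range(6)]
    # scheduled backup tool writing to E: -> suppressed by the allowlist
    + [ev(f"2026-04-17T11:0{i}:00", "NT AUTHORITY\\SYSTEM",
          r"C:\Program Files\BackupTool\backup.exe", rf"E:\backup\vol{i}.bak")
       for i in range(6)]
)

def is_removable(path):
    return path[:2].upper() in REMOVABLE_DRIVES

def detect_bulk_removable_writes(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (user, image) whose writes to removable media reach
    `threshold` within any `window`; allowlisted images are ignored."""
    writes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        if is_removable(e["TargetFilename"]) and e["Image"] not in ALLOWLIST:
            writes[(e["User"], e["Image"])].append(e["UtcTime"])
    alerts = []
    for (user, image), times in writes.items():
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "image": image, "count": end - start + 1,
                               "first": times[start], "last": t})
                break  # one alert per pair is enough; tune to taste
    return alerts
```

Tuning `threshold` and `window` against a baseline of legitimate removable-media use is what keeps the allowlist short.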
