title: Exfiltration Over Physical Medium (T1052)
id: df00tech-t1052
status: experimental
description: "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems."
references:
  - https://attack.mitre.org/techniques/T1052/
  - https://df00tech.com/detections/T1052
author: df00tech
date: 2026/04/16
tags:
  - attack.t1052
# NOTE: logsource is auto-derived and sets only `product`; no `category` or `service`
# is given, so add the channel(s) your backend actually collects (e.g. Security, Sysmon)
# before use.
logsource:
  product: windows
detection:
  # Placeholder only: the detection logic could not be auto-translated to Sigma, and the
  # selection below matches EVERY Windows event. Deploying it as-is (at level: high) would
  # alert on all input. See the KQL/SPL query on df00tech for the intended logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators performing legitimate data backups to external drives as part of scheduled maintenance procedures
  - Employees transferring personal files to USB drives at the end of their workday for personal use (common without DLP policy enforcement)
  - Software developers deploying compiled builds or configuration files to USB drives for air-gapped test environments
  - "Help desk technicians using bootable USB drives (Ventoy, Rufus) that trigger mount events and may include file operations during imaging workflows"
  - Authorized data migration projects where large volumes of files are moved to external media under change management
level: high

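The Sigma body above is a placeholder, so the following is an added, illustrative correlation for this technique and is not df00tech's published KQL/SPL or part of the original rule. It joins Windows Security event 6416 ("A new external device was recognized by the system") for a USB mass-storage device with a burst of Sysmon event 11 (FileCreate) records on the same host, then applies an allow-list that reflects the false-positive entries above. Field names follow the real 6416 and Sysmon 11 schemas; the 30-minute window, the five-file threshold, the "any drive letter other than C: is removable" heuristic, the `CORP\svc_backup` allow-listed account and the sample events are all constructed assumptions for the example and must be tuned (in production, map the 6416 device to its mounted volume instead of guessing by drive letter).

```python
"""Correlate a USB disk arrival (Security 6416) with file writes to it (Sysmon 11).

Added example, not df00tech's detection logic. Window, threshold, drive-letter
heuristic, allow-list and sample events are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
WINDOW = timedelta(minutes=30)             # assumption: plug-in to write burst
MIN_FILES = 5                              # assumption: writes needed before alerting
SYSTEM_DRIVES = {"C:"}                     # assumption: any other letter is removable
ALLOWLISTED_USERS = {"CORP\\svc_backup"}   # assumption: scheduled backup account (see falsepositives)
DRIVE_RE = re.compile(r"^([A-Za-z]:)\\")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def drive_of(path):
    """Drive letter of a local path ('E:'), or None for UNC/relative paths."""
    m = DRIVE_RE.match(path)
    return m.group(1).upper() if m else None


def is_usb_storage(ev):
    """6416 for a USB mass-storage device: DiskDrive class with a USBSTOR instance id."""
    return (ev["Channel"] == "Security" and ev["EventID"] == 6416
            and ev.get("ClassName") == "DiskDrive"
            and ev.get("DeviceId", "").upper().startswith("USBSTOR\\"))


def detect(events):
    """One alert per (host, user) writing MIN_FILES+ files to a non-system drive
    within WINDOW after a USB disk was recognized on that host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["UtcTime"])):
        by_host[ev["Computer"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, dev in enumerate(evs):
            if not is_usb_storage(dev):
                continue
            t0 = parse_ts(dev["UtcTime"])
            writes = defaultdict(list)            # user -> [TargetFilename]
            for ev in evs[i + 1:]:
                if parse_ts(ev["UtcTime"]) - t0 > WINDOW:
                    break                          # events are sorted; nothing later qualifies
                if ev["Channel"] != SYSMON or ev["EventID"] != 11:
                    continue
                d = drive_of(ev.get("TargetFilename", ""))
                if d and d not in SYSTEM_DRIVES:
                    writes[ev.get("User", "")].append(ev["TargetFilename"])
            for user, files in writes.items():
                if user in ALLOWLISTED_USERS or len(files) < MIN_FILES:
                    continue
                alerts.append({"host": host, "user": user, "files": len(files),
                               "device": dev.get("DeviceDescription", dev["DeviceId"]),
                               "sample": files[:3]})
    return alerts


def _create(host, ts, user, path):
    return {"Channel": SYSMON, "EventID": 11, "Computer": host, "UtcTime": ts,
            "User": user, "Image": r"C:\Windows\explorer.exe", "TargetFilename": path}


def _device(host, ts, cls, dev_id, desc):
    return {"Channel": "Security", "EventID": 6416, "Computer": host, "UtcTime": ts,
            "ClassName": cls, "DeviceId": dev_id, "DeviceDescription": desc}


# Constructed sample log for this example, not captured from real hosts.
SAMPLE_EVENTS = [
    # WS-0142: USB disk arrives, then six HR files land on E: within minutes -> alert
    _device("WS-0142", "2026-04-16 09:02:11", "DiskDrive",
            r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001&0", "SanDisk Cruzer USB Device"),
    *[_create("WS-0142", f"2026-04-16 09:{3 + n:02d}:00", "CORP\\jdoe", rf"E:\hr\payroll_{n}.xlsx")
      for n in range(6)],
    _create("WS-0142", "2026-04-16 09:04:30", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\tmp1.dat"),
    _create("WS-0142", "2026-04-16 10:30:00", "CORP\\jdoe", r"E:\late.txt"),   # outside WINDOW
    # WS-0200: nightly backup by an allow-listed service account -> suppressed
    _device("WS-0200", "2026-04-16 22:00:00", "DiskDrive",
            r"USBSTOR\Disk&Ven_WD&Prod_Elements&Rev_1012\5758330001&0", "WD Elements USB Device"),
    *[_create("WS-0200", f"2026-04-16 22:{1 + n:02d}:00", "CORP\\svc_backup", rf"F:\backup\fs01_{n}.vhdx")
      for n in range(8)],
    # WS-0300: a USB keyboard (HID, not storage) followed by writes to D: -> no alert
    _device("WS-0300", "2026-04-16 10:00:00", "HIDClass",
            r"HID\VID_046D&PID_C31C&MI_00\7&1A2B3C4D&0&0000", "USB Input Device"),
    *[_create("WS-0300", f"2026-04-16 10:{1 + n:02d}:00", "CORP\\asmith", rf"D:\scratch\out_{n}.bin")
      for n in range(6)],
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Only the WS-0142 activity alerts: the backup host is suppressed by the allow-list and the keyboard on WS-0300 never satisfies the DiskDrive/USBSTOR check. Removing the allow-list or lowering `MIN_FILES` reproduces the false positives listed in the rule, which is the point of carrying that list into the logic rather than leaving it as prose.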