ITM is an open framework - Submit your contributions now.

Infringement

Account Sharing

Service Account Sharing

Data Loss

Denial of Service

Disruption of Business Operations

Excessive Personal Use

Exfiltration via Email

Exfiltration via Media Capture

Exfiltration via Messaging Applications

Exfiltration via Other Network Medium

Exfiltration via Physical Medium

Exfiltration via Screen Sharing

Exfiltration via Web Service

Harassment and Discrimination

Inappropriate Web Browsing

Installing Malicious Software

Installing Unapproved Software

Misappropriation of Funds

Non-Corporate Device

Providing Access to a Unauthorized Third Party

Public Statements Resulting in Brand Damage

Regulatory Non-Compliance

Sharing on AI Chatbot Platforms

Theft

Unauthorized Changes to IT Systems

Unauthorized Printing of Documents

Unauthorized VPN Client

Unlawfully Accessing Copyrighted Material

ID: IF002
Created: 31st May 2024
Updated: 23rd October 2025
MITRE ATT&CK®: T1052T1052.001
Contributor: The ITM Team

Exfiltration via Physical Medium

A subject may exfiltrate data via a physical medium, such as a removable drive.

Subsections (10)

ID	Name	Description
IF002.010	Exfiltration via Bring Your Own Device (BYOD)	A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services.
IF002.009	Exfiltration via Disk Media	A subject exfiltrates data using writeable disk media.
IF002.004	Exfiltration via Floppy Disk	A subject exfiltrates data using a floppy disk drive.
IF002.003	Exfiltration via New Internal Drive	A subject exfiltrates data by connecting an additional drive to a system using the Serial Advanced Technology Attachment (SATA) interface on a motherboard, and copying files to the new storage device.
IF002.002	Exfiltration via Physical Access to System Drive	A subject exfiltrates data by retrieving the physical drive used by a system.
IF002.005	Exfiltration via Physical Documents	A subject tansports physical documents outside of the control of the organization.
IF002.007	Exfiltration via Target Disk Mode	When a Mac is booted into Target Disk Mode (by powering the computer on whilst holding the ‘T’ key), it acts as an external storage device, accessible from another computer via Thunderbolt, USB, or FireWire connections. A subject with physical access to the computer, and the ability to control boot options, can copy any data present on the target disk, bypassing the need to authenticate to the target computer.
IF002.001	Exfiltration via USB Mass Storage Device	A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.
IF002.008	Exfiltration via USB to Mobile Device	The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.
IF002.006	Exfiltration via USB to USB Data Transfer	A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

Preventions (2)

Detections (3)

MITRE ATT&CK® Mapping (2)

ATT&CK Enterprise Matrix Version 17.1