Data from Removable Media (T1025)
Tactic: Collection · Platforms: Linux, macOS, Windows
The interactive view maps 1 detection strategy, 1 mitigation, 4 threat groups, 20 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Some adversaries may also use Automated Collection on removable media.