T1091: Replication Through Removable Media
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Mobile devices may also be used to infect PCs with malware if connected via USB. This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables. For example, when a smartphone is connected to a system, it may appear to be mounted similarly to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-1750: Process_From_Mounted_Disk: A process was started from a mounted disk
hacking_tools: PT-CR-1857: USB_Rubber_Ducky: Possible RubberDucky USB activity
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0022 | File: File Access | Monitor for unexpected files accessed on removable media. |
| DS0009 | Process: Process Creation | Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. |
| DS0022 | File: File Creation | Monitor for newly constructed files on removable media. |
| DS0016 | Drive: Drive Creation | Monitor for newly constructed drive letters or mount points to removable media. |
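The Process Creation and Drive Creation rows above describe a correlation: a removable volume appears, a process is launched from it, and the same process then opens a network connection. The following is an example added here to show that correlation over constructed events; it is not a MaxPatrol SIEM rule or any other Positive Technologies code. The event records loosely mirror Sysmon event IDs 1 (process create) and 3 (network connect) plus drive mount/remove notifications, and the field names (`kind`, `bus`, `drive`, `image`, `dst`) are assumptions.

```python
"""Correlate removable-media mounts with process launches and follow-on network
activity. Example code added to this page, not a Positive Technologies rule.
Event shapes and field names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Bus types treated as removable media (assumption: the mount event carries the
# bus the volume arrived on).
REMOVABLE_BUSES = {"USB", "FIREWIRE", "SD"}


@dataclass
class Alert:
    severity: str   # "medium": ran from removable media; "high": plus network follow-on
    pid: int
    image: str
    reason: str


def detect(events):
    """Return alerts for processes whose image lives on a currently mounted
    removable volume, escalating when that process later opens a network
    connection (the follow-on activity the detection guidance mentions)."""
    mounted = {}          # drive letter -> time the removable volume appeared
    from_removable = {}   # pid -> image path, for processes started off such a volume
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["kind"]
        if kind == "drive_mount":
            if ev["bus"].upper() in REMOVABLE_BUSES:
                mounted[ev["drive"].upper()] = ev["ts"]
        elif kind == "drive_remove":
            # Once the volume is gone the letter may be reused by something else.
            mounted.pop(ev["drive"].upper(), None)
        elif kind == "process_create":
            drive, _ = ntpath.splitdrive(ev["image"])
            drive = drive.upper()
            if drive in mounted:
                from_removable[ev["pid"]] = ev["image"]
                delay = (ev["ts"] - mounted[drive]).total_seconds()
                alerts.append(Alert("medium", ev["pid"], ev["image"],
                                    f"launched by {ev['user']} from removable drive "
                                    f"{drive} {delay:.0f}s after it was mounted"))
        elif kind == "network_connect":
            image = from_removable.get(ev["pid"])
            if image is not None:
                alerts.append(Alert("high", ev["pid"], image,
                                    f"removable-media process connected to {ev['dst']}"))
    return alerts


T0 = datetime(2024, 1, 15, 9, 30, 0)  # constructed timestamps
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"ts": T0, "kind": "drive_mount", "drive": "E:", "bus": "USB"},
    # A double-extension executable launched from the USB stick by the user.
    {"ts": T0 + timedelta(seconds=12), "kind": "process_create", "pid": 4120,
     "image": "E:\\Photos\\vacation.jpg.exe", "user": "CORP\\jdoe"},
    # The same process reaches out to the network: escalate.
    {"ts": T0 + timedelta(seconds=15), "kind": "network_connect", "pid": 4120,
     "dst": "203.0.113.10:443"},
    # Ordinary activity from the system drive: no alert.
    {"ts": T0 + timedelta(seconds=20), "kind": "process_create", "pid": 4200,
     "image": "C:\\Windows\\System32\\notepad.exe", "user": "CORP\\jdoe"},
    {"ts": T0 + timedelta(seconds=25), "kind": "network_connect", "pid": 4200,
     "dst": "10.0.0.5:445"},
    {"ts": T0 + timedelta(minutes=2), "kind": "drive_remove", "drive": "E:"},
    # Same letter after the stick was removed: no longer removable, not flagged.
    {"ts": T0 + timedelta(minutes=3), "kind": "process_create", "pid": 4300,
     "image": "E:\\backup\\tool.exe", "user": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} {a.image}: {a.reason}")
```

The drive-letter check only covers volumes mounted as letters; volumes mounted as directory mount points (for example under `C:\Mount\`) would need the mount event's path compared as a prefix of the image path instead.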
Mitigation
| ID | Name | Description |
|---|---|---|
| M1034 | Limit Hardware Installation | Limit the use of USB devices and removable media within a network. |
| M1042 | Disable or Remove Feature or Program | Disable Autorun if it is unnecessary. Disallow or restrict removable media at an organizational policy level if it is not required for business operations. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. |
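To check the M1042 mitigation ("Disable Autorun") on a Windows host, the relevant setting is the `NoDriveTypeAutoRun` DWORD under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`: each bit set disables Autorun for one drive type, indexed by the Win32 `DRIVE_*` type constant, so `0xFF` disables it everywhere while the Windows default `0x91` still leaves removable drives and CD-ROMs enabled. The following audit helper is an example added here (not a Positive Technologies tool) that parses the text `reg query` prints; the two sample outputs are constructed, one with the weak default and one with the hardened value.

```python
"""Audit the Windows Autorun policy from `reg query` output.
Example code added to this page; the sample outputs are constructed."""
import re

# Bit per drive type: 1 << DRIVE_* constant. A set bit disables Autorun for
# that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "unspecified": 0x80,
}
WINDOWS_DEFAULT = 0x91  # value that applies when the policy is not set

# Constructed: what `reg query HKLM\...\Policies\Explorer` prints on a host
# left at the default policy (weak) and on a hardened host.
WEAK_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""
HARDENED_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""

VALUE_RE = re.compile(
    r"^\s*NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$", re.M)


def parse_no_drive_type_autorun(reg_output):
    """Return the policy value, or None when the value is absent (default applies)."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 0) if m else None


def autorun_enabled_on(reg_output):
    """Drive types on which Autorun is still allowed, sorted by name."""
    value = parse_no_drive_type_autorun(reg_output)
    if value is None:
        value = WINDOWS_DEFAULT
    return sorted(name for name, bit in DRIVE_TYPE_BITS.items() if not value & bit)


def autorun_disabled_everywhere(reg_output):
    return not autorun_enabled_on(reg_output)


if __name__ == "__main__":
    for label, out in (("default", WEAK_REG_OUTPUT), ("hardened", HARDENED_REG_OUTPUT)):
        print(label, "still allows Autorun on:", autorun_enabled_on(out) or "nothing")
```

The `HKCU` copy of the same value can also exist; the policy key under `HKLM` takes precedence, so that is the one to audit first.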