T1092: Communication Through Removable Media
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- mitre_attck_defense_evasion: PT-CR-3134: Subrule_Possible_Process_From_Mounted_Disk: Possible startup of a process from a mounted disk
- mitre_attck_defense_evasion: PT-CR-1750: Process_From_Mounted_Disk: A user started a process from a mounted disk. Attackers use mounted devices to bypass security and run malicious files.
- hacking_tools: PT-CR-1857: USB_Rubber_Ducky: Possible RubberDucky USB activity
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0016 | Drive: Drive Creation | Monitor for newly executed processes when removable media is mounted. |
| DS0016 | Drive: Drive Access | Monitor for unexpected file access on removable media. |
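The two detection rows above (a process launched shortly after removable media is mounted, and a file on removable media touched by a process that has no business there) can be correlated from ordinary endpoint telemetry. The following is an added example written for this page, not code from the original page or from Positive Technologies' MaxPatrol SIEM rules. It assumes a simplified event shape (a volume-mount / unmount event, a process-creation event such as Sysmon Event ID 1, and a file-access event such as Windows Security Event ID 4663, flattened into dicts), a hypothetical allowlist of processes expected to read removable media, and a 300-second "just mounted" window; all event data is constructed. It also handles drive-letter reuse: once a volume is unmounted, a later process on the same letter is no longer attributed to removable media.

```python
"""Toy T1092 detector: processes launched from, and files accessed on,
removable media that has recently been mounted.

Added example for this page; not part of the page or of any vendor rule.
Event shapes, the allowlist and the time window are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Hypothetical allowlist of processes expected to read removable media.
ALLOWED_ACCESSORS = {
    r"c:\windows\explorer.exe",
    r"c:\program files\microsoft office\root\office16\winword.exe",
}

# Executions this soon after a mount are treated as possible autorun (assumed value).
MOUNT_WINDOW_S = 300


@dataclass
class Alert:
    rule: str
    host: str
    ts: int
    detail: str


@dataclass
class RemovableMediaDetector:
    # host -> {drive letter such as "E:" -> mount timestamp}
    mounted: dict[str, dict[str, int]] = field(default_factory=dict)
    alerts: list[Alert] = field(default_factory=list)

    @staticmethod
    def _drive(path: str) -> str:
        drive, _ = ntpath.splitdrive(path)  # "E:\\x\\y.exe" -> "E:"
        return drive.upper()

    def _mount_ts(self, host: str, path: str) -> int | None:
        """Mount time of the removable volume holding `path`, or None."""
        return self.mounted.get(host, {}).get(self._drive(path))

    def feed(self, ev: dict) -> None:
        kind, host = ev["type"], ev["host"]
        if kind == "drive_mount":
            # Only USB-attached volumes count as removable in this toy model.
            if ev.get("bus", "").upper() == "USB":
                self.mounted.setdefault(host, {})[ev["drive"].upper()] = ev["ts"]
        elif kind == "drive_unmount":
            # Forget the letter so a later fixed/network volume on it is not flagged.
            self.mounted.get(host, {}).pop(ev["drive"].upper(), None)
        elif kind == "process_create":
            mount_ts = self._mount_ts(host, ev["image"])
            if mount_ts is not None:
                age = ev["ts"] - mount_ts
                rule = ("possible_autorun_from_removable_media"
                        if age <= MOUNT_WINDOW_S else "process_from_removable_media")
                self.alerts.append(Alert(
                    rule, host, ev["ts"],
                    f"{ev['user']} ran {ev['image']} {age}s after mount"))
        elif kind == "file_access":
            if (self._mount_ts(host, ev["path"]) is not None
                    and ev["process"].lower() not in ALLOWED_ACCESSORS):
                self.alerts.append(Alert(
                    "unexpected_removable_media_access", host, ev["ts"],
                    f"{ev['process']} accessed {ev['path']}"))


def run(events: list[dict]) -> list[Alert]:
    """Replay events in time order and return the alerts raised."""
    det = RemovableMediaDetector()
    for ev in sorted(events, key=lambda e: e["ts"]):
        det.feed(ev)
    return det.alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "drive_mount", "host": "WS01", "drive": "E:", "bus": "USB"},
    {"ts": 1012, "type": "process_create", "host": "WS01", "user": "CORP\\alice",
     "image": "E:\\setup\\update.exe"},                       # 12 s after mount
    {"ts": 1030, "type": "process_create", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe"},          # fixed disk, benign
    {"ts": 1100, "type": "file_access", "host": "WS01", "path": "E:\\docs\\report.docx",
     "process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"ts": 1200, "type": "file_access", "host": "WS01", "path": "E:\\sync\\cmds.dat",
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},  # unexpected
    {"ts": 2000, "type": "process_create", "host": "WS01", "user": "CORP\\alice",
     "image": "E:\\tools\\7z.exe"},                           # 1000 s after mount
    {"ts": 2100, "type": "drive_unmount", "host": "WS01", "drive": "E:"},
    {"ts": 2200, "type": "process_create", "host": "WS01", "user": "CORP\\alice",
     "image": "E:\\mapped\\tool.exe"},                        # E: reused, not removable
    {"ts": 2300, "type": "process_create", "host": "WS02", "user": "CORP\\bob",
     "image": "E:\\run.exe"},                                 # no mount seen on WS02
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host} {a.rule}: {a.detail}")
```

On the sample data this raises three alerts: the execution 12 s after mount (possible autorun), the Temp-resident process reading a file on the USB volume, and the later execution from the same volume outside the window; the post-unmount execution and the WS02 event, where no mount was observed, are deliberately not flagged. In a real deployment the mount state would have to survive detector restarts and be seeded from the current volume list, otherwise media inserted before the sensor started would be invisible to the rule.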
Mitigation
| ID | Name | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable Autoruns if it is unnecessary. |
| M1028 | Operating System Configuration | Disallow or restrict removable media at an organizational policy level if they are not required for business operations. |