T1092: Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-1750: Process_From_Mounted_Disk: A process was started from a mounted disk
hacking_tools: PT-CR-1857: USB_Rubber_Ducky: Possible RubberDucky USB activity

Detection

ID: DS0016
Data source and component: Drive: Drive Creation
Description: Monitor for newly executed processes when removable media is mounted.

ID: DS0016
Data source and component: Drive: Drive Access
Description: Monitor for unexpected file access on removable media, in particular reads and writes by processes other than the shell, indexer or endpoint protection that normally touch newly attached volumes.
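Both detection entries above reduce to one correlation: keep track of which volumes are currently mounted on each host, then flag process launches whose image lives on such a volume and file access to it by a process that has no business reading it. The following script is an added example written for this page, not Positive Technologies code or a MaxPatrol SIEM rule. The JSON event schema (type, drive, image, path, process fields), the sample log lines, the 15-minute mount window and the allowlist of expected readers are all constructed assumptions for the example.

```python
import json

# Seconds after a mount during which a launch from that volume counts as a
# "newly executed process when removable media is mounted" (assumed value).
MOUNT_WINDOW_S = 15 * 60

# Processes expected to touch removable volumes (shell browsing, indexing).
# Assumption for this example; an organisation would tune this to its fleet.
EXPECTED_MEDIA_READERS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\searchindexer.exe",
}

# Constructed sample telemetry, one JSON event per line. The event types and
# field names are an assumption for this example, not any product's schema.
SAMPLE_LOG = r"""
{"ts": 1000, "host": "WS01", "type": "mount",   "drive": "E:", "bus": "USB"}
{"ts": 1030, "host": "WS01", "type": "file",    "path": "E:\\inbox\\commands.dat", "process": "C:\\Windows\\explorer.exe"}
{"ts": 1040, "host": "WS01", "type": "process", "image": "E:\\tools\\update.exe",  "parent": "C:\\Windows\\explorer.exe"}
{"ts": 1060, "host": "WS01", "type": "file",    "path": "E:\\outbox\\result.dat",  "process": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"}
{"ts": 1100, "host": "WS01", "type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": 1200, "host": "WS01", "type": "unmount", "drive": "E:"}
{"ts": 1250, "host": "WS01", "type": "process", "image": "E:\\tools\\update.exe",  "parent": "C:\\Windows\\explorer.exe"}
"""


def drive_of(path):
    """Return the drive-letter prefix of a Windows path ("E:"), or None for
    UNC paths and anything else without a letter."""
    if len(path) >= 2 and path[0].isalpha() and path[1] == ":":
        return path[:2].upper()
    return None


def detect(log_text):
    """Replay events in time order, tracking which volumes are currently
    mounted per host, and emit one finding per suspicious launch or access."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    mounted = {}  # (host, drive letter) -> mount timestamp
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "mount":
            mounted[(host, ev["drive"].upper())] = ev["ts"]
        elif kind == "unmount":
            # The letter may be reassigned to another device later, so drop the
            # context rather than keep stale state (the 1250 launch is not flagged).
            mounted.pop((host, ev["drive"].upper()), None)
        elif kind == "process":
            # DS0016 Drive Creation: a process whose image sits on a mounted volume.
            mount_ts = mounted.get((host, drive_of(ev["image"])))
            if mount_ts is not None:
                age = ev["ts"] - mount_ts
                findings.append({
                    "rule": "process_from_removable_media",
                    "host": host,
                    "image": ev["image"],
                    "parent": ev["parent"],
                    "seconds_since_mount": age,
                    "within_mount_window": age <= MOUNT_WINDOW_S,
                })
        elif kind == "file":
            # DS0016 Drive Access: access by a process outside the allowlist.
            on_media = (host, drive_of(ev["path"])) in mounted
            if on_media and ev["process"].lower() not in EXPECTED_MEDIA_READERS:
                findings.append({
                    "rule": "unexpected_removable_media_access",
                    "host": host,
                    "path": ev["path"],
                    "process": ev["process"],
                })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports two findings: update.exe launched from E: forty seconds after the mount, and a Temp-resident svc.exe writing result.dat to the volume, while explorer.exe browsing the same volume and a launch from C: stay silent. The launch at 1250 after the unmount is deliberately not flagged: without a mount event the drive letter carries no context, which is why the Drive Creation source is a prerequisite for this correlation rather than an optional enrichment.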

Mitigation

ID: M1042
Name: Disable or Remove Feature or Program
Description: Disable Autoruns if it is unnecessary.

ID: M1028
Name: Operating System Configuration
Description: Disallow or restrict removable media at an organizational policy level if they are not required for business operations.
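On Windows the two mitigations above map to two Group Policy settings whose state is visible in the registry: "Turn off AutoPlay" writes NoDriveTypeAutoRun under the Explorer policy key, and "All Removable Storage classes: Deny all access" writes Deny_All under RemovableStorageDevices. The audit below is an added example for this page, not code from Positive Technologies or MITRE. It parses `reg query` style output (the two samples are constructed) and reports which of the mitigations is missing or only partially applied; the registry paths are the real HKLM policy locations, the per-user HKCU copies are an assumption left out of scope.

```python
import re

# Registry locations behind the two Group Policy settings that implement M1042
# and M1028 on Windows. Both are machine-wide (HKLM) policy keys; the per-user
# (HKCU) copies are not covered by this audit.
AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
STORAGE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"

# NoDriveTypeAutoRun is a bitmask over GetDriveType() values; a set bit
# disables AutoRun for that drive type. These are the bits removable media can
# arrive on: USB flash drives enumerate as removable, USB hard disks as fixed,
# and some devices expose a CD-ROM partition specifically to trigger AutoRun.
MEDIA_BITS = {0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED", 0x20: "DRIVE_CDROM"}
ALL_DRIVES = 0xFF  # value written by "Turn off AutoPlay" with "All drives" selected

# Constructed samples in the layout `reg query <key>` prints. The first is a
# common partial hardening; the second is the result of both policies applied.
WEAK_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x95
"""

HARDENED_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
    Deny_All    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Map (key, value name) -> data from `reg query` output. Key lines are
    unindented; value lines are indented and column-separated by 2+ spaces."""
    values, current_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current_key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3 or current_key is None:
            continue
        name, reg_type, data = parts
        if reg_type == "REG_DWORD":
            data = int(data, 16)  # reg query prints DWORDs as hex
        values[(current_key, name)] = data
    return values


def assess(values):
    """Return the list of gaps against the two mitigations; an empty list means
    both the AutoRun policy (M1042) and the removable-storage deny (M1028) are set."""
    gaps = []
    autorun = values.get((AUTORUN_KEY, "NoDriveTypeAutoRun"))
    if autorun is None:
        gaps.append("NoDriveTypeAutoRun is not set by policy; AutoRun follows the OS default")
    else:
        still_on = [name for bit, name in MEDIA_BITS.items() if not autorun & bit]
        if still_on:
            gaps.append(f"AutoRun still enabled for {', '.join(still_on)}; "
                        f"set NoDriveTypeAutoRun to 0x{ALL_DRIVES:02X}")
    if values.get((STORAGE_KEY, "Deny_All")) != 1:
        gaps.append("Removable storage not blocked; set RemovableStorageDevices\\Deny_All to 1")
    return gaps


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, assess(parse_reg_query(sample)) or ["no gaps"])
```

The weak sample is the trap this check is built around: 0x95 does clear the removable-drive bit, but leaves the fixed and CD-ROM bits unset, so a USB hard disk (which enumerates as DRIVE_FIXED) or a flash drive with an emulated CD-ROM partition still gets AutoRun. Windows 7 and later only honour autorun.inf on optical media in any case, which makes the CD-ROM bit the one that matters and 0x95 no real hardening; 0xFF closes all of them. Deny_All is the blunt instrument for M1028 and blocks every removable storage class including optical drives, so where some media is required for business operations the per-class Deny_Read and Deny_Execute values under the same key are the finer-grained option, and the audit would need extending to evaluate them.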