Home
ATT&CK Techniques
T1091 Replication Through Removable Media

T1091 Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.PS-01.08	End-user device protection	Mitigates	T1091	Replication Through Removable Media	Comments This diagnostic statement protects endpoints from untrusted files on removable drives through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity. References
DE.CM-09.02	Hardware integrity checking	Mitigates	T1091	Replication Through Removable Media	Comments This diagnostic statement provides protection from Replication Through Removable Media through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor. References
PR.PS-01.08	End-user device protection	Mitigates	T1091	Replication Through Removable Media	Comments This diagnostic statement protects against Replication Through Removable Media through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CM-06	Configuration Settings	mitigates	T1091	Replication Through Removable Media
MP-07	Media Use	mitigates	T1091	Replication Through Removable Media
SC-41	Port and I/O Device Access	mitigates	T1091	Replication Through Removable Media
RA-05	Vulnerability Monitoring and Scanning	mitigates	T1091	Replication Through Removable Media
CM-08	System Component Inventory	mitigates	T1091	Replication Through Removable Media
SI-03	Malicious Code Protection	mitigates	T1091	Replication Through Removable Media
CM-02	Baseline Configuration	mitigates	T1091	Replication Through Removable Media
SI-04	System Monitoring	mitigates	T1091	Replication Through Removable Media
AC-03	Access Enforcement	mitigates	T1091	Replication Through Removable Media
AC-06	Least Privilege	mitigates	T1091	Replication Through Removable Media

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.malware.variety.Worm	Worm (propagate to other systems or devices)	related-to	T1091	Replication Through Removable Media
action.malware.vector.Removable media	Removable storage media or devices	related-to	T1091	Replication Through Removable Media
action.social.vector.Removable media	Removable storage media	related-to	T1091	Replication Through Removable Media