T1091 Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.08 End-user device protection Mitigates T1091 Replication Through Removable Media
Comments
This diagnostic statement protects endpoints from untrusted files on removable drives through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
References
    DE.CM-09.02 Hardware integrity checking Mitigates T1091 Replication Through Removable Media
    Comments
    This diagnostic statement provides protection from Replication Through Removable Media through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
    References
      PR.PS-01.08 End-user device protection Mitigates T1091 Replication Through Removable Media
      Comments
      This diagnostic statement protects against Replication Through Removable Media through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
      References

        VERIS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1091 Replication Through Removable Media
        action.malware.vector.Removable media Removable storage media or devices related-to T1091 Replication Through Removable Media
        action.social.vector.Removable media Removable storage media related-to T1091 Replication Through Removable Media