Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement provides protection from Replication Through Removable Media through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement protects against Replication Through Removable Media through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1091 | Replication Through Removable Media | |
| MP-07 | Media Use | mitigates | T1091 | Replication Through Removable Media | |
| SC-41 | Port and I/O Device Access | mitigates | T1091 | Replication Through Removable Media | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1091 | Replication Through Removable Media | |
| CM-08 | System Component Inventory | mitigates | T1091 | Replication Through Removable Media | |
| SI-03 | Malicious Code Protection | mitigates | T1091 | Replication Through Removable Media | |
| CM-02 | Baseline Configuration | mitigates | T1091 | Replication Through Removable Media | |
| SI-04 | System Monitoring | mitigates | T1091 | Replication Through Removable Media | |
| AC-03 | Access Enforcement | mitigates | T1091 | Replication Through Removable Media | |
| AC-06 | Least Privilege | mitigates | T1091 | Replication Through Removable Media |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Worm | Worm (propagate to other systems or devices) | related-to | T1091 | Replication Through Removable Media | |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1091 | Replication Through Removable Media | |
| action.social.vector.Removable media | Removable storage media | related-to | T1091 | Replication Through Removable Media |