Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement provides protection from Replication Through Removable Media through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement protects against Replication Through Removable Media through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1091 | Replication Through Removable Media | |
| MP-07 | Media Use | mitigates | T1091 | Replication Through Removable Media | |
| SC-41 | Port and I/O Device Access | mitigates | T1091 | Replication Through Removable Media | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1091 | Replication Through Removable Media | |
| CM-08 | System Component Inventory | mitigates | T1091 | Replication Through Removable Media | |
| SI-03 | Malicious Code Protection | mitigates | T1091 | Replication Through Removable Media | |
| CM-02 | Baseline Configuration | mitigates | T1091 | Replication Through Removable Media | |
| SI-04 | System Monitoring | mitigates | T1091 | Replication Through Removable Media | |
| AC-03 | Access Enforcement | mitigates | T1091 | Replication Through Removable Media | |
| AC-06 | Least Privilege | mitigates | T1091 | Replication Through Removable Media |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2024-50302 | Linux Kernel Use of Uninitialized Resource Vulnerability | exploitation_technique | T1091 | Replication Through Removable Media |
Comments
Attackers can use malicious Human Interface Devices (keyboard, mouse, etc.) to trigger a kernel-level memory leak due to improper initialization and use of uninitialized resources. This leads to the returning of the uninitialized kernel data, which can be collected and exfiltrated.
References
|
| CVE-2025-24985 | Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability | exploitation_technique | T1091 | Replication Through Removable Media |
Comments
An attacker can trick users into executing malicious code by mounting images or drives. This code exploits vulnerabilities in the Windows Fast FAT File System Driver.
References
|
| CVE-2025-24991 | Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability | exploitation_technique | T1091 | Replication Through Removable Media |
Comments
This vulnerability is facilitated by the insertion of information into log files, which could lead to the disclosure of said sensitive information through an attack. In order to exploit this vulnerability, an attacker needs physical access to the system, such as the ability to mount an external drive.
References
|
| CVE-2024-53197 | Linux Kernel Out-of-Bounds Access Vulnerability | exploitation_technique | T1091 | Replication Through Removable Media |
Comments
Using a malicious USB device, an attacker can trigger an out-of-bounds heap write in the kernel, allowing the attacker to obtain root access and potentiall execute arbitrary code.
References
|
| CVE-2024-53150 | Linux Kernel Out-of-Bounds Read Vulnerability | exploitation_technique | T1091 | Replication Through Removable Media |
Comments
By crafting a malicious USB audio device, an attacker can trigger an out-of-bounds read error in the kernel, potentially exposing sensitive kernel information.
References
|
| CVE-2024-53104 | Linux Kernel Out-of-Bounds Write Vulnerability | exploitation_technique | T1091 | Replication Through Removable Media |
Comments
By creating or modifying a USB video device, an attacker can send an undefined video frame to trigger an out-of-bounds write, leading to privilege escalation and potential arbitrary code execution.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Worm | Worm (propagate to other systems or devices) | related-to | T1091 | Replication Through Removable Media | |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1091 | Replication Through Removable Media | |
| action.social.vector.Removable media | Removable storage media | related-to | T1091 | Replication Through Removable Media |