Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1092 | Communication Through Removable Media | |
| MP-07 | Media Use | mitigates | T1092 | Communication Through Removable Media | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1092 | Communication Through Removable Media | |
| CM-08 | System Component Inventory | mitigates | T1092 | Communication Through Removable Media | |
| SI-03 | Malicious Code Protection | mitigates | T1092 | Communication Through Removable Media | |
| CM-02 | Baseline Configuration | mitigates | T1092 | Communication Through Removable Media | |
| CM-07 | Least Functionality | mitigates | T1092 | Communication Through Removable Media | |
| SI-04 | System Monitoring | mitigates | T1092 | Communication Through Removable Media |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1092 | Communication Through Removable Media | |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1092 | Communication Through Removable Media |