Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.DS-01.03 | Removable media protection | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement provides protection from Communication Through Removable Media through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1092 | Communication Through Removable Media | |
| MP-07 | Media Use | mitigates | T1092 | Communication Through Removable Media | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1092 | Communication Through Removable Media | |
| CM-08 | System Component Inventory | mitigates | T1092 | Communication Through Removable Media | |
| SI-03 | Malicious Code Protection | mitigates | T1092 | Communication Through Removable Media | |
| CM-02 | Baseline Configuration | mitigates | T1092 | Communication Through Removable Media | |
| CM-07 | Least Functionality | mitigates | T1092 | Communication Through Removable Media | |
| SI-04 | System Monitoring | mitigates | T1092 | Communication Through Removable Media |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1092 | Communication Through Removable Media | |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1092 | Communication Through Removable Media |