T1092 Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

CRI Profile Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1092 | Communication Through Removable Media | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
| PR.PS-01.02 | Least functionality | Mitigates | T1092 | Communication Through Removable Media | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
| PR.DS-01.03 | Removable media protection | Mitigates | T1092 | Communication Through Removable Media | This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity. |
| PR.PS-01.03 | Configuration deviation | Mitigates | T1092 | Communication Through Removable Media | This diagnostic statement provides protection from Communication Through Removable Media through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise systems and elevate privileges. |

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1092 | Communication Through Removable Media | |
| MP-07 | Media Use | mitigates | T1092 | Communication Through Removable Media | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1092 | Communication Through Removable Media | |
| CM-08 | System Component Inventory | mitigates | T1092 | Communication Through Removable Media | |
| SI-03 | Malicious Code Protection | mitigates | T1092 | Communication Through Removable Media | |
| CM-02 | Baseline Configuration | mitigates | T1092 | Communication Through Removable Media | |
| CM-07 | Least Functionality | mitigates | T1092 | Communication Through Removable Media | |
| SI-04 | System Monitoring | mitigates | T1092 | Communication Through Removable Media | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1092 | Communication Through Removable Media | |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1092 | Communication Through Removable Media | |