T1092 Communication Through Removable Media Mappings

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. (Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1092 | Communication Through Removable Media | |
| MP-07 | Media Use | mitigates | T1092 | Communication Through Removable Media | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1092 | Communication Through Removable Media | |
| CM-08 | System Component Inventory | mitigates | T1092 | Communication Through Removable Media | |
| SI-03 | Malicious Code Protection | mitigates | T1092 | Communication Through Removable Media | |
| CM-02 | Baseline Configuration | mitigates | T1092 | Communication Through Removable Media | |
| CM-07 | Least Functionality | mitigates | T1092 | Communication Through Removable Media | |
| SI-04 | System Monitoring | mitigates | T1092 | Communication Through Removable Media | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1092 | Communication Through Removable Media | |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1092 | Communication Through Removable Media | |