Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| UEM-09 | Anti-Malware Detection and Prevention | mitigates | T1092 | Communication Through Removable Media |
Comments
This control describes the implementation of endpoint security, including anti-malware software, to mitigate the risk of exploitation by threat actors. The implementation guidance provides several examples of that the technical measures under Anti-Malware should aid with preventing which include:
Scan installed software and system data content to identify and remove unauthorized code/software.
Prohibit the use of installation of unauthorized software.
Restricting on obtaining malicious data and software from external networks.
Endpoint removable media management.
References
|