1. Home
  2. ATT&CK Techniques
  3. T1091 Replication Through Removable Media

T1091 Replication Through Removable Media Mappings

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-3 Access Enforcement Protects T1091 Replication Through Removable Media
AC-6 Least Privilege Protects T1091 Replication Through Removable Media
CM-2 Baseline Configuration Protects T1091 Replication Through Removable Media
CM-6 Configuration Settings Protects T1091 Replication Through Removable Media
CM-8 System Component Inventory Protects T1091 Replication Through Removable Media
MP-7 Media Use Protects T1091 Replication Through Removable Media
RA-5 Vulnerability Monitoring and Scanning Protects T1091 Replication Through Removable Media
SC-41 Port and I/O Device Access Protects T1091 Replication Through Removable Media
SI-3 Malicious Code Protection Protects T1091 Replication Through Removable Media
SI-4 System Monitoring Protects T1091 Replication Through Removable Media
CVE-2019-15959 Cisco SPA525G2 5-line IP Phone exploitation_technique T1091 Replication Through Removable Media
CVE-2018-15376 Cisco IOS Software exploitation_technique T1091 Replication Through Removable Media
CVE-2020-3198 Cisco IOS 12.2(60)EZ16 exploitation_technique T1091 Replication Through Removable Media
CVE-2020-4068 APNSwift exploitation_technique T1091 Replication Through Removable Media
CVE-2020-12024 Baxter ExactaMix EM 2400 & EM 1200 primary_impact T1091 Replication Through Removable Media
CVE-2015-1769 n/a uncategorized T1091 Replication Through Removable Media
CVE-2020-7456 FreeBSD uncategorized T1091 Replication Through Removable Media
CVE-2020-12464 n/a uncategorized T1091 Replication Through Removable Media
CVE-2020-15393 n/a uncategorized T1091 Replication Through Removable Media
CVE-2020-9804 macOS uncategorized T1091 Replication Through Removable Media
action.malware.variety.Worm Worm (propagate to other systems or devices) related-to T1091 Replication Through Removable Media
action.malware.vector.Removable media Removable storage media or devices related-to T1091 Replication Through Removable Media