Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1092 | Communication Through Removable Media |
| CM-6 | Configuration Settings | Protects | T1092 | Communication Through Removable Media |
| CM-7 | Least Functionality | Protects | T1092 | Communication Through Removable Media |
| CM-8 | System Component Inventory | Protects | T1092 | Communication Through Removable Media |
| MP-7 | Media Use | Protects | T1092 | Communication Through Removable Media |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1092 | Communication Through Removable Media |
| SI-3 | Malicious Code Protection | Protects | T1092 | Communication Through Removable Media |
| SI-4 | System Monitoring | Protects | T1092 | Communication Through Removable Media |
| action.malware.vector.Removable media | Removable storage media or devices | related-to | T1092 | Communication Through Removable Media |