T1092 Communication Through Removable Media Mappings

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1092 Communication Through Removable Media
CM-6 Configuration Settings Protects T1092 Communication Through Removable Media
CM-7 Least Functionality Protects T1092 Communication Through Removable Media
CM-8 System Component Inventory Protects T1092 Communication Through Removable Media
MP-7 Media Use Protects T1092 Communication Through Removable Media
RA-5 Vulnerability Monitoring and Scanning Protects T1092 Communication Through Removable Media
SI-3 Malicious Code Protection Protects T1092 Communication Through Removable Media
SI-4 System Monitoring Protects T1092 Communication Through Removable Media
action.malware.vector.Removable media Removable storage media or devices related-to T1092 Communication Through Removable Media