Description
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
Platforms
Mitigations (2)
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable Autoruns if it is unnecessary.(Citation: Microsoft Disable Autorun) |
| M1028 | Operating System Configuration | Disallow or restrict removable media at an organizational policy level if they are not required for business operations.(Citation: TechNet Removable Media Control) |
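Both mitigations are enforced on Windows through policy registry values, so an audit can check them directly. The script below is an added example, not part of the ATT&CK page or of any referenced vendor guidance: it reports whether Autorun is disabled for every drive type (M1042) and whether removable storage is denied by policy (M1028), and with `-Enforce` writes the hardened values. The registry paths are the standard Windows policy locations for these settings; the script and its output strings are assumptions for illustration.

```powershell
# Added example: audit (and optionally enforce) the T1092 mitigations on a Windows host.
# Run elevated. Registry paths are the standard Windows policy locations for these settings.
param([switch]$Enforce)

$autorunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorunName  = 'NoDriveTypeAutoRun'
$autorunAll   = 0xFF   # bit mask: Autorun disabled on all drive types
$removableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$denyAllName  = 'Deny_All'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # value not configured
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$findings = @()

# M1042: every bit of the drive-type mask must be set, otherwise some drive type still autoruns.
$current = Get-PolicyValue $autorunKey $autorunName
if ($null -eq $current -or ($current -band $autorunAll) -ne $autorunAll) {
    $findings += "Autorun is not fully disabled ($autorunName = $current)"
    if ($Enforce) { Set-PolicyValue $autorunKey $autorunName $autorunAll }
}

# M1028: Deny_All = 1 blocks all removable storage classes; anything else leaves them usable.
$deny = Get-PolicyValue $removableKey $denyAllName
if ($deny -ne 1) {
    $findings += "Removable storage is not denied by policy ($denyAllName = $deny)"
    if ($Enforce) { Set-PolicyValue $removableKey $denyAllName 1 }
}

if ($findings.Count -eq 0) { 'T1092 mitigations M1042 and M1028 are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Where removable media is required for business operations, M1028 can be narrowed rather than dropped: keep the audit for M1042 and replace the `Deny_All` check with the more specific Group Policy settings for the storage classes that must stay allowed.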
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) uses a tool that captures information from air-gapped computers via an infected USB and transfers it to... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0023 | CHOPSTICK | Malware | Part of [APT28](https://attack.mitre.org/groups/G0007)'s operation involved using [CHOPSTICK](https://attack.mitre.org/software/S0023) modules to copy... |
| S0136 | USBStealer | Malware | [USBStealer](https://attack.mitre.org/software/S0136) drops commands for a second victim onto a removable media drive inserted into the first victim, ... |
References
Frequently Asked Questions
What is T1092 (Communication Through Removable Media)?
T1092 is a MITRE ATT&CK technique named 'Communication Through Removable Media'. It belongs to the Command and Control tactic(s). Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBSt...
How can T1092 be detected?
Detection of T1092 (Communication Through Removable Media) typically involves monitoring system logs and endpoint telemetry for removable media being mounted and for files being written to, read from, or executed from that media, and correlating those events across hosts, since the technique relays commands and files between two compromised systems on the same device. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
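The distinguishing signal of this technique is the same removable device carrying a file from one host to another, so single-host rules miss it and the useful logic is a cross-host correlation. The script below is an added example, not from the ATT&CK page: it runs that correlation over a few constructed, Sysmon-style records (Event ID 11 file create, Event ID 1 process create, plus Security Event 6416 for device recognition). The `Device` field on the file and process events is an assumption that the collection pipeline has enriched those events with the device identifier of the volume involved; the sample hosts, times, paths and device IDs are made up.

```powershell
# Added example: flag a removable device on which a file was written on one host and then
# executed on a different host within a time window. Sample records are constructed.
$events = @(
    # Host WS-A (Internet-connected): device recognised, then a file written to it.
    [pscustomobject]@{ Time='2024-05-01T09:00:05Z'; Host='WS-A'; EventId=6416; Device='USB\VID_0000&PID_0000\SERIAL-A1'; Path=$null },
    [pscustomobject]@{ Time='2024-05-01T09:00:40Z'; Host='WS-A'; EventId=11;   Device='USB\VID_0000&PID_0000\SERIAL-A1'; Path='E:\cache\job.bin' },
    # Host WS-B (isolated): the same device appears and the same file is executed from it.
    [pscustomobject]@{ Time='2024-05-01T09:12:10Z'; Host='WS-B'; EventId=6416; Device='USB\VID_0000&PID_0000\SERIAL-A1'; Path=$null },
    [pscustomobject]@{ Time='2024-05-01T09:12:33Z'; Host='WS-B'; EventId=1;    Device='USB\VID_0000&PID_0000\SERIAL-A1'; Path='E:\cache\job.bin' },
    # Benign: a different device used on one host only.
    [pscustomobject]@{ Time='2024-05-01T10:00:00Z'; Host='WS-C'; EventId=6416; Device='USB\VID_0000&PID_0000\SERIAL-C9'; Path=$null },
    [pscustomobject]@{ Time='2024-05-01T10:00:30Z'; Host='WS-C'; EventId=11;   Device='USB\VID_0000&PID_0000\SERIAL-C9'; Path='F:\report.docx' }
)

function Find-RemovableMediaRelay {
    param([object[]]$Events, [int]$WindowMinutes = 60)
    $findings = @()
    # Only file-create (11) and process-create (1) events matter; group them by device.
    $byDevice = $Events | Where-Object { $_.EventId -in 1, 11 } | Group-Object Device
    foreach ($group in $byDevice) {
        $hosts = @($group.Group | Select-Object -ExpandProperty Host -Unique)
        if ($hosts.Count -lt 2) { continue }   # a relay needs the same device on two hosts
        $writes = $group.Group | Where-Object { $_.EventId -eq 11 }
        $execs  = $group.Group | Where-Object { $_.EventId -eq 1 }
        foreach ($w in $writes) {
            foreach ($x in $execs) {
                $sameFile = (Split-Path $w.Path -Leaf) -eq (Split-Path $x.Path -Leaf)
                $delta = ([datetime]$x.Time) - ([datetime]$w.Time)
                if ($w.Host -ne $x.Host -and $sameFile -and
                    $delta.TotalMinutes -ge 0 -and $delta.TotalMinutes -le $WindowMinutes) {
                    $findings += [pscustomobject]@{
                        Device         = $group.Name
                        WrittenOn      = $w.Host
                        ExecutedOn     = $x.Host
                        File           = $x.Path
                        MinutesBetween = [math]::Round($delta.TotalMinutes, 1)
                    }
                }
            }
        }
    }
    return $findings
}

# Expected: one finding for SERIAL-A1 (written on WS-A, executed on WS-B); WS-C produces none.
Find-RemovableMediaRelay -Events $events | Format-Table -AutoSize
```

The window and the "same file name" match are deliberately loose; in practice a file hash from the file-create and process-create events is a stronger join key than the leaf name, and the window should reflect how long media realistically travels between the two networks in your environment.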
What mitigations exist for T1092?
There are 2 documented mitigations for T1092: Disable or Remove Feature or Program (M1042) and Operating System Configuration (M1028).
Which threat groups use T1092?
Known threat groups using T1092 include: APT28.