T1092: Communication Through Removable Media

View on MITRE ATT&CK	T1092
Tactic(s)	Command and Control
Associated CAPEC Patterns	USB Memory Attacks (CAPEC-457)

Data from MITRE ATT&CK®:

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

How to detect this technique

MITRE ATT&CK Data Components

Drive Creation (Drive)

Initial construction of a drive letter or mount point to a data storage device

Drive Access (Drive)

Opening of a data storage device with an assigned drive letter or mount point

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
CM-6: Configuration Settings
CM-7: Least Functionality
RA-5: Vulnerability Monitoring and Scanning
MP-7: Media Use
SI-3: Malicious Code Protection
CM-2: Baseline Configuration
CM-8: System Component Inventory
SI-4: System Monitoring