Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.[1] Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.[2] |
S0023 | CHOPSTICK | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.[3][4][2] |
S0136 | USBStealer | USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and the commands are executed when the drive is inserted into the second victim.[1] |
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Disable Autoruns if it is unnecessary.[5] |
M1028 | Operating System Configuration | Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[6] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0016 | Drive | Drive Access | Monitor for unexpected file access on removable media. |
DS0016 | Drive | Drive Creation | Monitor for newly executed processes when removable media is mounted. |
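The two detection rows above (file access on removable media, processes executed shortly after a removable volume is mounted) can be correlated in one pass over host telemetry. The following is an added example, not part of the ATT&CK page or any referenced tool; the event records, field names and the `EXPECTED_PROCESSES` allowlist are constructed and would have to be mapped from real volume-mount and process/file telemetry.

```python
"""Correlate removable-volume mounts with follow-on process execution and
file access on that volume. All events below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed, simplified host events in time order (not real log records).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "mount", "drive": "E:", "removable": True},
    {"ts": "2024-01-10T09:00:04", "type": "process_create",
     "image": r"E:\tools\sync.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-01-10T09:00:06", "type": "file_access",
     "path": r"E:\docs\notes.txt", "process": r"C:\Windows\explorer.exe"},
    {"ts": "2024-01-10T09:00:09", "type": "file_access",
     "path": r"E:\.cache\cmd.bin", "process": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2024-01-10T09:10:00", "type": "file_access",
     "path": r"E:\docs\late.txt", "process": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2024-01-10T09:30:00", "type": "file_access",
     "path": r"C:\Users\alice\report.docx", "process": r"C:\Office\winword.exe"},
    {"ts": "2024-01-10T10:00:00", "type": "mount", "drive": "D:", "removable": False},
    {"ts": "2024-01-10T10:00:02", "type": "process_create",
     "image": r"D:\setup.exe", "parent": r"C:\Windows\explorer.exe"},
]

# Hypothetical allowlist: interactive browsing of a drive by the shell is expected.
EXPECTED_PROCESSES = {r"c:\windows\explorer.exe"}


def detect_removable_media_activity(events, window=timedelta(minutes=5)):
    """Return (rule, timestamp, path) alerts for processes launched from, or
    files touched on, a removable volume within `window` of its mount."""
    mounted = {}  # drive letter -> mount time, removable volumes only
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mount":
            drive = ev["drive"].upper()
            if ev.get("removable"):
                mounted[drive] = t
            else:
                mounted.pop(drive, None)  # fixed disks are out of scope
            continue
        path = ev.get("image") or ev.get("path") or ""
        drive = path[:2].upper()
        if drive not in mounted or t - mounted[drive] > window:
            continue  # not a removable volume, or too long after insertion
        if ev["type"] == "process_create":
            alerts.append(("process_from_removable_media", ev["ts"], path))
        elif ev["type"] == "file_access" and ev["process"].lower() not in EXPECTED_PROCESSES:
            alerts.append(("file_access_on_removable_media", ev["ts"], path))
    return alerts
```

Tuning the window and the allowlist against a baseline of normal USB use on the estate is what keeps the second rule from firing on every routine file copy.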