Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.[1] Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

ID: T1092
Sub-techniques: No sub-techniques
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 31 May 2017
Last Modified: 31 January 2024

Procedure Examples

ID Name Description
G0007 APT28

APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to a network-connected computer when the USB is inserted.[2]

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.[3][4][2]

S0136 USBStealer

USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.[1]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable Autoruns if it is unnecessary.[5]

M1028 Operating System Configuration

Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[6]

Detection

ID Data Source Data Component Detects
DS0016 Drive Drive Access

Monitor for unexpected file access on removable media.

DS0016 Drive Drive Creation

Monitor for newly executed processes when removable media is mounted.
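The two Detects entries above, as an added example (not MITRE's or any vendor's code) run over constructed log lines: it records removable-media mounts, flags any file write to a mounted removable volume, and flags a process started from a volume mounted within the last 60 seconds. The log format, the 60-second window, and narrowing the second rule to processes whose image lives on the newly mounted volume are assumptions made here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from any real host): a removable volume is mounted,
# a program launched from it writes a file back to the volume, and a later Linux
# mount shows the same pattern with POSIX paths.
SAMPLE_LOG = r"""
2024-01-31T10:00:01 MOUNT volume=E: type=removable
2024-01-31T10:00:07 PROCESS_CREATE pid=4120 image=E:\update.exe parent=C:\Windows\explorer.exe
2024-01-31T10:00:09 FILE_WRITE pid=4120 path=E:\sync\cmd.dat
2024-01-31T10:30:00 FILE_WRITE pid=880 path=C:\Users\alice\notes.txt
2024-01-31T11:00:00 PROCESS_CREATE pid=5000 image=C:\App\app.exe parent=C:\Windows\explorer.exe
2024-01-31T12:00:00 MOUNT volume=/media/usb0 type=removable
2024-01-31T12:00:05 PROCESS_CREATE pid=700 image=/media/usb0/sync.sh parent=/bin/bash
"""

MOUNT_WINDOW = timedelta(seconds=60)  # assumed: an exec this soon after mount is notable


def parse(line):
    """Split 'TIMESTAMP KIND k=v k=v ...' into (datetime, kind, {k: v})."""
    ts, kind, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), kind, dict(re.findall(r"(\w+)=(\S+)", rest))


def mounted_on(path, mounts):
    """Return the removable mount point (drive letter or POSIX directory) that
    contains path, comparing case-insensitively with backslashes folded to '/'."""
    norm = path.replace("\\", "/").lower()
    for mp in mounts:
        if norm.startswith(mp.replace("\\", "/").lower().rstrip("/") + "/"):
            return mp
    return None


def detect(log_text):
    """Apply both Detects entries to the log; return (rule, pid, path) alerts
    in the order the triggering events appear."""
    alerts, removable = [], {}  # mount point -> mount time
    for line in filter(None, log_text.splitlines()):
        ts, kind, f = parse(line)
        if kind == "MOUNT" and f.get("type") == "removable":
            removable[f["volume"]] = ts
        elif kind == "PROCESS_CREATE":
            mp = mounted_on(f["image"], removable)
            if mp and ts - removable[mp] <= MOUNT_WINDOW:
                alerts.append(("exec_from_removable_after_mount", f["pid"], f["image"]))
        elif kind == "FILE_WRITE" and mounted_on(f["path"], removable):
            alerts.append(("file_write_to_removable", f["pid"], f["path"]))
    return alerts
```

On the sample log, the write to the user's home directory and the launch of a program from the system drive produce no alerts; the three events touching the removable volumes do.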