Disseminate removable media

Removable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. [1] [2] [3]

ID: T1379
Sub-techniques:  No sub-techniques
Tactic: Stage Capabilities
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.


  1. Sean Carroll. (2010, November 4). USB Malware Attacks On the Rise. Retrieved March 9, 2017.
  2. William J. Lynn III. (2010, September). Defending a New Domain. Retrieved March 9, 2017.
  1. Emil Protalinski. (2012, July 11). Criminals push malware by 'losing' USB sticks in parking lots. Retrieved March 9, 2017.