Skip to content

T1092 Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Item Value
ID T1092
Tactics TA0011
Platforms Linux, Windows, macOS
Version 1.0
Created 31 May 2017
Last Modified 14 July 2020

Procedure Examples

ID Name Description
G0007 APT28 APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to network-connected computer when the USB is inserted.3
S0023 CHOPSTICK Part of APT28‘s operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.543
S0136 USBStealer USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.6


ID Mitigation Description
M1042 Disable or Remove Feature or Program Disable Autoruns if it is unnecessary.2
M1028 Operating System Configuration Disallow or restrict removable media at an organizational policy level if they are not required for business operations.1


ID Data Source Data Component
DS0016 Drive Drive Access