T1092 - Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Atomic Tests:#

Currently, no tests are available for this technique.

Detection#

Monitor file access on removable media (on Windows, enabling the "Audit Removable Storage" object-access subcategory records these accesses as Event ID 4663). Detect processes that execute shortly after removable media is mounted, especially processes whose image is located on the removable volume itself, and watch for a single process that both reads from and writes to the same device, since relaying commands in and results out produces exactly that read/write pattern. Legitimate USB use is common, so baseline which users and devices normally generate this activity before alerting on it.
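The correlation described above, as an added example that is not part of the original page: a small Python detector run over a constructed, simplified event stream. The event format (`volume_mount`, `process_create`, `file_access` records with `ts`, `drive`, `image`, `pid`, `path` and `access` fields) is an assumption standing in for whatever an EDR or Sysmon-style feed actually provides; the sample events are constructed for the example.

```python
"""Correlate removable-media mounts with process execution and file I/O.

Added example (not from the Atomic Red Team page). Two rules:
  exec_from_removable         - a process whose image lives on a removable
                                volume started within N seconds of the mount.
  removable_read_write_relay  - one process both read from and wrote to a
                                removable volume (commands in, results out).
The event schema below is an assumption, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on a Sysmon/EDR feed.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "volume_mount", "drive": "E:", "bus": "USB"},
    {"ts": "2024-05-01T09:00:04", "type": "process_create", "pid": 4120,
     "image": r"E:\tools\sync.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:00:06", "type": "file_access", "pid": 4120,
     "path": r"E:\.inbox\cmd_0042.bin", "access": "read"},
    {"ts": "2024-05-01T09:00:07", "type": "file_access", "pid": 4120,
     "path": r"E:\.outbox\result_0042.bin", "access": "write"},
    # Benign: a local editor opening a document from the stick half an hour later.
    {"ts": "2024-05-01T09:30:00", "type": "process_create", "pid": 5000,
     "image": r"C:\Program Files\Editor\editor.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:31:00", "type": "file_access", "pid": 5000,
     "path": r"E:\report.docx", "access": "read"},
]


def _parse_ts(s):
    return datetime.fromisoformat(s)


def _drive_of(path):
    """Return the drive letter of a Windows path ('E:\\x' -> 'E:'), or None."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else None


def detect(events, window_seconds=60):
    """Return a list of alert dicts for the removable-media relay pattern."""
    events = sorted(events, key=lambda e: _parse_ts(e["ts"]))
    removable = {}  # drive letter -> mount time (only USB-bus volumes count)
    access_by_pid = defaultdict(lambda: {"read": set(), "write": set()})
    alerts = []

    for e in events:
        ts = _parse_ts(e["ts"])
        if e["type"] == "volume_mount" and e.get("bus") == "USB":
            removable[e["drive"].upper()] = ts
        elif e["type"] == "process_create":
            drive = _drive_of(e["image"])
            if drive in removable and ts - removable[drive] <= timedelta(seconds=window_seconds):
                alerts.append({
                    "rule": "exec_from_removable",
                    "pid": e["pid"],
                    "image": e["image"],
                    "seconds_after_mount": int((ts - removable[drive]).total_seconds()),
                })
        elif e["type"] == "file_access":
            if _drive_of(e["path"]) in removable:
                access_by_pid[e["pid"]][e["access"]].add(e["path"])

    # A process that only reads (or only writes) the device is ordinary use;
    # reading and writing on the same device is what a command relay looks like.
    for pid, acc in access_by_pid.items():
        if acc["read"] and acc["write"]:
            alerts.append({
                "rule": "removable_read_write_relay",
                "pid": pid,
                "read": sorted(acc["read"]),
                "write": sorted(acc["write"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, pid 4120 trips both rules (it started from `E:` four seconds after the mount, then read from `E:\.inbox` and wrote to `E:\.outbox`), while the editor process only reads and produces nothing. Shrinking `window_seconds` below four drops the execution alert but keeps the relay alert, which is the more durable of the two since it does not depend on timing.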

Shield Active Defense#

Peripheral Management#

Manage peripheral devices used on systems within the network for active defense purposes.

Peripheral Management is the administration of peripheral devices used on systems within the network for defensive or deceptive purposes. A defender can choose to allow or deny certain types of peripherals from being used on systems. Defenders can also introduce certain peripherals to an adversary-controlled system to see how the adversary reacts.

Opportunity#

There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment.

Use Case#

A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do.

Procedures#

Introduce external devices (e.g. a USB drive) to a machine in an adversary engagement scenario to see how quickly an adversary becomes aware of its presence and whether they attempt to leverage the device. Configure controls (such as disabling AutoRun) that would require an adversary to take additional steps when leveraging a peripheral device to execute their tools.