EXPLORE

← Back to Explore

T1091

Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this m...

Windows

8

Detections

3

Sources

8

Threat Actors

BY SOURCE

4splunk_escu3elastic1sigma

PROCEDURES (6)

Registry3 detections

Auto-extracted: 3 detections for registry

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

THREAT ACTORS (8)

Aoqin Dragon APT28 Darkhotel FIN7 Gamaredon Group LuminousMoth Mustang Panda Tropic Trooper

DETECTIONS (8)

Execution from a Removable Media with Network Connection

External Disk Drive Or USB Storage Device Was Recognized By The System

First Time Seen Removable Device

New USB Storage Device Mounted

Windows Process Executed From Removable Media

Windows Replication Through Removable Media

Windows USBSTOR Registry Key Modification

Windows WPDBusEnum Registry Key Modification