# T1091 Replication Through Removable Media

-----------------------------------------------------------------------

## Technique Description

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

## Technique Detection

Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.

-----------------------------------------------------------------------

### Tactics:

  * Lateral-Movement

  * Initial-Access

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

### System Requirements:

  * Removable media allowed, Autorun enabled or vulnerability present that allows for code execution

### Data Sources:

  * **File:** File Creation

  * **Process:** Process Creation

  * **Drive:** Drive Creation

  * **File:** File Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used a customized [PlugX](https://attack.mitre.org/software/S0013) variant which could spread through USB connections.(Citation: Avira Mustang Panda January 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has attempted to transfer [USBferry](https://attack.mitre.org/software/S0452) from an infected USB device by copying an Autorun function to the target machine.(Citation: TrendMicro Tropic Trooper May 2020)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.(Citation: FBI Flash FIN7 USB)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012)'s selective infector modifies executables stored on removable media as a method of spreading across computers.(Citation: Kaspersky Darkhotel)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.(Citation: Microsoft SIR Vol 19)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1091)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*

-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Malicious actors will try to get backdoors to propagate to air-gapped systems and networks.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### APT28
- Uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.
- “CHOPSTICK”: a modular backdoor with the capability to copy itself to USB drives to target air-gapped systems.

## Detection Blindspots

- Information Here

## Analytical References

  * [Mitre Attck Replication Through Removable Media (infosecinstitute)](https://resources.infosecinstitute.com/topic/mitre-attck-replication-through-removable-media/)
  * [Sednit Espionage Group Attacking Air-Gapped Networks 2014 (welivesecurity)](https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/)
  * [Monitor the use of Removable Storage Devices (microsoft)](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices)
  * [Reg-Query (microsoft)](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-query)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

1. Any active removable device should be considered suspicious if there is NO external media policy in place.
2. Legitimate uses of USBs, etc. should be verified with the MP. Eliminating legitimate work activity can be difficult; work with the MP to identify legitimate reasons for USB actions versus share-drive use.
3. At this point, remaining instances should be investigated more thoroughly. Consider the following:
    - What is being downloaded/uploaded?
    - Where is it downloading to?
    - Why is the content being downloaded/uploaded?
    - Are there anomalous call-outs, functions, etc.?
    - Has the subject user account performed both similar AND related tasks?
    - Do those tasks fit with the expected work functions of that user?
- Event codes that may be of interest: [4663, 4688, 1]

- If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.
- If removable media is not allowed, then any event ID generated for it is highly suspicious. Work with the MP to determine this.

#### Analytic 1

  * **Information:** Monitor file access on removable media.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** N/A

  * **Query:** ```event_id:4663 AND "removable storage"```

#### Analytic 2

  * **Information:** Detect processes that execute from removable media after it is mounted or when initiated by a user.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Coordination with MP is needed to determine the standard drive that they use

  * **Query:** ```event_id:4688 AND NOT new.process.name:<normal drive>:*```
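As an added example (not part of this playbook or the cited sources), Analytic 1 and Analytic 2 expressed as detection logic over constructed 4663/4688 records, plus the correlation a hunter actually wants: a file written to removable media and later executed from the same path by the same user. The field names, the sample records and the approved drive set (`C:` as the MP's normal drive) are assumptions.

```python
import re

# Assumption: the "normal drive" agreed with the MP is C:.
APPROVED_DRIVES = {"C:"}

# Constructed sample records (not real telemetry) carrying only the fields the
# two analytics key on: Security 4663 (object access) and 4688 (process creation).
SAMPLE_EVENTS = [
    {"id": 4663, "task": "Removable Storage", "user": "CORP\\jdoe",
     "path": "E:\\report.pdf.exe", "access": "WriteData"},
    {"id": 4663, "task": "File System", "user": "CORP\\jdoe",
     "path": "C:\\Users\\jdoe\\notes.txt", "access": "ReadData"},
    {"id": 4688, "user": "CORP\\jdoe", "path": "E:\\report.pdf.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"id": 4688, "user": "CORP\\jdoe", "path": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"id": 4688, "user": "CORP\\svc_backup", "path": "\\\\nas01\\share\\backup.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
]

def drive_of(path):
    """Drive letter ('E:') of a local path, or None for UNC and relative paths."""
    m = re.match(r"^([A-Za-z]:)\\", path)
    return m.group(1).upper() if m else None

def removable_access(ev):
    """Analytic 1: 4663 whose task category is Removable Storage."""
    return ev["id"] == 4663 and ev.get("task", "").lower() == "removable storage"

def off_drive_exec(ev, approved=APPROVED_DRIVES):
    """Analytic 2: 4688 whose image is not on an approved drive letter.
    UNC paths match too, so share-drive launches need the MP triage from the hunter notes."""
    return ev["id"] == 4688 and drive_of(ev["path"]) not in approved

def hunt(events, approved=APPROVED_DRIVES):
    """Run both analytics; return (analytic, user, path) hits in event order."""
    hits = []
    for ev in events:
        if removable_access(ev):
            hits.append(("analytic1", ev["user"], ev["path"]))
        elif off_drive_exec(ev, approved):
            hits.append(("analytic2", ev["user"], ev["path"]))
    return hits

def written_then_executed(events):
    """Higher-signal pattern: a write to removable media (4663) followed by a 4688
    for the same path and user. Events are assumed to be in chronological order."""
    written, matches = set(), []
    for ev in events:
        key = (ev["user"], ev["path"].lower())
        if removable_access(ev) and "Write" in ev.get("access", ""):
            written.add(key)
        elif ev["id"] == 4688 and key in written:
            matches.append(ev["path"])
    return matches
```

The share-drive hit in the sample shows why the raw Analytic 2 query needs the MP's list of normal drives before it is tuned into an alert.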

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------