T1091

Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system. This technique serves dual purposes: Initial Access (introducing malware into isolated or air-gapped environments) and Lateral Movement (propagating between networked systems via USB). Common implementations include creating autorun.inf files that auto-execute malware on media insertion, copying malicious executables to the drive root disguised as legitimate files, and creating LNK shortcut files that silently execute hidden payloads. Notable threat actors include Stuxnet (targeting air-gapped ICS/SCADA networks via CVE-2010-2568 LNK vulnerability), Flame (modular USB infection framework), Gamaredon Group (LNK files on all removable and network drives via UserAssist persistence), Mustang Panda and APT30 (customized PlugX USB variants), Raspberry Robin (worm spread via infected USB media), HIUPAN (periodic drive polling for propagation), and Aoqin Dragon (removable device dropper for breaching secure network environments).

Microsoft Sentinel / Defender

kusto

let NonSystemDrivePattern = @"(?i)^[d-z]:\\";
let DriveRootPattern = @"(?i)^[d-z]:\\$";
let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".hta", ".ps1", ".scr", ".pif", ".com"]);
// Signal 1: autorun.inf creation on non-system drive — classic USB worm indicator (Stuxnet, Agent.btz, Flame)
let AutorunInfSignal = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName =~ "autorun.inf"
| where FolderPath matches regex NonSystemDrivePattern
| where not(FolderPath startswith @"\\\\")
| extend Signal = "AutorunInfCreated", SignalSeverity = "High", RiskScore = 90;
// Signal 2: Executable or script written to root of non-system drive (PlugX, HIUPAN, DustySky pattern)
let ExecAtDriveRootSignal = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath matches regex DriveRootPattern
| where FileName has_any (SuspiciousExtensions)
| where not(FolderPath startswith @"\\\\")
| extend Signal = "ExecutableAtDriveRoot", SignalSeverity = "High", RiskScore = 85;
// Signal 3: Executable written to non-system drive by unexpected initiating process
let ExecOnRemovableSignal = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath matches regex NonSystemDrivePattern
| where not(FolderPath startswith @"\\\\")
| where FileName has_any (SuspiciousExtensions)
| where InitiatingProcessFileName !in~ ("explorer.exe", "robocopy.exe", "xcopy.exe",
    "msiexec.exe", "setup.exe", "install.exe", "installer.exe")
| extend Signal = "SuspiciousExecOnRemovableMedia", SignalSeverity = "Medium", RiskScore = 65;
// Signal 4: Process launched directly FROM non-system drive (Raspberry Robin, Aoqin Dragon pattern)
let ProcFromRemovableSignal = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath matches regex NonSystemDrivePattern
| where not(FolderPath startswith @"\\\\")
| extend Signal = "ProcessLaunchedFromRemovableMedia", SignalSeverity = "High", RiskScore = 88;
union AutorunInfSignal, ExecAtDriveRootSignal, ExecOnRemovableSignal, ProcFromRemovableSignal
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          Signal, SignalSeverity, RiskScore,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SHA256
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Software installations from USB drives — legitimate setup.exe or msiexec.exe processes writing executable files to D: or E: drives during product installation or portable app setup
Backup software (Acronis, Veeam, Windows Backup, robocopy scripts) writing backup archives or system images containing executables to external USB hard drives on scheduled backup paths
IT administrators manually copying diagnostic tools, deployment packages, or OS installers to removable media for endpoint remediation or imaging tasks
Portable application suites (PortableApps.com platform, U3 smart drive) that legitimately store and execute full application stacks from USB drives by design
Multi-drive workstations where D:, E:, or other letters refer to secondary fixed internal drives (NVMe, SSD, HDD) rather than removable media — tuning against known fixed drive letters in your environment is required
Developer workflows using large external drives to store build toolchains, compilers, or VM images accessed directly from non-C: drive paths

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11)
| eval target_path=case(EventCode="11", TargetFilename, EventCode="1", Image, true(), null())
| where isnotnull(target_path)
| eval drive_letter=upper(substr(target_path, 1, 1))
| where drive_letter!="C"
| where match(target_path, "(?i)^[A-Z]:\\\\")
| eval is_autorun=if(match(lower(target_path), "autorun\\.inf$"), 1, 0)
| eval is_executable=if(match(lower(target_path), "\\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$"), 1, 0)
| eval path_depth=len(target_path) - len(replace(target_path, "\\\\", ""))
| eval is_root_level=if(path_depth <= 2, 1, 0)
| eval signal=case(
    EventCode="11" AND is_autorun=1, "AutorunInfCreated",
    EventCode="11" AND is_executable=1 AND is_root_level=1, "ExecutableAtDriveRoot",
    EventCode="11" AND is_executable=1, "ExecutableOnRemovableMedia",
    EventCode="1", "ProcessFromRemovableMedia",
    true(), null()
)
| where isnotnull(signal)
| eval risk_score=case(
    signal="AutorunInfCreated", 90,
    signal="ProcessFromRemovableMedia", 88,
    signal="ExecutableAtDriveRoot", 85,
    signal="ExecutableOnRemovableMedia", 65,
    true(), 50
)
| table _time, host, User, EventCode, signal, risk_score, target_path, drive_letter,
        is_autorun, is_executable, is_root_level, ParentImage, ParentCommandLine
| sort - risk_score - _time

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installations from USB drives — legitimate installers (msiexec.exe, setup.exe) writing executables to non-C: drive paths during product installation
Backup software writing executable content as part of full system backups to external USB hard drives on configured backup schedules
IT administrators manually copying tools or OS deployment packages to removable media for endpoint remediation tasks
Portable application suites (PortableApps, U3 platform) that legitimately run executables directly from USB drive paths
Multi-drive workstations with secondary internal drives assigned D:, E:, or higher drive letters — requires environment-specific tuning to exclude known fixed drive paths
Media production or development workflows using large external drives to store executables or toolchains accessed from non-C: paths

Elastic Security (EQL)

eql

any where
  (
    /* Signal 1: autorun.inf creation on non-system drive */
    (event.category == "file" and event.action in ("creation", "change") and
     file.name : "autorun.inf" and
     file.path : ("[D-Zd-z]:\\*") and
     not file.path : "\\\\*")
    or
    /* Signal 2: Executable at root of non-system drive */
    (event.category == "file" and event.action in ("creation", "change") and
     file.extension : ("exe", "dll", "bat", "cmd", "vbs", "js", "lnk", "hta", "ps1", "scr", "pif", "com") and
     file.path : ("[D-Zd-z]:\\*") and
     not file.path : ("[D-Zd-z]:\\*\\*") and
     not file.path : "\\\\*")
    or
    /* Signal 3: Executable written to removable media by unexpected process */
    (event.category == "file" and event.action in ("creation", "change") and
     file.extension : ("exe", "dll", "bat", "cmd", "vbs", "js", "lnk", "hta", "ps1", "scr", "pif", "com") and
     file.path : ("[D-Zd-z]:\\*") and
     not file.path : "\\\\*" and
     not process.name : ("explorer.exe", "robocopy.exe", "xcopy.exe", "msiexec.exe", "setup.exe", "install.exe", "installer.exe"))
    or
    /* Signal 4: Process launched directly from non-system drive */
    (event.category == "process" and event.type == "start" and
     process.executable : ("[D-Zd-z]:\\*") and
     not process.executable : "\\\\*")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Windows integration Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate software installers or update packages written to USB drives by IT staff for deployment to isolated systems
Backup agents (e.g., Acronis, Veeam) copying executable images to external drives as part of scheduled backup jobs
Portable application launchers (PortableApps.com suite) that legitimately execute applications from non-system drives and may place LNK files at drive roots

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "filepath" AS target_path,
  filename,
  CASE
    WHEN LOWER(filename) = 'autorun.inf' THEN 'AutorunInfCreated'
    WHEN REGEXP(LOWER(filename), '\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$')
         AND REGEXP("filepath", '^[D-Zd-z]:\\\\[^\\\\]+$') THEN 'ExecutableAtDriveRoot'
    WHEN REGEXP(LOWER(filename), '\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$')
         AND REGEXP("filepath", '^[D-Zd-z]:\\\\') THEN 'ExecutableOnRemovableMedia'
    WHEN categoryname(category) = 'Process' AND REGEXP("filepath", '^[D-Zd-z]:\\\\') THEN 'ProcessFromRemovableMedia'
    ELSE 'Unknown'
  END AS signal,
  CASE
    WHEN LOWER(filename) = 'autorun.inf' THEN 90
    WHEN categoryname(category) = 'Process' AND REGEXP("filepath", '^[D-Zd-z]:\\\\') THEN 88
    WHEN REGEXP(LOWER(filename), '\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$')
         AND REGEXP("filepath", '^[D-Zd-z]:\\\\[^\\\\]+$') THEN 85
    ELSE 65
  END AS risk_score,
  "process" AS initiating_process,
  "commandlinearguments" AS command_line,
  CATEGORYNAME(category) AS event_category,
  magnitude
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 253)
  AND (
    (LOWER(filename) = 'autorun.inf' AND REGEXP("filepath", '^[D-Zd-z]:\\\\'))
    OR (REGEXP(LOWER(filename), '\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$')
        AND REGEXP("filepath", '^[D-Zd-z]:\\\\') AND NOT REGEXP("filepath", '^\\\\\\\\'))
    OR (CATEGORYNAME(category) IN ('Process') AND REGEXP("filepath", '^[D-Zd-z]:\\\\') AND NOT REGEXP("filepath", '^\\\\\\\\'))
  )
  AND NOT REGEXP("filepath", '^\\\\\\\\'))
ORDER BY risk_score DESC, devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via QRadar DSM Windows Security Events via QRadar DSM

Required Tables

events

False Positives

IT provisioning tools that distribute software packages to USB drives for offline installation to air-gapped systems
Endpoint backup solutions that write disk images or executable recovery tools to external storage devices
Developers running portable development environments or Docker Desktop for Windows from external NVMe drives

Sumo Logic CSE

sql

(_sourceCategory="Windows/Sysmon" OR _sourceCategory="WinEventLog/Security")
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as image_path nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=_raw "<Data Name='ParentCommandLine'>*</Data>" as parent_cmdline nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as user nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as computer nodrop
| where event_id in ("1", "11")
| eval target_path = if(event_id == "11", target_filename, image_path)
| where !isNull(target_path) AND target_path != ""
| where matches(target_path, "(?i)^[D-Zd-z]:\\\\")
| where !matches(target_path, "(?i)^\\\\\\\\")
| eval drive_letter = toUpperCase(substring(target_path, 1, 1))
| where drive_letter != "C"
| eval is_autorun = if(matches(toLowerCase(target_path), "autorun\\.inf$"), 1, 0)
| eval is_executable = if(matches(toLowerCase(target_path), "\\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$"), 1, 0)
| eval backslash_count = length(target_path) - length(replaceAll(target_path, "\\\\", ""))
| eval is_root_level = if(backslash_count <= 2, 1, 0)
| eval signal = if(event_id == "11" AND is_autorun == 1, "AutorunInfCreated",
    if(event_id == "11" AND is_executable == 1 AND is_root_level == 1, "ExecutableAtDriveRoot",
    if(event_id == "11" AND is_executable == 1, "ExecutableOnRemovableMedia",
    if(event_id == "1", "ProcessFromRemovableMedia", null))))
| where !isNull(signal)
| eval risk_score = if(signal == "AutorunInfCreated", 90,
    if(signal == "ProcessFromRemovableMedia", 88,
    if(signal == "ExecutableAtDriveRoot", 85,
    if(signal == "ExecutableOnRemovableMedia", 65, 50))))
| fields _messageTime, computer, user, event_id, signal, risk_score, target_path, drive_letter,
    is_autorun, is_executable, is_root_level, parent_image, parent_cmdline
| sort by risk_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon logs via Sumo Logic collector Windows Security logs via Sumo Logic collector

Required Tables

Windows Sysmon source category WinEventLog Security source category

False Positives

Software distribution teams using USB drives to deliver update packages to factory floor or OT systems without network connectivity
Forensics examiners running triage tools (e.g., KAPE, IRTriage) from external drives during incident response engagements
Legitimate PortableApps installations where users intentionally run applications from USB drives

Google Chronicle / SecOps

yaral

rule t1091_replication_through_removable_media {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects replication through removable media (T1091) via autorun.inf creation, executables at drive roots, suspicious files on non-system drives, and processes launched from removable media."
    mitre_attack_tactic = "Lateral Movement, Initial Access"
    mitre_attack_technique = "T1091"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"
    references = "https://attack.mitre.org/techniques/T1091/"

  events:
    (
      /* Signal 1: autorun.inf creation on non-system drive */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)^[D-Zd-z]:\\`)
        and re.regex($e.target.file.full_path, `(?i)autorun\.inf$`)
        and not re.regex($e.target.file.full_path, `^\\\\`)
      )
      or
      /* Signal 2: Executable at root of non-system drive */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)^[D-Zd-z]:\\[^\\]+\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$`)
        and not re.regex($e.target.file.full_path, `^\\\\`)
      )
      or
      /* Signal 3: Executable on removable media by unexpected initiating process */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)^[D-Zd-z]:\\`)
        and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$`)
        and not re.regex($e.target.file.full_path, `^\\\\`)
        and not re.regex($e.principal.process.file.full_path, `(?i)(explorer|robocopy|xcopy|msiexec|setup|install|installer)\.exe$`)
      )
      or
      /* Signal 4: Process launched directly from non-system drive */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)^[D-Zd-z]:\\`)
        and not re.regex($e.target.process.file.full_path, `^\\\\`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows endpoint telemetry forwarded to Chronicle Sysmon events via Chronicle ingestion

Required Tables

UDM events with FILE_CREATION and PROCESS_LAUNCH event types

False Positives

System administrators using bootable USB drives with Windows PE or Linux live distributions that contain executable content at the drive root
Security teams deploying portable scanning or remediation tools to external drives for use on isolated endpoint segments
Legitimate removable media backup solutions that copy recovery executables and scripts to USB drives for DR purposes

CrowdStrike LogScale (CQL)

cql

// T1091 — Replication Through Removable Media
// Signal 1: autorun.inf creation on non-system drive (Stuxnet/Flame/Agent.btz pattern)
#repo=base_sensor #event_simpleName=FileOpenInfo
| TargetFileName = /(?i)autorun\.inf$/
| TargetFileName != /^[Cc]:\\/
| TargetFileName != /^\\\\/
| case {
    TargetFileName = /(?i)autorun\.inf$/ | Signal := "AutorunInfCreated"; RiskScore := 90
  }
| table([_timstamp, ComputerName, UserName, TargetFileName, Signal, RiskScore, ParentBaseFileName, CommandHistory])

// Union Signal 2 + 3: Executables written to removable drives
| union {
  #repo=base_sensor #event_simpleName=FileOpenInfo
  | TargetFileName = /(?i)\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$/
  | TargetFileName = /^[D-Zd-z]:\\/
  | TargetFileName != /^\\\\/
  | eval drive_root = if(match(TargetFileName, /^[D-Zd-z]:\\[^\\]+\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$/i), "true", "false")
  | case {
      drive_root = "true" | Signal := "ExecutableAtDriveRoot"; RiskScore := 85 ;
      * | Signal := "ExecutableOnRemovableMedia"; RiskScore := 65
    }
  | table([_timstamp, ComputerName, UserName, TargetFileName, Signal, RiskScore, ParentBaseFileName, CommandHistory])
}

// Union Signal 4: Process launched from non-system drive (Raspberry Robin/Aoqin Dragon)
| union {
  #repo=base_sensor #event_simpleName=ProcessRollup2
  | ImageFileName = /^[D-Zd-z]:\\/
  | ImageFileName != /^\\\\/
  | Signal := "ProcessFromRemovableMedia"
  | RiskScore := 88
  | table([_timstamp, ComputerName, UserName, ImageFileName, Signal, RiskScore, ParentBaseFileName, CommandLine])
}

| sort(RiskScore, order=desc)
| sort(_timstamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon sensor process and file telemetry CrowdStrike LogScale SIEM

Required Tables

base_sensor repository FileOpenInfo events ProcessRollup2 events

False Positives

IT technicians using USB-based deployment kits that include installer executables and batch scripts at the drive root for imaging workstations
Industrial control system (ICS/SCADA) environments where engineers routinely transfer firmware update binaries to removable drives for air-gapped system updates
Penetration testers with legitimate engagements who are deliberately testing removable media controls as part of authorized red team assessments

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1091 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Replication Through Removable Media

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Lateral Movement

Popular Detections