T1091 Google Chronicle · YARA-L

Detect Replication Through Removable Media in Google Chronicle

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system. This technique serves dual purposes: Initial Access (introducing malware into isolated or air-gapped environments) and Lateral Movement (propagating between networked systems via USB). Common implementations include creating autorun.inf files that auto-execute malware on media insertion, copying malicious executables to the drive root disguised as legitimate files, and creating LNK shortcut files that silently execute hidden payloads. Notable threat actors include Stuxnet (targeting air-gapped ICS/SCADA networks via CVE-2010-2568 LNK vulnerability), Flame (modular USB infection framework), Gamaredon Group (LNK files on all removable and network drives via UserAssist persistence), Mustang Panda and APT30 (customized PlugX USB variants), Raspberry Robin (worm spread via infected USB media), HIUPAN (periodic drive polling for propagation), and Aoqin Dragon (removable device dropper for breaching secure network environments).

MITRE ATT&CK

Tactic
Lateral Movement Initial Access
Technique
T1091 Replication Through Removable Media
Canonical reference
https://attack.mitre.org/techniques/T1091/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1091_replication_through_removable_media {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects replication through removable media (T1091) via autorun.inf creation, executables at drive roots, suspicious files on non-system drives, and processes launched from removable media."
    mitre_attack_tactic = "Lateral Movement, Initial Access"
    mitre_attack_technique = "T1091"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"
    references = "https://attack.mitre.org/techniques/T1091/"

  events:
    (
      /* Signal 1: autorun.inf creation on non-system drive */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)^[D-Zd-z]:\\`)
        and re.regex($e.target.file.full_path, `(?i)autorun\.inf$`)
        and not re.regex($e.target.file.full_path, `^\\\\`)
      )
      or
      /* Signal 2: Executable at root of non-system drive */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)^[D-Zd-z]:\\[^\\]+\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$`)
        and not re.regex($e.target.file.full_path, `^\\\\`)
      )
      or
      /* Signal 3: Executable on removable media by unexpected initiating process */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)^[D-Zd-z]:\\`)
        and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$`)
        and not re.regex($e.target.file.full_path, `^\\\\`)
        and not re.regex($e.principal.process.file.full_path, `(?i)(explorer|robocopy|xcopy|msiexec|setup|install|installer)\.exe$`)
      )
      or
      /* Signal 4: Process launched directly from non-system drive */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)^[D-Zd-z]:\\`)
        and not re.regex($e.target.process.file.full_path, `^\\\\`)
      )
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1091 replication through removable media. Covers all four attack signals in a single rule: autorun.inf drops (Stuxnet/Flame pattern), drive-root executables (PlugX/HIUPAN pattern), unexpected process writing executables to removable drives, and process execution originating from non-system drive letters (Raspberry Robin/Aoqin Dragon pattern).

Data Sources

Google Chronicle SIEMWindows endpoint telemetry forwarded to ChronicleSysmon events via Chronicle ingestion

Required Tables

UDM events with FILE_CREATION and PROCESS_LAUNCH event types

False Positives & Tuning

  • System administrators using bootable USB drives with Windows PE or Linux live distributions that contain executable content at the drive root
  • Security teams deploying portable scanning or remediation tools to external drives for use on isolated endpoint segments
  • Legitimate removable media backup solutions that copy recovery executables and scripts to USB drives for DR purposes
Download portable Sigma rule (.yml)

Other platforms for T1091

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create autorun.inf on Non-System Drive

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\autorun.inf, Image=cmd.exe. DeviceFileEvents in MDE: FileName=autorun.inf, FolderPath=D:\, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.

  2. Test 2Copy Executable to Removable Drive Root (PlugX/HIUPAN Pattern)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\system_update.exe, Image=cmd.exe, MD5 matches cmd.exe hash. DeviceFileEvents in MDE: FileName=system_update.exe, FolderPath=D:\, ActionType=FileCreated, SHA256 matches cmd.exe.

  3. Test 3Create Malicious LNK Shortcut on Removable Drive (Gamaredon Technique)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\Documents.lnk, Image=powershell.exe. DeviceFileEvents in MDE: FileName=Documents.lnk, FolderPath=D:\, ActionType=FileCreated, InitiatingProcessFileName=powershell.exe. WindowStyle=7 (minimized/hidden window) indicates deliberate concealment.

  4. Test 4Execute Process Directly from Removable Drive

    Expected signal: Sysmon Event ID 1 (Process Create): Image=D:\usb_payload.exe, CommandLine=D:\usb_payload.exe /C whoami, ParentImage=cmd.exe. DeviceProcessEvents in MDE: FileName=usb_payload.exe, FolderPath=D:\, ProcessCommandLine contains 'whoami'. Preceded by Sysmon Event ID 11 for the file copy.

  5. Test 5Enumerate Removable Drives via WMI (USB Worm Reconnaissance)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe, CommandLine contains 'Win32_LogicalDisk' and 'DriveType'. DeviceProcessEvents in MDE: FileName=powershell.exe, ProcessCommandLine contains WMI query. WMI Activity log (Microsoft-Windows-WMI-Activity/Operational Event ID 5857/5858) may record the Win32_LogicalDisk query.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1091 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1080Taint Shared ContentT1052.001Exfiltration over USBT1204.002Malicious FileT1547.001Registry Run Keys / Startup FolderT1036.005Match Legitimate Resource Name or LocationT1574.001DLLT1070.004File DeletionT1543.003Windows ServiceT1082System Information DiscoveryT1120Peripheral Device Discovery

Same Tactic: Lateral Movement

Popular Detections