Detect Replication Through Removable Media in Microsoft Sentinel
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system. This technique serves dual purposes: Initial Access (introducing malware into isolated or air-gapped environments) and Lateral Movement (propagating between networked systems via USB). Common implementations include creating autorun.inf files that auto-execute malware on media insertion, copying malicious executables to the drive root disguised as legitimate files, and creating LNK shortcut files that silently execute hidden payloads. Notable threat actors and malware families include Stuxnet (targeting air-gapped ICS/SCADA networks via the CVE-2010-2568 LNK vulnerability), Flame (modular USB infection framework), Gamaredon Group (LNK files on all removable and network drives via UserAssist persistence), Mustang Panda and APT30 (customized PlugX USB variants), Raspberry Robin (worm spread via infected USB media), HIUPAN (periodic drive polling for propagation), and Aoqin Dragon (removable device dropper for breaching secure network environments).
MITRE ATT&CK
- Tactic
- Lateral Movement, Initial Access
- Canonical reference
- https://attack.mitre.org/techniques/T1091/
KQL Detection Query
let NonSystemDrivePattern = @"(?i)^[d-z]:\\";
let DriveRootPattern = @"(?i)^[d-z]:\\$";
let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".hta", ".ps1", ".scr", ".pif", ".com"]);
// Signal 1: autorun.inf creation on non-system drive — classic USB worm indicator (Stuxnet, Agent.btz, Flame)
let AutorunInfSignal = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName =~ "autorun.inf"
| where FolderPath matches regex NonSystemDrivePattern
// UNC paths begin with two backslashes; in a verbatim @"..." string that is @"\\" (@"\\\\" would be four and never match)
| where not(FolderPath startswith @"\\")
| extend Signal = "AutorunInfCreated", SignalSeverity = "High", RiskScore = 90;
// Signal 2: Executable or script written to root of non-system drive (PlugX, HIUPAN, DustySky pattern)
let ExecAtDriveRootSignal = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath matches regex DriveRootPattern
| where FileName has_any (SuspiciousExtensions)
| where not(FolderPath startswith @"\\")
| extend Signal = "ExecutableAtDriveRoot", SignalSeverity = "High", RiskScore = 85;
// Signal 3: Executable written to non-system drive by unexpected initiating process
let ExecOnRemovableSignal = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath matches regex NonSystemDrivePattern
| where not(FolderPath startswith @"\\")
| where FileName has_any (SuspiciousExtensions)
| where InitiatingProcessFileName !in~ ("explorer.exe", "robocopy.exe", "xcopy.exe",
    "msiexec.exe", "setup.exe", "install.exe", "installer.exe")
| extend Signal = "SuspiciousExecOnRemovableMedia", SignalSeverity = "Medium", RiskScore = 65;
// Signal 4: Process launched directly FROM non-system drive (Raspberry Robin, Aoqin Dragon pattern)
let ProcFromRemovableSignal = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath matches regex NonSystemDrivePattern
| where not(FolderPath startswith @"\\")
| extend Signal = "ProcessLaunchedFromRemovableMedia", SignalSeverity = "High", RiskScore = 88;
union AutorunInfSignal, ExecAtDriveRootSignal, ExecOnRemovableSignal, ProcFromRemovableSignal
// DeviceFileEvents has no AccountName column, so fall back to the initiating process account for file signals
| project Timestamp, DeviceName,
    AccountName = coalesce(AccountName, InitiatingProcessAccountName),
    FileName, FolderPath,
    Signal, SignalSeverity, RiskScore,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    SHA256
| sort by RiskScore desc, Timestamp desc
Multi-signal detection for T1091 Replication Through Removable Media using Microsoft Defender for Endpoint DeviceFileEvents and DeviceProcessEvents tables. Monitors four high-fidelity indicators: (1) autorun.inf creation on non-system drives — the classic worm propagation mechanism used by Stuxnet, Agent.btz, and Flame with essentially no legitimate modern use; (2) executables written to the root directory of non-system drives — preferred placement for disguised USB malware; (3) executables written anywhere on non-system drives by unexpected initiating processes, excluding common legitimate file-copy utilities; and (4) process execution originating directly from non-system drive paths. Uses regex matching against drive letter patterns to identify non-C: drive activity while excluding UNC network share paths. Risk scores enable analyst triage prioritization across signal types.
Data Sources
Required Tables
False Positives & Tuning
- Software installations from USB drives — legitimate setup.exe or msiexec.exe processes writing executable files to D: or E: drives during product installation or portable app setup
- Backup software (Acronis, Veeam, Windows Backup, robocopy scripts) writing backup archives or system images containing executables to external USB hard drives on scheduled backup paths
- IT administrators manually copying diagnostic tools, deployment packages, or OS installers to removable media for endpoint remediation or imaging tasks
- Portable application suites (PortableApps.com platform, U3 smart drive) that legitimately store and execute full application stacks from USB drives by design
- Multi-drive workstations where D:, E:, or other letters refer to secondary fixed internal drives (NVMe, SSD, HDD) rather than removable media — tuning against known fixed drive letters in your environment is required
- Developer workflows using large external drives to store build toolchains, compilers, or VM images accessed directly from non-C: drive paths
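To show how the four signals of the query above combine, and how the fixed-drive tuning from the false-positive list changes the result, here is an added Python model of the same logic run over constructed event rows (this is not the page's or Microsoft's code; the Event class, the sample rows and the fixed_drives parameter are assumptions made for the example):

```python
import re
from dataclasses import dataclass

@dataclass
class Event:  # hypothetical stand-in for one DeviceFileEvents / DeviceProcessEvents row
    table: str               # "DeviceFileEvents" or "DeviceProcessEvents"
    action: str              # ActionType
    file_name: str           # FileName
    folder_path: str         # FolderPath (folder of the file, or of the process image)
    initiating_process: str  # InitiatingProcessFileName

# Same patterns and lists as the KQL query on this page.
NON_SYSTEM_DRIVE = re.compile(r"^[d-z]:\\", re.I)
DRIVE_ROOT = re.compile(r"^[d-z]:\\$", re.I)
SUSPICIOUS_EXT = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".lnk",
                  ".hta", ".ps1", ".scr", ".pif", ".com")
COPY_TOOLS = {"explorer.exe", "robocopy.exe", "xcopy.exe", "msiexec.exe",
              "setup.exe", "install.exe", "installer.exe"}

def classify(ev, fixed_drives=frozenset()):
    """Every (Signal, RiskScore) the event fires, highest first; fixed_drives tunes out
    letters known to be internal fixed disks (e.g. {"D"}), per the false-positive notes."""
    path = ev.folder_path
    if path.startswith("\\\\") or not NON_SYSTEM_DRIVE.match(path):
        return []  # UNC share or system drive: out of scope
    if path[0].upper() in fixed_drives:
        return []  # secondary internal disk, not removable media
    if ev.table == "DeviceProcessEvents":
        return [("ProcessLaunchedFromRemovableMedia", 88)]  # Signal 4
    name, signals = ev.file_name.lower(), []
    if name == "autorun.inf":
        signals.append(("AutorunInfCreated", 90))  # Signal 1
    if ev.action in ("FileCreated", "FileModified") and name.endswith(SUSPICIOUS_EXT):
        if DRIVE_ROOT.match(path):
            signals.append(("ExecutableAtDriveRoot", 85))  # Signal 2
        if ev.initiating_process.lower() not in COPY_TOOLS:
            signals.append(("SuspiciousExecOnRemovableMedia", 65))  # Signal 3
    return sorted(signals, key=lambda s: -s[1])

# Constructed sample rows mirroring the tests and false-positive cases on this page.
SAMPLE_EVENTS = [
    Event("DeviceFileEvents", "FileCreated", "autorun.inf", "D:\\", "cmd.exe"),
    Event("DeviceFileEvents", "FileCreated", "system_update.exe", "D:\\", "cmd.exe"),
    Event("DeviceFileEvents", "FileCreated", "setup.exe", "E:\\Installer\\", "msiexec.exe"),
    Event("DeviceFileEvents", "FileCreated", "tool.exe", "\\\\fileserver\\share\\", "cmd.exe"),
    Event("DeviceProcessEvents", "ProcessCreated", "usb_payload.exe", "D:\\", "cmd.exe"),
]

def triage(events, fixed_drives=frozenset()):
    """Union every signal into (FileName, Signal, RiskScore) rows, sorted like the query."""
    rows = [(ev.file_name, s, r) for ev in events for s, r in classify(ev, fixed_drives)]
    return sorted(rows, key=lambda row: -row[2])
```

Note that a single file event can fire more than one signal (the drive-root executable copied by cmd.exe fires both Signal 2 and Signal 3), exactly as the union in the query produces one row per signal.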
Other platforms for T1091
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create autorun.inf on Non-System Drive
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\autorun.inf, Image=cmd.exe. DeviceFileEvents in MDE: FileName=autorun.inf, FolderPath=D:\, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.
- Test 2: Copy Executable to Removable Drive Root (PlugX/HIUPAN Pattern)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\system_update.exe, Image=cmd.exe, MD5 matches cmd.exe hash. DeviceFileEvents in MDE: FileName=system_update.exe, FolderPath=D:\, ActionType=FileCreated, SHA256 matches cmd.exe.
- Test 3: Create Malicious LNK Shortcut on Removable Drive (Gamaredon Technique)
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\Documents.lnk, Image=powershell.exe. DeviceFileEvents in MDE: FileName=Documents.lnk, FolderPath=D:\, ActionType=FileCreated, InitiatingProcessFileName=powershell.exe. WindowStyle=7 (minimized/hidden window) indicates deliberate concealment.
- Test 4: Execute Process Directly from Removable Drive
Expected signal: Sysmon Event ID 1 (Process Create): Image=D:\usb_payload.exe, CommandLine=D:\usb_payload.exe /C whoami, ParentImage=cmd.exe. DeviceProcessEvents in MDE: FileName=usb_payload.exe, FolderPath=D:\, ProcessCommandLine contains 'whoami'. Preceded by Sysmon Event ID 11 for the file copy.
- Test 5: Enumerate Removable Drives via WMI (USB Worm Reconnaissance)
Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe, CommandLine contains 'Win32_LogicalDisk' and 'DriveType'. DeviceProcessEvents in MDE: FileName=powershell.exe, ProcessCommandLine contains WMI query. WMI Activity log (Microsoft-Windows-WMI-Activity/Operational Event ID 5857/5858) may record the Win32_LogicalDisk query.
References (10)
- https://attack.mitre.org/techniques/T1091/
- https://securelist.com/the-flame-malware/73765/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-usb-threat-ukraine
- https://www.threatexpert.com/report.aspx?md5=4c48f0dc5c55e26d5b68dfafe2e54b31
- https://www.trendmicro.com/en_us/research/22/f/raspberry-robin-worming-its-way-through-networks.html
- https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/control-usb-devices-using-intune
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663