T1091 Sumo Logic CSE · Sumo

Detect Replication Through Removable Media in Sumo Logic CSE

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system. This technique serves two purposes: Initial Access (introducing malware into isolated or air-gapped environments) and Lateral Movement (propagating between networked systems via USB). Common implementations include creating autorun.inf files that auto-execute malware on media insertion, copying malicious executables to the drive root disguised as legitimate files, and creating LNK shortcut files that silently execute hidden payloads. Notable examples, both malware families and threat actors, include Stuxnet (targeting air-gapped ICS/SCADA networks via the CVE-2010-2568 LNK vulnerability), Flame (modular USB infection framework), Gamaredon Group (LNK files on all removable and network drives via UserAssist persistence), Mustang Panda and APT30 (customized PlugX USB variants), Raspberry Robin (worm spread via infected USB media), HIUPAN (periodic drive polling for propagation), and Aoqin Dragon (removable device dropper for breaching secure network environments).

MITRE ATT&CK

Tactic
Lateral Movement, Initial Access
Technique
T1091 Replication Through Removable Media
Canonical reference
https://attack.mitre.org/techniques/T1091/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```
// Sysmon process-create (1) and file-create (11) events; the Security category is kept for completeness
(_sourceCategory="Windows/Sysmon" OR _sourceCategory="WinEventLog/Security")
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as image_path nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse field=_raw "<Data Name='ParentCommandLine'>*</Data>" as parent_cmdline nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as user nodrop
// The host name lives in the <System> block, not in an EventData <Data> element
| parse field=_raw "<Computer>*</Computer>" as computer nodrop
| where event_id in ("1", "11")
// Event 11 reports the file written; event 1 reports the image launched
| if(event_id = "11", target_filename, image_path) as target_path
| where !isNull(target_path) and target_path != ""
// Keep local drive letters D: to Z:; C: and UNC paths (\\server\share) fall out here
| where target_path matches /^[D-Zd-z]:\\/
| where !(target_path matches /^\\\\/)
// substring is zero-based: index 0 is the drive letter
| toUpperCase(substring(target_path, 0, 1)) as drive_letter
| where drive_letter != "C"
| if(target_path matches /(?i)autorun\.inf$/, 1, 0) as is_autorun
| if(target_path matches /(?i)\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$/, 1, 0) as is_executable
// Count path separators: 1 = drive root, 2 = one folder deep
| length(target_path) - length(replace(target_path, /\\/, "")) as backslash_count
| if(backslash_count <= 2, 1, 0) as is_root_level
| if(event_id = "11" and is_autorun = 1, "AutorunInfCreated",
    if(event_id = "11" and is_executable = 1 and is_root_level = 1, "ExecutableAtDriveRoot",
    if(event_id = "11" and is_executable = 1, "ExecutableOnRemovableMedia",
    if(event_id = "1", "ProcessFromRemovableMedia", "")))) as signal
// Event 11 for a non-executable file produces no signal and is dropped here
| where signal != ""
| if(signal = "AutorunInfCreated", 90,
    if(signal = "ProcessFromRemovableMedia", 88,
    if(signal = "ExecutableAtDriveRoot", 85,
    if(signal = "ExecutableOnRemovableMedia", 65, 50)))) as risk_score
| fields _messageTime, computer, user, event_id, signal, risk_score, target_path, drive_letter,
    is_autorun, is_executable, is_root_level, parent_image, parent_cmdline
| sort by risk_score desc, _messageTime desc
```

Severity: High. Confidence: High.

Sumo Logic query for detecting T1091 removable-media replication using Sysmon Event ID 1 (Process Create) and Event ID 11 (File Create). It raises four signals: autorun.inf creation, executables written to a drive root, executable file types written anywhere on a non-system drive, and processes launched from a non-system drive. Drive letters D: to Z: serve as a proxy for removable media; fixed secondary disks and mapped network drives share that letter range, so expect to exclude known hosts or paths in your estate.

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Sysmon logs via Sumo Logic collector
  • Windows Security logs via Sumo Logic collector

Required Tables

  • Windows Sysmon source category
  • WinEventLog Security source category

False Positives & Tuning

  • Software distribution teams using USB drives to deliver update packages to factory floor or OT systems without network connectivity
  • Forensics examiners running triage tools (e.g., KAPE, IRTriage) from external drives during incident response engagements
  • Legitimate PortableApps installations where users intentionally run applications from USB drives


Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create autorun.inf on Non-System Drive

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\autorun.inf, Image=cmd.exe. DeviceFileEvents in MDE: FileName=autorun.inf, FolderPath=D:\, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.

  2. Test 2: Copy Executable to Removable Drive Root (PlugX/HIUPAN Pattern)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\system_update.exe, Image=cmd.exe, MD5 matches cmd.exe hash. DeviceFileEvents in MDE: FileName=system_update.exe, FolderPath=D:\, ActionType=FileCreated, SHA256 matches cmd.exe.

  3. Test 3: Create Malicious LNK Shortcut on Removable Drive (Gamaredon Technique)

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=D:\Documents.lnk, Image=powershell.exe. DeviceFileEvents in MDE: FileName=Documents.lnk, FolderPath=D:\, ActionType=FileCreated, InitiatingProcessFileName=powershell.exe. WindowStyle=7 (minimized/hidden window) indicates deliberate concealment.

  4. Test 4: Execute Process Directly from Removable Drive

    Expected signal: Sysmon Event ID 1 (Process Create): Image=D:\usb_payload.exe, CommandLine=D:\usb_payload.exe /C whoami, ParentImage=cmd.exe. DeviceProcessEvents in MDE: FileName=usb_payload.exe, FolderPath=D:\, ProcessCommandLine contains 'whoami'. Preceded by Sysmon Event ID 11 for the file copy.

  5. Test 5: Enumerate Removable Drives via WMI (USB Worm Reconnaissance)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe, CommandLine contains 'Win32_LogicalDisk' and 'DriveType'. DeviceProcessEvents in MDE: FileName=powershell.exe, ProcessCommandLine contains WMI query. WMI Activity log (Microsoft-Windows-WMI-Activity/Operational Event ID 5857/5858) may record the Win32_LogicalDisk query.
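As an added offline check that is not part of the original detection page, the following Python mirrors the query's classification branches and runs them over constructed Sysmon XML fragments shaped like Tests 1, 2 and 4 above plus two benign controls (host names, file names and paths are made up); it lets you confirm the expected signal and risk score for each test case before wiring the query into CSE.

```python
import re
# Constructed Sysmon XML fragments in the layout the Sumo query parses (not real telemetry);
# the first three follow Tests 1, 2 and 4 above, the last two are benign controls.
SAMPLE_EVENTS = [
    "<EventID>11</EventID><Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data Name='TargetFilename'>D:\\autorun.inf</Data><Computer>ws01</Computer>",
    "<EventID>11</EventID><Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data Name='TargetFilename'>D:\\system_update.exe</Data><Computer>ws01</Computer>",
    "<EventID>1</EventID><Data Name='Image'>D:\\usb_payload.exe</Data>"
    "<Data Name='ParentImage'>C:\\Windows\\System32\\cmd.exe</Data><Computer>ws01</Computer>",
    "<EventID>11</EventID><Data Name='Image'>C:\\Windows\\explorer.exe</Data>"
    "<Data Name='TargetFilename'>E:\\photos\\trip\\img_0001.jpg</Data><Computer>ws02</Computer>",
    "<EventID>11</EventID><Data Name='Image'>C:\\Windows\\explorer.exe</Data>"
    "<Data Name='TargetFilename'>\\\\fileserver\\share\\tool.exe</Data><Computer>ws02</Computer>",
]

EXEC_RE = re.compile(r"\.(exe|dll|bat|cmd|vbs|js|lnk|hta|ps1|scr|pif|com)$", re.I)
RISK = {"AutorunInfCreated": 90, "ProcessFromRemovableMedia": 88,
        "ExecutableAtDriveRoot": 85, "ExecutableOnRemovableMedia": 65}

def _field(raw, name):
    m = re.search(rf"<Data Name='{name}'>(.*?)</Data>", raw)
    return m.group(1) if m else None

def classify(raw):
    """Mirror the query: (signal, risk_score, target_path) for a hit, else None."""
    event_id = m.group(1) if (m := re.search(r"<EventID>(\d+)</EventID>", raw)) else None
    if event_id not in ("1", "11"):
        return None
    # Event 11 reports the file written; event 1 reports the image launched.
    path = _field(raw, "TargetFilename") if event_id == "11" else _field(raw, "Image")
    # Drive letters D: to Z: only, so C: and UNC (\\server\share) paths drop out here.
    if not path or not re.match(r"^[D-Zd-z]:\\", path):
        return None
    is_autorun = path.lower().endswith("autorun.inf")
    is_exec = bool(EXEC_RE.search(path))
    is_root = path.count("\\") <= 2  # drive root or one folder deep, as in the query
    if event_id == "1":
        signal = "ProcessFromRemovableMedia"
    elif is_autorun:
        signal = "AutorunInfCreated"
    elif is_exec:
        signal = "ExecutableAtDriveRoot" if is_root else "ExecutableOnRemovableMedia"
    else:
        return None  # event 11 for a non-executable file: no signal
    return signal, RISK[signal], path

def run(events):
    # Keep the hits and order them by risk score, like the query's final sort.
    hits = [h for h in (classify(e) for e in events) if h]
    return sorted(hits, key=lambda h: -h[1])
```

Running `run(SAMPLE_EVENTS)` yields three hits (AutorunInfCreated 90, ProcessFromRemovableMedia 88, ExecutableAtDriveRoot 85) and drops the JPEG and the UNC path.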
