Which SIEM platforms have a T1092 detection rule?

df00tech provides T1092 (Communication Through Removable Media) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1092 detection?

The T1092 detection is rated high severity with medium confidence.

What are common false positives for T1092?

Common false positives for T1092 include: Software developers or IT staff who legitimately copy scripts or executables to USB drives for deployment on offline systems; Legitimate backup solutions that write encrypted backup archives to removable storage; Point-of-sale or industrial control system maintenance technicians who routinely deploy updates via USB in air-gapped environments.

T1092

Communication Through Removable Media

Q: What data sources are required to detect Communication Through Removable Media (T1092)?

Detecting Communication Through Removable Media requires the following data sources: Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation, Microsoft Defender for Endpoint.

Command and Control Last updated: April 13, 2026

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted.

What is T1092 Communication Through Removable Media?

Communication Through Removable Media (T1092) maps to the Command and Control tactic — the adversary is trying to communicate with compromised systems to control them in MITRE ATT&CK.

This page provides production-ready detection logic for Communication Through Removable Media, covering the data sources and telemetry it touches: Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1092 Communication Through Removable Media
Canonical reference: https://attack.mitre.org/techniques/T1092/

Microsoft Sentinel / Defender

kusto

let RemovableDrivePaths = dynamic(["D:\\", "E:\\", "F:\\", "G:\\", "H:\\", "I:\\", "J:\\"]);
let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".dat", ".bin"]);
let EncodedFilePatterns = dynamic([".enc", ".tmp", ".cfg", ".dat", ".bin", ".db"]);
// Branch 1: Executables or scripts written TO removable media
let ExecutablesOnUSB = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (RemovableDrivePaths)
| where FileName has_any (SuspiciousExtensions)
| extend DetectionBranch = "ExecutableDroppedToUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 2: Processes EXECUTING from removable media (command execution on air-gapped side)
let ProcessFromUSB = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (RemovableDrivePaths) or ProcessCommandLine has_any (RemovableDrivePaths)
| where FileName !in~ ("setup.exe", "autorun.exe", "install.exe")
| extend DetectionBranch = "ProcessExecutedFromUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 3: Hidden or encoded data files written to USB (C2 data staging)
let DataFilesOnUSB = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (RemovableDrivePaths)
| where FileName has_any (EncodedFilePatterns)
| where InitiatingProcessFileName !in~ ("explorer.exe", "robocopy.exe", "xcopy.exe", "backup.exe")
| extend DetectionBranch = "SuspiciousDataFileOnUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 4: USB device insertion followed by rapid file access (command pickup pattern)
let USBInsertionEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "UsbDriveMounted"
| project DeviceName, MountTime=Timestamp;
let RapidUSBAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (RemovableDrivePaths)
| join kind=inner USBInsertionEvents on DeviceName
| where Timestamp between (MountTime .. (MountTime + 2m))
| where ActionType == "FileRead"
| extend DetectionBranch = "RapidFileReadAfterMount"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Union all branches
union ExecutablesOnUSB, ProcessFromUSB, DataFilesOnUSB, RapidUSBAccess
| sort by Timestamp desc

Multi-branch detection for USB-based C2 communication patterns. Branch 1 identifies executables or scripts written to removable media (command staging). Branch 2 detects processes executing directly from USB drives (command execution on air-gapped side). Branch 3 finds hidden or encoded data files written to USB (C2 response staging). Branch 4 correlates USB insertion events with rapid file reads within 2 minutes (automated command pickup). Together these branches model the full APT28/USBStealer lifecycle of dropping commands, executing them on air-gapped hosts, and exfiltrating results via the same media.

high severity medium confidence

Data Sources

Drive: Drive Creation File: File Access File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents DeviceEvents

False Positives

Software developers or IT staff who legitimately copy scripts or executables to USB drives for deployment on offline systems
Legitimate backup solutions that write encrypted backup archives to removable storage
Point-of-sale or industrial control system maintenance technicians who routinely deploy updates via USB in air-gapped environments
Users copying portable applications (PortableApps, SumatraPDF, etc.) to USB drives for personal use
Forensic investigators and incident responders who collect evidence or run analysis tools from USB media

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=1 (CommandLine="D:\\*" OR CommandLine="E:\\*" OR CommandLine="F:\\*" OR CommandLine="G:\\*" OR CommandLine="H:\\*"))
  OR
  (EventCode=11 (TargetFilename="D:\\*" OR TargetFilename="E:\\*" OR TargetFilename="F:\\*" OR TargetFilename="G:\\*" OR TargetFilename="H:\\*"))
  OR
  (EventCode=6416)
)
| eval EventType=case(
    EventCode=1, "ProcessFromUSB",
    EventCode=11, "FileCreatedOnUSB",
    EventCode=6416, "USBDeviceConnected",
    true(), "Unknown"
  )
| eval FilePath=coalesce(TargetFilename, CommandLine, "")
| eval SuspiciousExtension=if(match(lower(FilePath), "\.(exe|dll|bat|cmd|ps1|vbs|js|hta|bin|dat|enc)$"), 1, 0)
| eval ExecutableOnUSB=if(EventCode=1 AND match(lower(CommandLine), "^[d-h]:\\\\"), 1, 0)
| eval DataFileOnUSB=if(EventCode=11 AND match(lower(TargetFilename), "\.(dat|bin|enc|tmp|cfg|db)$") AND match(TargetFilename, "^[D-H]:\\\\"), 1, 0)
| eval ScriptOnUSB=if(EventCode=11 AND match(lower(TargetFilename), "\.(ps1|bat|cmd|vbs|js|hta|exe|dll)$") AND match(TargetFilename, "^[D-H]:\\\\"), 1, 0)
| eval SuspicionScore=ExecutableOnUSB + DataFileOnUSB + ScriptOnUSB + SuspiciousExtension
| where SuspicionScore > 0 OR EventCode=6416
| eval ParentProcessName=coalesce(ParentImage, "N/A")
| table _time, host, User, EventType, EventCode, FilePath, Image, CommandLine, ParentImage, ParentCommandLine, ExecutableOnUSB, DataFileOnUSB, ScriptOnUSB, SuspicionScore
| sort - _time

Detects USB-based C2 communication using Sysmon and Windows Security events. Monitors Sysmon Event ID 1 (Process Creation) for processes spawned with USB drive paths in command lines, Event ID 11 (File Create) for executables and encoded data files written to removable drives, and Security Event ID 6416 for USB device connection events. Assigns a suspicion score across multiple indicators to prioritize high-fidelity alerts while surfacing all USB device events for correlation.

high severity medium confidence

Data Sources

Drive: Drive Creation File: File Access File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11 Windows Security Event ID 6416

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators deploying software or configurations to offline systems via USB
Legitimate data transfer workflows between segregated network segments that require removable media
Backup solutions writing encrypted archives to USB drives
Security researchers or forensic analysts running tools from USB media
Point-of-sale update procedures and industrial control system maintenance using USB media

Elastic Security (EQL)

eql

sequence by host.name with maxspan=2m
  [any where event.category == "driver" and action == "installed" and dll.name : ("usbstor*", "USBSTOR*")]
  [file where event.action in ("creation", "overwrite") and
   file.path : ("D:\\*", "E:\\*", "F:\\*", "G:\\*", "H:\\*", "I:\\*") and
   file.extension in~ ("exe", "dll", "bat", "cmd", "ps1", "vbs", "js", "hta", "dat", "bin", "enc", "tmp", "cfg", "db") and
   not process.name in~ ("explorer.exe", "robocopy.exe", "xcopy.exe")]

OR

sequence by host.name with maxspan=2m
  [any where event.category == "driver" and action == "installed" and dll.name : ("usbstor*")]
  [file where event.action == "access" and
   file.path : ("D:\\*", "E:\\*", "F:\\*", "G:\\*", "H:\\*")]

OR

process where event.type == "start" and
  process.executable : ("D:\\*", "E:\\*", "F:\\*", "G:\\*", "H:\\*", "I:\\*") and
  not process.name in~ ("setup.exe", "autorun.exe", "install.exe")

Detects T1092 Communication Through Removable Media by identifying three behavioral patterns: (1) USB device insertion followed within 2 minutes by suspicious file creation on the drive, (2) USB mount followed by rapid file reads (command pickup pattern), and (3) process execution directly from removable drive letters. Covers both the C2 staging side (writing encoded data files) and the execution side (running payloads from USB).

high severity medium confidence

Data Sources

Elastic Endpoint Windows Event Logs via Filebeat Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* logs-endpoint.events.driver-* winlogbeat-*

False Positives

Legitimate software installations from USB drives by IT staff (e.g., deploying system images, BIOS updates via bootable USB)
Backup agents (e.g., Acronis, Veeam) writing backup archives to external USB drives as part of scheduled jobs
Portable application suites (PortableApps, U3) executing directly from USB — common in developer/sysadmin workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "EventCode" AS event_id,
  "TargetFilename" AS file_path,
  "CommandLine" AS command_line,
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  CASE
    WHEN "EventCode" = '1' AND ("CommandLine" ILIKE 'D:\\%' OR "CommandLine" ILIKE 'E:\\%' OR "CommandLine" ILIKE 'F:\\%' OR "CommandLine" ILIKE 'G:\\%' OR "CommandLine" ILIKE 'H:\\%') THEN 'ProcessExecutedFromUSB'
    WHEN "EventCode" = '11' AND ("TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%' OR "TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%' OR "TargetFilename" ILIKE 'H:\\%') THEN 'FileCreatedOnUSB'
    WHEN "EventCode" = '6416' THEN 'USBDeviceConnected'
    ELSE 'Unknown'
  END AS detection_branch,
  CASE
    WHEN LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|cmd|ps1|vbs|js|hta|bin|dat|enc)$' THEN 1
    ELSE 0
  END AS suspicious_extension_flag
FROM events
WHERE
  logsourcetypeid IN (12, 433)
  AND starttime > NOW() - 1 DAYS
  AND (
    (
      "EventCode" = '1'
      AND (
        "CommandLine" ILIKE 'D:\\%' OR "CommandLine" ILIKE 'E:\\%' OR
        "CommandLine" ILIKE 'F:\\%' OR "CommandLine" ILIKE 'G:\\%' OR
        "CommandLine" ILIKE 'H:\\%' OR "CommandLine" ILIKE 'I:\\%'
      )
    )
    OR (
      "EventCode" = '11'
      AND (
        "TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%' OR
        "TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%' OR
        "TargetFilename" ILIKE 'H:\\%'
      )
      AND LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|cmd|ps1|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$'
    )
    OR "EventCode" = '6416'
  )
ORDER BY starttime DESC

AQL rule for IBM QRadar that queries Sysmon and Windows Security event log sources for T1092 indicators: process creation from removable drive letters (Sysmon EID 1), suspicious file creation on USB paths (Sysmon EID 11), and USB device plug-in events (WinEvent 6416). Uses logsourcetypeid 12 (Windows) and 433 (Sysmon) to scope correctly.

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log DSM Microsoft Sysmon DSM

Required Tables

events

False Positives

IT asset management tools (e.g., SCCM OSD, MDT) creating bootable USB drives containing setup executables and configuration files
Security operations personnel running forensics tools (e.g., FTK Imager, Volatility portable) from USB on incident response endpoints
Removable media policies where employees are permitted to use encrypted USB drives (e.g., IronKey) for approved data transfer workflows

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse "<Data Name='Image'>*</Data>" as process_image nodrop
| parse "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse "<Data Name='User'>*</Data>" as username nodrop
| where event_id in ("1", "11", "6416")
| where (
    (event_id = "1" and (
      command_line matches "D:\\*" or command_line matches "E:\\*" or
      command_line matches "F:\\*" or command_line matches "G:\\*" or
      command_line matches "H:\\*" or command_line matches "I:\\*"
    ))
    or
    (event_id = "11" and (
      target_filename matches "D:\\*" or target_filename matches "E:\\*" or
      target_filename matches "F:\\*" or target_filename matches "G:\\*" or
      target_filename matches "H:\\*"
    ) and (
      target_filename matches "*.exe" or target_filename matches "*.dll" or
      target_filename matches "*.bat" or target_filename matches "*.cmd" or
      target_filename matches "*.ps1" or target_filename matches "*.vbs" or
      target_filename matches "*.js" or target_filename matches "*.hta" or
      target_filename matches "*.dat" or target_filename matches "*.bin" or
      target_filename matches "*.enc" or target_filename matches "*.tmp" or
      target_filename matches "*.cfg" or target_filename matches "*.db"
    ))
    or event_id = "6416"
  )
| eval detection_branch = if(event_id = "1", "ProcessExecutedFromUSB",
    if(event_id = "11", "FileCreatedOnUSB",
    if(event_id = "6416", "USBDeviceConnected", "Unknown")))
| eval is_encoded_extension = if(
    target_filename matches "*.enc" or target_filename matches "*.tmp" or
    target_filename matches "*.cfg" or target_filename matches "*.dat" or
    target_filename matches "*.bin" or target_filename matches "*.db", 1, 0)
| eval is_executable_extension = if(
    target_filename matches "*.exe" or target_filename matches "*.dll" or
    target_filename matches "*.bat" or target_filename matches "*.cmd" or
    target_filename matches "*.ps1" or target_filename matches "*.vbs", 1, 0)
| eval suspicion_score = is_encoded_extension + is_executable_extension
| fields _messageTime, _sourceHost, username, event_id, detection_branch, target_filename, command_line, process_image, parent_image, suspicion_score
| sort by _messageTime desc

Sumo Logic CSE query detecting T1092 via Windows Sysmon operational logs. Parses XML event fields from Sysmon EID 1 (process creation from USB paths), EID 11 (file creation of suspicious types on removable drives), and Windows Security EID 6416 (removable device plug-in). Applies scoring for encoded vs executable file extensions to triage severity.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon via Installed Collector Windows Security Event Log via Installed Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Endpoint configuration management during provisioning workflows where setup scripts are legitimately staged on and executed from USB drives
Pen testers or red team operators running authorized assessments using USB-based payloads — generate ticket-correlated exclusions for known engagement windows
Data exfiltration prevention (DLP) agents themselves reading USB files during content inspection — the agent process will appear in file read telemetry

Google Chronicle / SecOps

yaral

rule T1092_CommunicationThroughRemovableMedia {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1092 Communication Through Removable Media - identifies executable or encoded data files written to removable drives, processes executing from removable drives, and rapid file access patterns after USB mount events."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1092"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-13"
    version = "1.0"

  events:
    (
      // Branch 1: Executable or script dropped to USB drive
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        $e1.target.file.full_path = /^[D-Id-i]:\\/i
      )
      and (
        $e1.target.file.full_path = /\.(exe|dll|bat|cmd|ps1|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$/i
      )
      and not $e1.principal.process.file.full_path = /explorer\.exe$/i
      and not $e1.principal.process.file.full_path = /robocopy\.exe$/i
    )
    or
    (
      // Branch 2: Process executed from removable media path
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        $e1.target.process.file.full_path = /^[D-Id-i]:\\/i
        or re.regex($e1.target.process.command_line, `[D-Id-i]:\\`)
      )
      and not $e1.target.process.file.full_path = /setup\.exe$/i
      and not $e1.target.process.file.full_path = /install\.exe$/i
      and not $e1.target.process.file.full_path = /autorun\.exe$/i
    )
    or
    (
      // Branch 3: Encoded/data file written to USB (C2 staging)
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        $e1.target.file.full_path = /^[D-Id-i]:\\/i
      )
      and (
        $e1.target.file.full_path = /\.(enc|tmp|cfg|dat|bin|db)$/i
      )
      and not $e1.principal.process.file.full_path = /explorer\.exe$/i
      and not $e1.principal.process.file.full_path = /backup\.exe$/i
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting T1092 Communication Through Removable Media using UDM events. Three detection branches: (1) executable/script files written to removable drive letters D-I, (2) process launch events where the process binary or command line path originates from removable media, (3) encoded or data staging files written to USB paths by non-legitimate backup processes. Maps directly to the KQL/SPL behavioral logic.

high severity medium confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder CrowdStrike Falcon via Chronicle ingestion Carbon Black via Chronicle ingestion

Required Tables

UDM Events - FILE_CREATION UDM Events - PROCESS_LAUNCH

False Positives

Corporate imaging workflows where Windows PE environment writes OS installer files to USB drives via DISM or WinPE tools
Legitimate use of portable security scanners (ClamAV portable, Malwarebytes portable) executed from USB by IT helpdesk during malware remediation
Software development workflows where developers run build artifacts directly from USB for quick testing on isolated lab machines without network access

CrowdStrike LogScale (CQL)

cql

// Branch 1: Process executed from removable media
#event_simpleName=ProcessRollup2
| ImageFileName = /^\\Device\\HarddiskVolume[0-9]+\\[^\\]+\\/
| CommandLine = /[D-Id-i]:\\/
| CommandLine != /setup\.exe|autorun\.exe|install\.exe/i
| FileName != /setup\.exe|autorun\.exe|install\.exe/i
| eval DetectionBranch="ProcessExecutedFromUSB"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SHA256HashData])

// Branch 2: Suspicious file written to USB paths
#event_simpleName=PeFileWritten
| TargetFileName = /[D-Id-i]:\\/
| eval DetectionBranch="ExecutableDroppedToUSB"
| select([@timestamp, ComputerName, UserName, TargetFileName, ContextBaseFileName, SHA256HashData, DetectionBranch])

// Branch 3: Script or data file written to removable media
#event_simpleName=NewFileCreated
| TargetFileName = /[D-Id-i]:\\/
| TargetFileName = /\.(ps1|bat|cmd|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$/i
| ContextBaseFileName != /explorer\.exe|robocopy\.exe|xcopy\.exe|backup\.exe/i
| eval DetectionBranch="SuspiciousFileOnUSB"
| select([@timestamp, ComputerName, UserName, TargetFileName, ContextBaseFileName, ContextCommandLine, SHA256HashData, DetectionBranch])

// Branch 4: USB device mount event
#event_simpleName=RemovableMediaMounted
| eval DetectionBranch="USBDeviceMounted"
| select([@timestamp, ComputerName, UserName, DevicePropertyDeviceDescription, DevicePropertyFriendlyName, DetectionBranch])

// Aggregate all branches for triage
| groupBy([ComputerName, UserName, DetectionBranch], function=[count(as=event_count), min(@timestamp, as=first_seen), max(@timestamp, as=last_seen)])
| sort(field=last_seen, order=desc)

CrowdStrike LogScale (Humio) CQL query for T1092 detection using Falcon sensor telemetry. Covers four behavioral branches using native Falcon event types: ProcessRollup2 for process execution from USB paths, PeFileWritten for PE/executable drops to removable drives, NewFileCreated for script and encoded data file staging, and RemovableMediaMounted for USB insertion baseline. Results are aggregated by host and branch for analyst triage.

high severity medium confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Falcon Insight EDR LogScale (Humio) SIEM

Required Tables

ProcessRollup2 PeFileWritten NewFileCreated RemovableMediaMounted

False Positives

Endpoint provisioning via USB where Falcon sensor itself or its installer components are deployed from removable media during initial host setup
Threat hunting operations where analysts use USB-resident forensics tools (e.g., KAPE, Velociraptor portable) to collect triage artifacts from hosts
Legitimate portable application use in air-gapped or restricted environments where USB is the only approved software distribution channel per organizational policy

Sigma rule & cross-platform mapping

The detection logic for Communication Through Removable Media (T1092) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1092 Sigma rules on detection.fyi

Platform-specific guides for T1092

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (6)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Stage Encoded Command File on USB Drive
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=E:\system.dat, Image=powershell.exe. Sysmon Event ID 1 (Process Create): CommandLine containing 'Out-File' and 'E:\'. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath=E:\, FileName=system.dat, InitiatingProcessFileName=powershell.exe.
Test 2Execute Payload from USB Drive
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine=cmd.exe /c E:\update.bat. Parent process is cmd.exe or the test shell. Sysmon Event ID 11: TargetFilename=E:\update.bat and E:\output.dat. Security Event ID 4688 (if command line auditing enabled): NewProcessName contains E:\update.bat. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine contains 'E:\update.bat'.
Test 3Automated USB File Pickup Simulation
Expected signal: Multiple Sysmon Event ID 11 entries for file creation on E:\ by powershell.exe (cmd_*.dat and rsp_*.dat). Sysmon Event ID 1: PowerShell process with Get-Content and Out-File accessing removable drive. DeviceFileEvents: multiple FileCreated and FileRead actions on E:\ within a short time window — triggers the rapid-access-after-mount correlation branch.
Test 4USB Device Serial Number Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'USBSTOR' and 'Win32_DiskDrive'. Security Event ID 4663 (if object access auditing enabled on registry): access to HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. DeviceProcessEvents: PowerShell process accessing registry via Get-ItemProperty with USBSTOR path.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1092 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Communication Through Removable Media

What is T1092 Communication Through Removable Media?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1092

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Command and Control

Popular Detections

What is T1092 Communication Through Removable Media?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1092

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox