T1092

Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted.

Microsoft Sentinel / Defender

kusto

let RemovableDrivePaths = dynamic(["D:\\", "E:\\", "F:\\", "G:\\", "H:\\", "I:\\", "J:\\"]);
let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".dat", ".bin"]);
let EncodedFilePatterns = dynamic([".enc", ".tmp", ".cfg", ".dat", ".bin", ".db"]);
// Branch 1: Executables or scripts written TO removable media
let ExecutablesOnUSB = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (RemovableDrivePaths)
| where FileName has_any (SuspiciousExtensions)
| extend DetectionBranch = "ExecutableDroppedToUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 2: Processes EXECUTING from removable media (command execution on air-gapped side)
let ProcessFromUSB = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (RemovableDrivePaths) or ProcessCommandLine has_any (RemovableDrivePaths)
| where FileName !in~ ("setup.exe", "autorun.exe", "install.exe")
| extend DetectionBranch = "ProcessExecutedFromUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 3: Hidden or encoded data files written to USB (C2 data staging)
let DataFilesOnUSB = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (RemovableDrivePaths)
| where FileName has_any (EncodedFilePatterns)
| where InitiatingProcessFileName !in~ ("explorer.exe", "robocopy.exe", "xcopy.exe", "backup.exe")
| extend DetectionBranch = "SuspiciousDataFileOnUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 4: USB device insertion followed by rapid file access (command pickup pattern)
let USBInsertionEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "UsbDriveMounted"
| project DeviceName, MountTime=Timestamp;
let RapidUSBAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (RemovableDrivePaths)
| join kind=inner USBInsertionEvents on DeviceName
| where Timestamp between (MountTime .. (MountTime + 2m))
| where ActionType == "FileRead"
| extend DetectionBranch = "RapidFileReadAfterMount"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Union all branches
union ExecutablesOnUSB, ProcessFromUSB, DataFilesOnUSB, RapidUSBAccess
| sort by Timestamp desc

high severity medium confidence

Data Sources

Drive: Drive Creation File: File Access File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents DeviceEvents

False Positives

Software developers or IT staff who legitimately copy scripts or executables to USB drives for deployment on offline systems
Legitimate backup solutions that write encrypted backup archives to removable storage
Point-of-sale or industrial control system maintenance technicians who routinely deploy updates via USB in air-gapped environments
Users copying portable applications (PortableApps, SumatraPDF, etc.) to USB drives for personal use
Forensic investigators and incident responders who collect evidence or run analysis tools from USB media

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=1 (CommandLine="D:\\*" OR CommandLine="E:\\*" OR CommandLine="F:\\*" OR CommandLine="G:\\*" OR CommandLine="H:\\*"))
  OR
  (EventCode=11 (TargetFilename="D:\\*" OR TargetFilename="E:\\*" OR TargetFilename="F:\\*" OR TargetFilename="G:\\*" OR TargetFilename="H:\\*"))
  OR
  (EventCode=6416)
)
| eval EventType=case(
    EventCode=1, "ProcessFromUSB",
    EventCode=11, "FileCreatedOnUSB",
    EventCode=6416, "USBDeviceConnected",
    true(), "Unknown"
  )
| eval FilePath=coalesce(TargetFilename, CommandLine, "")
| eval SuspiciousExtension=if(match(lower(FilePath), "\.(exe|dll|bat|cmd|ps1|vbs|js|hta|bin|dat|enc)$"), 1, 0)
| eval ExecutableOnUSB=if(EventCode=1 AND match(lower(CommandLine), "^[d-h]:\\\\"), 1, 0)
| eval DataFileOnUSB=if(EventCode=11 AND match(lower(TargetFilename), "\.(dat|bin|enc|tmp|cfg|db)$") AND match(TargetFilename, "^[D-H]:\\\\"), 1, 0)
| eval ScriptOnUSB=if(EventCode=11 AND match(lower(TargetFilename), "\.(ps1|bat|cmd|vbs|js|hta|exe|dll)$") AND match(TargetFilename, "^[D-H]:\\\\"), 1, 0)
| eval SuspicionScore=ExecutableOnUSB + DataFileOnUSB + ScriptOnUSB + SuspiciousExtension
| where SuspicionScore > 0 OR EventCode=6416
| eval ParentProcessName=coalesce(ParentImage, "N/A")
| table _time, host, User, EventType, EventCode, FilePath, Image, CommandLine, ParentImage, ParentCommandLine, ExecutableOnUSB, DataFileOnUSB, ScriptOnUSB, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Drive: Drive Creation File: File Access File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11 Windows Security Event ID 6416

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators deploying software or configurations to offline systems via USB
Legitimate data transfer workflows between segregated network segments that require removable media
Backup solutions writing encrypted archives to USB drives
Security researchers or forensic analysts running tools from USB media
Point-of-sale update procedures and industrial control system maintenance using USB media

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "EventCode" AS event_id,
  "TargetFilename" AS file_path,
  "CommandLine" AS command_line,
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  CASE
    WHEN "EventCode" = '1' AND ("CommandLine" ILIKE 'D:\\%' OR "CommandLine" ILIKE 'E:\\%' OR "CommandLine" ILIKE 'F:\\%' OR "CommandLine" ILIKE 'G:\\%' OR "CommandLine" ILIKE 'H:\\%') THEN 'ProcessExecutedFromUSB'
    WHEN "EventCode" = '11' AND ("TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%' OR "TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%' OR "TargetFilename" ILIKE 'H:\\%') THEN 'FileCreatedOnUSB'
    WHEN "EventCode" = '6416' THEN 'USBDeviceConnected'
    ELSE 'Unknown'
  END AS detection_branch,
  CASE
    WHEN LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|cmd|ps1|vbs|js|hta|bin|dat|enc)$' THEN 1
    ELSE 0
  END AS suspicious_extension_flag
FROM events
WHERE
  logsourcetypeid IN (12, 433)
  AND starttime > NOW() - 1 DAYS
  AND (
    (
      "EventCode" = '1'
      AND (
        "CommandLine" ILIKE 'D:\\%' OR "CommandLine" ILIKE 'E:\\%' OR
        "CommandLine" ILIKE 'F:\\%' OR "CommandLine" ILIKE 'G:\\%' OR
        "CommandLine" ILIKE 'H:\\%' OR "CommandLine" ILIKE 'I:\\%'
      )
    )
    OR (
      "EventCode" = '11'
      AND (
        "TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%' OR
        "TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%' OR
        "TargetFilename" ILIKE 'H:\\%'
      )
      AND LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|cmd|ps1|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$'
    )
    OR "EventCode" = '6416'
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log DSM Microsoft Sysmon DSM

Required Tables

events

False Positives

IT asset management tools (e.g., SCCM OSD, MDT) creating bootable USB drives containing setup executables and configuration files
Security operations personnel running forensics tools (e.g., FTK Imager, Volatility portable) from USB on incident response endpoints
Removable media policies where employees are permitted to use encrypted USB drives (e.g., IronKey) for approved data transfer workflows

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse "<Data Name='Image'>*</Data>" as process_image nodrop
| parse "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse "<Data Name='User'>*</Data>" as username nodrop
| where event_id in ("1", "11", "6416")
| where (
    (event_id = "1" and (
      command_line matches "D:\\*" or command_line matches "E:\\*" or
      command_line matches "F:\\*" or command_line matches "G:\\*" or
      command_line matches "H:\\*" or command_line matches "I:\\*"
    ))
    or
    (event_id = "11" and (
      target_filename matches "D:\\*" or target_filename matches "E:\\*" or
      target_filename matches "F:\\*" or target_filename matches "G:\\*" or
      target_filename matches "H:\\*"
    ) and (
      target_filename matches "*.exe" or target_filename matches "*.dll" or
      target_filename matches "*.bat" or target_filename matches "*.cmd" or
      target_filename matches "*.ps1" or target_filename matches "*.vbs" or
      target_filename matches "*.js" or target_filename matches "*.hta" or
      target_filename matches "*.dat" or target_filename matches "*.bin" or
      target_filename matches "*.enc" or target_filename matches "*.tmp" or
      target_filename matches "*.cfg" or target_filename matches "*.db"
    ))
    or event_id = "6416"
  )
| eval detection_branch = if(event_id = "1", "ProcessExecutedFromUSB",
    if(event_id = "11", "FileCreatedOnUSB",
    if(event_id = "6416", "USBDeviceConnected", "Unknown")))
| eval is_encoded_extension = if(
    target_filename matches "*.enc" or target_filename matches "*.tmp" or
    target_filename matches "*.cfg" or target_filename matches "*.dat" or
    target_filename matches "*.bin" or target_filename matches "*.db", 1, 0)
| eval is_executable_extension = if(
    target_filename matches "*.exe" or target_filename matches "*.dll" or
    target_filename matches "*.bat" or target_filename matches "*.cmd" or
    target_filename matches "*.ps1" or target_filename matches "*.vbs", 1, 0)
| eval suspicion_score = is_encoded_extension + is_executable_extension
| fields _messageTime, _sourceHost, username, event_id, detection_branch, target_filename, command_line, process_image, parent_image, suspicion_score
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon via Installed Collector Windows Security Event Log via Installed Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Endpoint configuration management during provisioning workflows where setup scripts are legitimately staged on and executed from USB drives
Pen testers or red team operators running authorized assessments using USB-based payloads — generate ticket-correlated exclusions for known engagement windows
Data exfiltration prevention (DLP) agents themselves reading USB files during content inspection — the agent process will appear in file read telemetry

Google Chronicle / SecOps

yaral

rule T1092_CommunicationThroughRemovableMedia {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1092 Communication Through Removable Media - identifies executable or encoded data files written to removable drives, processes executing from removable drives, and rapid file access patterns after USB mount events."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1092"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-13"
    version = "1.0"

  events:
    (
      // Branch 1: Executable or script dropped to USB drive
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        $e1.target.file.full_path = /^[D-Id-i]:\\/i
      )
      and (
        $e1.target.file.full_path = /\.(exe|dll|bat|cmd|ps1|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$/i
      )
      and not $e1.principal.process.file.full_path = /explorer\.exe$/i
      and not $e1.principal.process.file.full_path = /robocopy\.exe$/i
    )
    or
    (
      // Branch 2: Process executed from removable media path
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        $e1.target.process.file.full_path = /^[D-Id-i]:\\/i
        or re.regex($e1.target.process.command_line, `[D-Id-i]:\\`)
      )
      and not $e1.target.process.file.full_path = /setup\.exe$/i
      and not $e1.target.process.file.full_path = /install\.exe$/i
      and not $e1.target.process.file.full_path = /autorun\.exe$/i
    )
    or
    (
      // Branch 3: Encoded/data file written to USB (C2 staging)
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        $e1.target.file.full_path = /^[D-Id-i]:\\/i
      )
      and (
        $e1.target.file.full_path = /\.(enc|tmp|cfg|dat|bin|db)$/i
      )
      and not $e1.principal.process.file.full_path = /explorer\.exe$/i
      and not $e1.principal.process.file.full_path = /backup\.exe$/i
    )

  condition:
    $e1
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder CrowdStrike Falcon via Chronicle ingestion Carbon Black via Chronicle ingestion

Required Tables

UDM Events - FILE_CREATION UDM Events - PROCESS_LAUNCH

False Positives

Corporate imaging workflows where Windows PE environment writes OS installer files to USB drives via DISM or WinPE tools
Legitimate use of portable security scanners (ClamAV portable, Malwarebytes portable) executed from USB by IT helpdesk during malware remediation
Software development workflows where developers run build artifacts directly from USB for quick testing on isolated lab machines without network access

CrowdStrike LogScale (CQL)

cql

// Branch 1: Process executed from removable media
#event_simpleName=ProcessRollup2
| ImageFileName = /^\\Device\\HarddiskVolume[0-9]+\\[^\\]+\\/
| CommandLine = /[D-Id-i]:\\/
| CommandLine != /setup\.exe|autorun\.exe|install\.exe/i
| FileName != /setup\.exe|autorun\.exe|install\.exe/i
| eval DetectionBranch="ProcessExecutedFromUSB"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SHA256HashData])

// Branch 2: Suspicious file written to USB paths
#event_simpleName=PeFileWritten
| TargetFileName = /[D-Id-i]:\\/
| eval DetectionBranch="ExecutableDroppedToUSB"
| select([@timestamp, ComputerName, UserName, TargetFileName, ContextBaseFileName, SHA256HashData, DetectionBranch])

// Branch 3: Script or data file written to removable media
#event_simpleName=NewFileCreated
| TargetFileName = /[D-Id-i]:\\/
| TargetFileName = /\.(ps1|bat|cmd|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$/i
| ContextBaseFileName != /explorer\.exe|robocopy\.exe|xcopy\.exe|backup\.exe/i
| eval DetectionBranch="SuspiciousFileOnUSB"
| select([@timestamp, ComputerName, UserName, TargetFileName, ContextBaseFileName, ContextCommandLine, SHA256HashData, DetectionBranch])

// Branch 4: USB device mount event
#event_simpleName=RemovableMediaMounted
| eval DetectionBranch="USBDeviceMounted"
| select([@timestamp, ComputerName, UserName, DevicePropertyDeviceDescription, DevicePropertyFriendlyName, DetectionBranch])

// Aggregate all branches for triage
| groupBy([ComputerName, UserName, DetectionBranch], function=[count(as=event_count), min(@timestamp, as=first_seen), max(@timestamp, as=last_seen)])
| sort(field=last_seen, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Falcon Insight EDR LogScale (Humio) SIEM

Required Tables

ProcessRollup2 PeFileWritten NewFileCreated RemovableMediaMounted

False Positives

Endpoint provisioning via USB where Falcon sensor itself or its installer components are deployed from removable media during initial host setup
Threat hunting operations where analysts use USB-resident forensics tools (e.g., KAPE, Velociraptor portable) to collect triage artifacts from hosts
Legitimate portable application use in air-gapped or restricted environments where USB is the only approved software distribution channel per organizational policy

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1092 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Communication Through Removable Media

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections