Detect Communication Through Removable Media in CrowdStrike LogScale
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1092/
LogScale Detection Query
// Branch 1: Process executed from removable media
#event_simpleName=ProcessRollup2
| ImageFileName = /^\\Device\\HarddiskVolume[0-9]+\\[^\\]+\\/
| CommandLine = /[D-Id-i]:\\/
| CommandLine != /setup\.exe|autorun\.exe|install\.exe/i
| FileName != /setup\.exe|autorun\.exe|install\.exe/i
| eval DetectionBranch="ProcessExecutedFromUSB"
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SHA256HashData])
// Branch 2: Suspicious file written to USB paths
#event_simpleName=PeFileWritten
| TargetFileName = /[D-Id-i]:\\/
| eval DetectionBranch="ExecutableDroppedToUSB"
| select([@timestamp, ComputerName, UserName, TargetFileName, ContextBaseFileName, SHA256HashData, DetectionBranch])
// Branch 3: Script or data file written to removable media
#event_simpleName=NewFileCreated
| TargetFileName = /[D-Id-i]:\\/
| TargetFileName = /\.(ps1|bat|cmd|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$/i
| ContextBaseFileName != /explorer\.exe|robocopy\.exe|xcopy\.exe|backup\.exe/i
| eval DetectionBranch="SuspiciousFileOnUSB"
| select([@timestamp, ComputerName, UserName, TargetFileName, ContextBaseFileName, ContextCommandLine, SHA256HashData, DetectionBranch])
// Branch 4: USB device mount event
#event_simpleName=RemovableMediaMounted
| eval DetectionBranch="USBDeviceMounted"
| select([@timestamp, ComputerName, UserName, DevicePropertyDeviceDescription, DevicePropertyFriendlyName, DetectionBranch])
// Aggregate all branches for triage
| groupBy([ComputerName, UserName, DetectionBranch], function=[count(as=event_count), min(@timestamp, as=first_seen), max(@timestamp, as=last_seen)])
| sort(field=last_seen, order=desc)CrowdStrike LogScale (Humio) CQL query for T1092 detection using Falcon sensor telemetry. Covers four behavioral branches using native Falcon event types: ProcessRollup2 for process execution from USB paths, PeFileWritten for PE/executable drops to removable drives, NewFileCreated for script and encoded data file staging, and RemovableMediaMounted for USB insertion baseline. Results are aggregated by host and branch for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint provisioning via USB where Falcon sensor itself or its installer components are deployed from removable media during initial host setup
- Threat hunting operations where analysts use USB-resident forensics tools (e.g., KAPE, Velociraptor portable) to collect triage artifacts from hosts
- Legitimate portable application use in air-gapped or restricted environments where USB is the only approved software distribution channel per organizational policy
Other platforms for T1092
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stage Encoded Command File on USB Drive
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=E:\system.dat, Image=powershell.exe. Sysmon Event ID 1 (Process Create): CommandLine containing 'Out-File' and 'E:\'. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath=E:\, FileName=system.dat, InitiatingProcessFileName=powershell.exe.
- Test 2Execute Payload from USB Drive
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine=cmd.exe /c E:\update.bat. Parent process is cmd.exe or the test shell. Sysmon Event ID 11: TargetFilename=E:\update.bat and E:\output.dat. Security Event ID 4688 (if command line auditing enabled): NewProcessName contains E:\update.bat. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine contains 'E:\update.bat'.
- Test 3Automated USB File Pickup Simulation
Expected signal: Multiple Sysmon Event ID 11 entries for file creation on E:\ by powershell.exe (cmd_*.dat and rsp_*.dat). Sysmon Event ID 1: PowerShell process with Get-Content and Out-File accessing removable drive. DeviceFileEvents: multiple FileCreated and FileRead actions on E:\ within a short time window — triggers the rapid-access-after-mount correlation branch.
- Test 4USB Device Serial Number Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'USBSTOR' and 'Win32_DiskDrive'. Security Event ID 4663 (if object access auditing enabled on registry): access to HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. DeviceProcessEvents: PowerShell process accessing registry via Get-ItemProperty with USBSTOR path.
References (9)
- https://attack.mitre.org/techniques/T1092/
- https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1092/T1092.md
- https://www.microsoft.com/en-us/security/blog/2016/01/14/sir-volume-19-is-now-available/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1092 including response playbook, investigation guide, and atomic red team tests.