Detect Communication Through Removable Media in IBM QRadar
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1092/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
username,
sourceip,
QIDNAME(qid) AS event_name,
"EventCode" AS event_id,
"TargetFilename" AS file_path,
"CommandLine" AS command_line,
"Image" AS process_image,
"ParentImage" AS parent_image,
CASE
WHEN "EventCode" = '1' AND ("CommandLine" ILIKE 'D:\\%' OR "CommandLine" ILIKE 'E:\\%' OR "CommandLine" ILIKE 'F:\\%' OR "CommandLine" ILIKE 'G:\\%' OR "CommandLine" ILIKE 'H:\\%') THEN 'ProcessExecutedFromUSB'
WHEN "EventCode" = '11' AND ("TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%' OR "TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%' OR "TargetFilename" ILIKE 'H:\\%') THEN 'FileCreatedOnUSB'
WHEN "EventCode" = '6416' THEN 'USBDeviceConnected'
ELSE 'Unknown'
END AS detection_branch,
CASE
WHEN LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|cmd|ps1|vbs|js|hta|bin|dat|enc)$' THEN 1
ELSE 0
END AS suspicious_extension_flag
FROM events
WHERE
logsourcetypeid IN (12, 433)
AND starttime > NOW() - 1 DAYS
AND (
(
"EventCode" = '1'
AND (
"CommandLine" ILIKE 'D:\\%' OR "CommandLine" ILIKE 'E:\\%' OR
"CommandLine" ILIKE 'F:\\%' OR "CommandLine" ILIKE 'G:\\%' OR
"CommandLine" ILIKE 'H:\\%' OR "CommandLine" ILIKE 'I:\\%'
)
)
OR (
"EventCode" = '11'
AND (
"TargetFilename" ILIKE 'D:\\%' OR "TargetFilename" ILIKE 'E:\\%' OR
"TargetFilename" ILIKE 'F:\\%' OR "TargetFilename" ILIKE 'G:\\%' OR
"TargetFilename" ILIKE 'H:\\%'
)
AND LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|cmd|ps1|vbs|js|hta|dat|bin|enc|tmp|cfg|db)$'
)
OR "EventCode" = '6416'
)
ORDER BY starttime DESCAQL rule for IBM QRadar that queries Sysmon and Windows Security event log sources for T1092 indicators: process creation from removable drive letters (Sysmon EID 1), suspicious file creation on USB paths (Sysmon EID 11), and USB device plug-in events (WinEvent 6416). Uses logsourcetypeid 12 (Windows) and 433 (Sysmon) to scope correctly.
Data Sources
Required Tables
False Positives & Tuning
- IT asset management tools (e.g., SCCM OSD, MDT) creating bootable USB drives containing setup executables and configuration files
- Security operations personnel running forensics tools (e.g., FTK Imager, Volatility portable) from USB on incident response endpoints
- Removable media policies where employees are permitted to use encrypted USB drives (e.g., IronKey) for approved data transfer workflows
Other platforms for T1092
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stage Encoded Command File on USB Drive
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=E:\system.dat, Image=powershell.exe. Sysmon Event ID 1 (Process Create): CommandLine containing 'Out-File' and 'E:\'. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath=E:\, FileName=system.dat, InitiatingProcessFileName=powershell.exe.
- Test 2Execute Payload from USB Drive
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine=cmd.exe /c E:\update.bat. Parent process is cmd.exe or the test shell. Sysmon Event ID 11: TargetFilename=E:\update.bat and E:\output.dat. Security Event ID 4688 (if command line auditing enabled): NewProcessName contains E:\update.bat. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine contains 'E:\update.bat'.
- Test 3Automated USB File Pickup Simulation
Expected signal: Multiple Sysmon Event ID 11 entries for file creation on E:\ by powershell.exe (cmd_*.dat and rsp_*.dat). Sysmon Event ID 1: PowerShell process with Get-Content and Out-File accessing removable drive. DeviceFileEvents: multiple FileCreated and FileRead actions on E:\ within a short time window — triggers the rapid-access-after-mount correlation branch.
- Test 4USB Device Serial Number Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'USBSTOR' and 'Win32_DiskDrive'. Security Event ID 4663 (if object access auditing enabled on registry): access to HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. DeviceProcessEvents: PowerShell process accessing registry via Get-ItemProperty with USBSTOR path.
References (9)
- https://attack.mitre.org/techniques/T1092/
- https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1092/T1092.md
- https://www.microsoft.com/en-us/security/blog/2016/01/14/sir-volume-19-is-now-available/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1092 including response playbook, investigation guide, and atomic red team tests.