Detect Communication Through Removable Media in Microsoft Sentinel
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1092/
KQL Detection Query
let RemovableDrivePaths = dynamic(["D:\\", "E:\\", "F:\\", "G:\\", "H:\\", "I:\\", "J:\\"]);
let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".dat", ".bin"]);
let EncodedFilePatterns = dynamic([".enc", ".tmp", ".cfg", ".dat", ".bin", ".db"]);
// Branch 1: Executables or scripts written TO removable media
let ExecutablesOnUSB = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (RemovableDrivePaths)
| where FileName has_any (SuspiciousExtensions)
| extend DetectionBranch = "ExecutableDroppedToUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 2: Processes EXECUTING from removable media (command execution on air-gapped side)
let ProcessFromUSB = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (RemovableDrivePaths) or ProcessCommandLine has_any (RemovableDrivePaths)
| where FileName !in~ ("setup.exe", "autorun.exe", "install.exe")
| extend DetectionBranch = "ProcessExecutedFromUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 3: Hidden or encoded data files written to USB (C2 data staging)
let DataFilesOnUSB = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (RemovableDrivePaths)
| where FileName has_any (EncodedFilePatterns)
| where InitiatingProcessFileName !in~ ("explorer.exe", "robocopy.exe", "xcopy.exe", "backup.exe")
| extend DetectionBranch = "SuspiciousDataFileOnUSB"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, SHA256;
// Branch 4: USB device insertion followed by rapid file access (command pickup pattern)
let USBInsertionEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "UsbDriveMounted"
| project DeviceName, MountTime=Timestamp;
let RapidUSBAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (RemovableDrivePaths)
| join kind=inner USBInsertionEvents on DeviceName
| where Timestamp between (MountTime .. (MountTime + 2m))
| where ActionType == "FileRead"
| extend DetectionBranch = "RapidFileReadAfterMount"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Union all branches
union ExecutablesOnUSB, ProcessFromUSB, DataFilesOnUSB, RapidUSBAccess
| sort by Timestamp descMulti-branch detection for USB-based C2 communication patterns. Branch 1 identifies executables or scripts written to removable media (command staging). Branch 2 detects processes executing directly from USB drives (command execution on air-gapped side). Branch 3 finds hidden or encoded data files written to USB (C2 response staging). Branch 4 correlates USB insertion events with rapid file reads within 2 minutes (automated command pickup). Together these branches model the full APT28/USBStealer lifecycle of dropping commands, executing them on air-gapped hosts, and exfiltrating results via the same media.
Data Sources
Required Tables
False Positives & Tuning
- Software developers or IT staff who legitimately copy scripts or executables to USB drives for deployment on offline systems
- Legitimate backup solutions that write encrypted backup archives to removable storage
- Point-of-sale or industrial control system maintenance technicians who routinely deploy updates via USB in air-gapped environments
- Users copying portable applications (PortableApps, SumatraPDF, etc.) to USB drives for personal use
- Forensic investigators and incident responders who collect evidence or run analysis tools from USB media
Other platforms for T1092
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stage Encoded Command File on USB Drive
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=E:\system.dat, Image=powershell.exe. Sysmon Event ID 1 (Process Create): CommandLine containing 'Out-File' and 'E:\'. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath=E:\, FileName=system.dat, InitiatingProcessFileName=powershell.exe.
- Test 2Execute Payload from USB Drive
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine=cmd.exe /c E:\update.bat. Parent process is cmd.exe or the test shell. Sysmon Event ID 11: TargetFilename=E:\update.bat and E:\output.dat. Security Event ID 4688 (if command line auditing enabled): NewProcessName contains E:\update.bat. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine contains 'E:\update.bat'.
- Test 3Automated USB File Pickup Simulation
Expected signal: Multiple Sysmon Event ID 11 entries for file creation on E:\ by powershell.exe (cmd_*.dat and rsp_*.dat). Sysmon Event ID 1: PowerShell process with Get-Content and Out-File accessing removable drive. DeviceFileEvents: multiple FileCreated and FileRead actions on E:\ within a short time window — triggers the rapid-access-after-mount correlation branch.
- Test 4USB Device Serial Number Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'USBSTOR' and 'Win32_DiskDrive'. Security Event ID 4663 (if object access auditing enabled on registry): access to HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. DeviceProcessEvents: PowerShell process accessing registry via Get-ItemProperty with USBSTOR path.
References (9)
- https://attack.mitre.org/techniques/T1092/
- https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1092/T1092.md
- https://www.microsoft.com/en-us/security/blog/2016/01/14/sir-volume-19-is-now-available/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1092 including response playbook, investigation guide, and atomic red team tests.