Detect Communication Through Removable Media in Splunk
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1092/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
(EventCode=1 (CommandLine="D:\\*" OR CommandLine="E:\\*" OR CommandLine="F:\\*" OR CommandLine="G:\\*" OR CommandLine="H:\\*"))
OR
(EventCode=11 (TargetFilename="D:\\*" OR TargetFilename="E:\\*" OR TargetFilename="F:\\*" OR TargetFilename="G:\\*" OR TargetFilename="H:\\*"))
OR
(EventCode=6416)
)
| eval EventType=case(
EventCode=1, "ProcessFromUSB",
EventCode=11, "FileCreatedOnUSB",
EventCode=6416, "USBDeviceConnected",
true(), "Unknown"
)
| eval FilePath=coalesce(TargetFilename, CommandLine, "")
| eval SuspiciousExtension=if(match(lower(FilePath), "\.(exe|dll|bat|cmd|ps1|vbs|js|hta|bin|dat|enc)$"), 1, 0)
| eval ExecutableOnUSB=if(EventCode=1 AND match(lower(CommandLine), "^[d-h]:\\\\"), 1, 0)
| eval DataFileOnUSB=if(EventCode=11 AND match(lower(TargetFilename), "\.(dat|bin|enc|tmp|cfg|db)$") AND match(TargetFilename, "^[D-H]:\\\\"), 1, 0)
| eval ScriptOnUSB=if(EventCode=11 AND match(lower(TargetFilename), "\.(ps1|bat|cmd|vbs|js|hta|exe|dll)$") AND match(TargetFilename, "^[D-H]:\\\\"), 1, 0)
| eval SuspicionScore=ExecutableOnUSB + DataFileOnUSB + ScriptOnUSB + SuspiciousExtension
| where SuspicionScore > 0 OR EventCode=6416
| eval ParentProcessName=coalesce(ParentImage, "N/A")
| table _time, host, User, EventType, EventCode, FilePath, Image, CommandLine, ParentImage, ParentCommandLine, ExecutableOnUSB, DataFileOnUSB, ScriptOnUSB, SuspicionScore
| sort - _timeDetects USB-based C2 communication using Sysmon and Windows Security events. Monitors Sysmon Event ID 1 (Process Creation) for processes spawned with USB drive paths in command lines, Event ID 11 (File Create) for executables and encoded data files written to removable drives, and Security Event ID 6416 for USB device connection events. Assigns a suspicion score across multiple indicators to prioritize high-fidelity alerts while surfacing all USB device events for correlation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT administrators deploying software or configurations to offline systems via USB
- Legitimate data transfer workflows between segregated network segments that require removable media
- Backup solutions writing encrypted archives to USB drives
- Security researchers or forensic analysts running tools from USB media
- Point-of-sale update procedures and industrial control system maintenance using USB media
Other platforms for T1092
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stage Encoded Command File on USB Drive
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=E:\system.dat, Image=powershell.exe. Sysmon Event ID 1 (Process Create): CommandLine containing 'Out-File' and 'E:\'. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath=E:\, FileName=system.dat, InitiatingProcessFileName=powershell.exe.
- Test 2Execute Payload from USB Drive
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine=cmd.exe /c E:\update.bat. Parent process is cmd.exe or the test shell. Sysmon Event ID 11: TargetFilename=E:\update.bat and E:\output.dat. Security Event ID 4688 (if command line auditing enabled): NewProcessName contains E:\update.bat. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine contains 'E:\update.bat'.
- Test 3Automated USB File Pickup Simulation
Expected signal: Multiple Sysmon Event ID 11 entries for file creation on E:\ by powershell.exe (cmd_*.dat and rsp_*.dat). Sysmon Event ID 1: PowerShell process with Get-Content and Out-File accessing removable drive. DeviceFileEvents: multiple FileCreated and FileRead actions on E:\ within a short time window — triggers the rapid-access-after-mount correlation branch.
- Test 4USB Device Serial Number Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'USBSTOR' and 'Win32_DiskDrive'. Security Event ID 4663 (if object access auditing enabled on registry): access to HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. DeviceProcessEvents: PowerShell process accessing registry via Get-ItemProperty with USBSTOR path.
References (9)
- https://attack.mitre.org/techniques/T1092/
- https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1092/T1092.md
- https://www.microsoft.com/en-us/security/blog/2016/01/14/sir-volume-19-is-now-available/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1092 including response playbook, investigation guide, and atomic red team tests.