T1092 Sumo Logic CSE · Sumo

Detect Communication Through Removable Media in Sumo Logic CSE

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1092 Communication Through Removable Media
Canonical reference
https://attack.mitre.org/techniques/T1092/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse "<Data Name='Image'>*</Data>" as process_image nodrop
| parse "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse "<Data Name='User'>*</Data>" as username nodrop
| where event_id in ("1", "11", "6416")
| where (
    (event_id = "1" and (
      command_line matches "D:\\*" or command_line matches "E:\\*" or
      command_line matches "F:\\*" or command_line matches "G:\\*" or
      command_line matches "H:\\*" or command_line matches "I:\\*"
    ))
    or
    (event_id = "11" and (
      target_filename matches "D:\\*" or target_filename matches "E:\\*" or
      target_filename matches "F:\\*" or target_filename matches "G:\\*" or
      target_filename matches "H:\\*"
    ) and (
      target_filename matches "*.exe" or target_filename matches "*.dll" or
      target_filename matches "*.bat" or target_filename matches "*.cmd" or
      target_filename matches "*.ps1" or target_filename matches "*.vbs" or
      target_filename matches "*.js" or target_filename matches "*.hta" or
      target_filename matches "*.dat" or target_filename matches "*.bin" or
      target_filename matches "*.enc" or target_filename matches "*.tmp" or
      target_filename matches "*.cfg" or target_filename matches "*.db"
    ))
    or event_id = "6416"
  )
| eval detection_branch = if(event_id = "1", "ProcessExecutedFromUSB",
    if(event_id = "11", "FileCreatedOnUSB",
    if(event_id = "6416", "USBDeviceConnected", "Unknown")))
| eval is_encoded_extension = if(
    target_filename matches "*.enc" or target_filename matches "*.tmp" or
    target_filename matches "*.cfg" or target_filename matches "*.dat" or
    target_filename matches "*.bin" or target_filename matches "*.db", 1, 0)
| eval is_executable_extension = if(
    target_filename matches "*.exe" or target_filename matches "*.dll" or
    target_filename matches "*.bat" or target_filename matches "*.cmd" or
    target_filename matches "*.ps1" or target_filename matches "*.vbs", 1, 0)
| eval suspicion_score = is_encoded_extension + is_executable_extension
| fields _messageTime, _sourceHost, username, event_id, detection_branch, target_filename, command_line, process_image, parent_image, suspicion_score
| sort by _messageTime desc
high severity medium confidence

Sumo Logic CSE query detecting T1092 via Windows Sysmon operational logs. Parses XML event fields from Sysmon EID 1 (process creation from USB paths), EID 11 (file creation of suspicious types on removable drives), and Windows Security EID 6416 (removable device plug-in). Applies scoring for encoded vs executable file extensions to triage severity.

Data Sources

Sumo Logic Cloud SIEM EnterpriseWindows Sysmon via Installed CollectorWindows Security Event Log via Installed Collector

Required Tables

_sourceCategory=windows/sysmon_sourceCategory=windows/security

False Positives & Tuning

  • Endpoint configuration management during provisioning workflows where setup scripts are legitimately staged on and executed from USB drives
  • Pen testers or red team operators running authorized assessments using USB-based payloads — generate ticket-correlated exclusions for known engagement windows
  • Data exfiltration prevention (DLP) agents themselves reading USB files during content inspection — the agent process will appear in file read telemetry
Download portable Sigma rule (.yml)

Other platforms for T1092

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stage Encoded Command File on USB Drive

    Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=E:\system.dat, Image=powershell.exe. Sysmon Event ID 1 (Process Create): CommandLine containing 'Out-File' and 'E:\'. DeviceFileEvents in MDE: ActionType=FileCreated, FolderPath=E:\, FileName=system.dat, InitiatingProcessFileName=powershell.exe.

  2. Test 2Execute Payload from USB Drive

    Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, CommandLine=cmd.exe /c E:\update.bat. Parent process is cmd.exe or the test shell. Sysmon Event ID 11: TargetFilename=E:\update.bat and E:\output.dat. Security Event ID 4688 (if command line auditing enabled): NewProcessName contains E:\update.bat. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine contains 'E:\update.bat'.

  3. Test 3Automated USB File Pickup Simulation

    Expected signal: Multiple Sysmon Event ID 11 entries for file creation on E:\ by powershell.exe (cmd_*.dat and rsp_*.dat). Sysmon Event ID 1: PowerShell process with Get-Content and Out-File accessing removable drive. DeviceFileEvents: multiple FileCreated and FileRead actions on E:\ within a short time window — triggers the rapid-access-after-mount correlation branch.

  4. Test 4USB Device Serial Number Enumeration

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'USBSTOR' and 'Win32_DiskDrive'. Security Event ID 4663 (if object access auditing enabled on registry): access to HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. DeviceProcessEvents: PowerShell process accessing registry via Get-ItemProperty with USBSTOR path.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1092 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1091Replication Through Removable MediaT1052Exfiltration Over Physical MediumT1052.001Exfiltration over USBT1027Obfuscated Files or InformationT1025Data from Removable MediaT1074.001Local Data StagingT1059.001PowerShellT1547.001Registry Run Keys / Startup FolderT1005Data from Local System

Same Tactic: Command and Control

Popular Detections