title: Replication Through Removable Media (T1091)
id: df00tech-t1091
status: experimental
description: "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system. This technique serves two purposes: Initial Access (introducing malware into isolated or air-gapped environments) and Lateral Movement (propagating between networked systems via USB). Common implementations include creating autorun.inf files that auto-execute malware on media insertion, copying malicious executables to the drive root disguised as legitimate files, and creating LNK shortcut files that silently execute hidden payloads. Notable malware families and threat actors include Stuxnet (targeting air-gapped ICS/SCADA networks via the CVE-2010-2568 LNK vulnerability), Flame (modular USB infection framework), Gamaredon Group (LNK files on all removable and network drives via UserAssist persistence), Mustang Panda and APT30 (customized PlugX USB variants), Raspberry Robin (worm spread via infected USB media), HIUPAN (periodic drive polling for propagation), and Aoqin Dragon (removable device dropper for breaching secure network environments)."
references:
  - https://attack.mitre.org/techniques/T1091/
  - https://df00tech.com/detections/T1091
author: df00tech
date: 2026/04/18
tags:
  - attack.t1091
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installations from USB drives — legitimate setup.exe or msiexec.exe processes writing executable files to D: or E: drives during product installation or portable app setup"
  - "Backup software (Acronis, Veeam, Windows Backup, robocopy scripts) writing backup archives or system images containing executables to external USB hard drives on scheduled backup paths"
  - "IT administrators manually copying diagnostic tools, deployment packages, or OS installers to removable media for endpoint remediation or imaging tasks"
  - "Portable application suites (PortableApps.com platform, U3 smart drive) that legitimately store and execute full application stacks from USB drives by design"
  - "Multi-drive workstations where D:, E:, or other letters refer to secondary fixed internal drives (NVMe, SSD, HDD) rather than removable media — tuning against known fixed drive letters in your environment is required"
  - "Developer workflows using large external drives to store build toolchains, compilers, or VM images accessed directly from non-C: drive paths"
level: high
