title: Communication Through Removable Media (T1092)
id: df00tech-t1092
status: experimental
description: "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement via Replication Through Removable Media. Commands and files are relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. This technique has been observed in APT28/Fancy Bear operations using CHOPSTICK and USBStealer malware to bridge air-gapped networks, writing encoded command files to USB drives on internet-connected hosts and reading results from the same media when re-inserted."
references:
  - https://attack.mitre.org/techniques/T1092/
  - https://df00tech.com/detections/T1092
author: df00tech
date: 2026/04/13
tags:
  - attack.t1092
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: 'EventID: *' matches every process_creation event,
  # so the rule must not be deployed at level high until the selection is replaced.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software developers or IT staff who legitimately copy scripts or executables to USB drives for deployment on offline systems
  - Legitimate backup solutions that write encrypted backup archives to removable storage
  - Point-of-sale or industrial control system maintenance technicians who routinely deploy updates via USB in air-gapped environments
  - Users copying portable applications (PortableApps, SumatraPDF, etc.) to USB drives for personal use
  - Forensic investigators and incident responders who collect evidence or run analysis tools from USB media
level: high
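The rule's own comment says its `selection` is a stub awaiting manual translation. The following is an added example, not part of the df00tech rule or of the Sigma project's tooling: a small Python evaluator for a Sigma-style map selection (plain values with `*`/`?` wildcards, plus the `contains`, `startswith` and `endswith` modifiers) together with a catch-all check, run over constructed process_creation events. It shows that `EventID: '*'` matches everything, which is the check worth running before any auto-derived rule reaches production. The second selection (`HYPOTHETICAL_SELECTION`) and its drive-letter value are an illustration of the matcher distinguishing events, not a validated detection for T1092; the events are constructed samples, not real telemetry.

```python
"""Evaluate a Sigma-style `selection` against constructed Windows
process_creation events and flag catch-all selections.

Added example, not the df00tech rule's or Sigma's own code. Matching
semantics are a deliberately small subset of Sigma: case-insensitive
equality with '*' and '?' wildcards, and the contains / startswith /
endswith modifiers. All events below are constructed samples.
"""
import fnmatch

# The selection exactly as it appears in the rule: a placeholder that the
# rule's own comment says still has to be translated by hand.
PLACEHOLDER_SELECTION = {"EventID": "*"}

# Hypothetical tightened selection used only to show the matcher telling
# events apart. Field names are Sysmon process_creation fields; the values
# are illustrative and NOT a validated T1092 detection.
HYPOTHETICAL_SELECTION = {
    "Image|endswith": ".exe",
    "CurrentDirectory|startswith": "E:\\",
}


def _field_matches(modifier, expected, actual):
    """Compare one event field value against one selection value."""
    if actual is None:
        return False  # field absent from the event: Sigma treats as no match
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier is None:
        # Plain Sigma values: '*' and '?' act as wildcards
        return fnmatch.fnmatchcase(actual, expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """Keys of a Sigma map selection are AND-ed; list values are OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        modifier = modifier or None
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_field_matches(modifier, c, event.get(field)) for c in candidates):
            return False
    return True


def is_catch_all(selection):
    """True when every condition is a bare '*' wildcard: the selection then
    matches any event that carries those fields at all."""
    return all("|" not in key and str(value) == "*"
               for key, value in selection.items())


# Constructed sample events (not real logs): EventID 1 = Sysmon process create
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CurrentDirectory": "C:\\Users\\alice\\"},
    {"EventID": 1, "Image": "E:\\tools\\updater.exe",
     "CurrentDirectory": "E:\\tools\\"},
    {"EventID": 1, "Image": "C:\\Program Files\\Backup\\backup.exe",
     "CurrentDirectory": "C:\\Program Files\\Backup\\"},
]


def count_hits(selection, events=EVENTS):
    """Number of sample events the selection would fire on."""
    return sum(1 for e in events if selection_matches(selection, e))


if __name__ == "__main__":
    for name, sel in (("placeholder", PLACEHOLDER_SELECTION),
                      ("hypothetical", HYPOTHETICAL_SELECTION)):
        print(f"{name}: catch_all={is_catch_all(sel)} hits={count_hits(sel)}/{len(EVENTS)}")
```

Run as-is, the placeholder selection fires on all three constructed events and `is_catch_all` reports it, while the hypothetical selection fires on one. Wiring `is_catch_all` into a pre-deployment lint step catches auto-derived stubs like this one before they flood a SIEM with high-severity alerts.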
