MITRE ATT&CK® Analytic

AN1866: Analytic 1866

Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. Monitor for newly constructed files copied to or from removable media. Monitor for newly constructed drive letters or mount points to removable media. Monitor for files accessed on removable media, particularly those with executable content.

Domain: ICS | Object: AN1866 (Analytic) | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1866 is a detection analytic focused on activity around removable media: new mount points or drive letters, files copied to or from the media, files accessed on the media, and processes executed from it. For an ICS environment, this matters because removable media can bridge operational systems and less-trusted environments, making it important for both cyber investigation and cyber-physical risk management. The analytic is not a claim of malicious activity by itself; it is a prompt to prove whether the organization can see and investigate removable-media execution and follow-on behavior such as network connections or discovery activity.

Executive priority

Treat this as a resilience and evidence question: can the organization account for removable-media use in sensitive environments, especially where normal endpoint or network visibility may be limited? Leaders should ask whether removable-media monitoring is covered in SOC use cases, incident response playbooks, compliance evidence, and operational procedures. Priority is higher where removable media is used for maintenance, engineering transfer, vendor support, or isolated ICS workflows, because those legitimate uses can also create blind spots.

Technical view

Validate telemetry for three event groups described by the analytic: removable media mount or drive-letter creation, file construction or copy activity to and from removable media, and process execution from removable media. If execution is observed, triage should include the initiating user, parent process, executable path, file metadata, timing relative to mount, and any subsequent network connections or system/network discovery behavior. Because no ATT&CK platforms, tactics, relationships, or separate detection logic are supplied, detection engineering should keep the analytic behavior-centric rather than assuming a specific operating system, tool, or attack chain.

Likely telemetry

  • Removable media mount events, drive-letter creation, or mount-point creation
  • File creation and copy events involving removable media paths
  • File access events on removable media, especially executable content
  • Process creation events where the image or working directory is on removable media
  • User initiation context, including logged-on user and parent process

Detection direction

  • Correlate removable-media mount events with process creation from the same media shortly afterward.
  • Alert or review when executable content is accessed or launched from removable media, while accounting for authorized maintenance and engineering workflows.
  • Monitor files copied to or from removable media and preserve enough path, user, and timestamp detail for investigation.
  • After removable-media execution, look for additional actions noted by ATT&CK, including network connections for command and control and system or network information discovery.
  • Tune with local allowlists for approved removable-media procedures, but avoid broad exclusions that remove visibility from high-risk ICS transfer paths.
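The correlation described in the bullets above, as an added worked example (not part of the Glexia analysis or any MITRE-supplied detection logic): it takes constructed mount, process and network events, flags processes whose executable path sits under a mount point created shortly before on the same host, suppresses narrowly allowlisted maintenance procedures, and then records follow-on network connections and child discovery utilities for triage. The event field names, the hosts and users, the Windows-style drive letters and the time windows are all assumptions for illustration; the prefix match works the same for Unix-style mount points such as /media/usb.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not captured from any real system). Field
# names are assumptions for illustration; map them to your own EDR/SIEM schema.
EVENTS = [
    {"ts": "2024-05-02T09:00:00", "type": "mount", "user": "eng01",
     "host": "hmi-02", "mount": "E:\\"},
    {"ts": "2024-05-02T09:00:40", "type": "process", "user": "eng01",
     "host": "hmi-02", "pid": 4100, "ppid": 1200, "parent": "explorer.exe",
     "image": "E:\\tools\\update.exe", "cmdline": "update.exe /silent"},
    {"ts": "2024-05-02T09:01:05", "type": "network", "host": "hmi-02",
     "pid": 4100, "dest": "203.0.113.7", "dport": 443},
    {"ts": "2024-05-02T09:01:30", "type": "process", "user": "eng01",
     "host": "hmi-02", "pid": 4180, "ppid": 4100, "parent": "update.exe",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2024-05-02T11:00:00", "type": "mount", "user": "vendor03",
     "host": "eng-ws-01", "mount": "F:\\"},
    {"ts": "2024-05-02T11:00:15", "type": "process", "user": "vendor03",
     "host": "eng-ws-01", "pid": 5210, "ppid": 900, "parent": "explorer.exe",
     "image": "F:\\approved\\fwloader.exe", "cmdline": "fwloader.exe"},
    {"ts": "2024-05-02T12:30:00", "type": "process", "user": "eng01",
     "host": "hmi-02", "pid": 6000, "ppid": 1200, "parent": "explorer.exe",
     "image": "C:\\Program Files\\Vendor\\hmi.exe", "cmdline": "hmi.exe"},
]

# Approved removable-media procedures as narrow (host, user, image-prefix)
# tuples rather than blanket drive-letter or user exclusions. Constructed.
ALLOWLIST = [
    ("eng-ws-01", "vendor03", "F:\\approved\\"),
]

MOUNT_WINDOW = timedelta(minutes=10)      # execution this soon after a mount is correlated
FOLLOW_ON_WINDOW = timedelta(minutes=15)  # how long to look for C2/discovery afterwards
DISCOVERY_IMAGES = {"ipconfig.exe", "net.exe", "net1.exe", "arp.exe",
                    "nbtstat.exe", "whoami.exe", "systeminfo.exe", "hostname.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    # Works for both backslash and forward-slash paths.
    return re.split(r"[\\/]", path)[-1].lower()


def _is_allowlisted(event):
    image = event["image"].lower()
    return any(event["host"] == h and event["user"] == u and image.startswith(p.lower())
               for h, u, p in ALLOWLIST)


def correlate(events=EVENTS):
    """Return one finding per process launched from removable media within
    MOUNT_WINDOW of a mount on the same host, enriched with triage fields and
    any follow-on network connections or child discovery utilities."""
    events = sorted(events, key=_ts)
    mounts = [e for e in events if e["type"] == "mount"]
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        # Most recent mount on the same host whose mount point prefixes the image path.
        mount = next((m for m in reversed(mounts)
                      if m["host"] == e["host"]
                      and e["image"].lower().startswith(m["mount"].lower())
                      and timedelta(0) <= _ts(e) - _ts(m) <= MOUNT_WINDOW), None)
        if mount is None or _is_allowlisted(e):
            continue
        finding = {
            "host": e["host"], "user": e["user"], "image": e["image"],
            "parent": e["parent"], "pid": e["pid"], "mount_user": mount["user"],
            "seconds_since_mount": int((_ts(e) - _ts(mount)).total_seconds()),
            "network": [], "discovery": [],
        }
        # Follow-on review: connections by the process itself and discovery
        # utilities it spawned inside the follow-on window.
        deadline = _ts(e) + FOLLOW_ON_WINDOW
        for f in events:
            if f["host"] != e["host"] or not (_ts(e) < _ts(f) <= deadline):
                continue
            if f["type"] == "network" and f["pid"] == e["pid"]:
                finding["network"].append(f"{f['dest']}:{f['dport']}")
            elif (f["type"] == "process" and f["ppid"] == e["pid"]
                  and _basename(f["image"]) in DISCOVERY_IMAGES):
                finding["discovery"].append(f["cmdline"])
        finding["severity"] = "high" if finding["network"] or finding["discovery"] else "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in correlate():
        print(finding)
```

On the constructed events this yields a single high-severity finding for update.exe launched 40 seconds after the E: mount, with the 203.0.113.7:443 connection and the child ipconfig run attached; the vendor03 launch from F:\approved\ is suppressed by the narrow allowlist and the hmi.exe launch from the local disk never matches a mount. Keeping the allowlist keyed on host, user and path prefix is what prevents the "approved procedure" exception from turning into the broad exclusion the last bullet warns against.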

Mitigation priorities

  • Establish and document authorized removable-media use cases, owners, and handling procedures for sensitive environments.
  • Prioritize logging and retention for removable-media mounts, file movement, file access, and process execution before relying on alerting.
  • Restrict or control execution from removable media where operationally feasible, especially on systems supporting critical processes.
  • Use incident response playbooks that require follow-on review of network connections and discovery behavior after any suspicious removable-media execution.
  • Maintain compliance-ready evidence showing how removable-media activity is monitored, reviewed, and governed in ICS-relevant workflows.

Analyst notes and limits

The supplied object is an ICS ATT&CK detection analytic, AN1866, with an official description but no separate official detection section, no platforms, no tactics, and no relationship context. The strongest defensive value is coverage validation: proving that removable-media activity can be observed, correlated, and investigated without assuming a specific adversary or tool.

This take is limited to the official STIX fields, external reference, and description provided. It does not establish active exploitation, attribution, affected platforms, or guaranteed detection. Local environment knowledge is required to distinguish approved removable-media workflows from suspicious behavior and to determine which telemetry sources are available.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created: not recorded in this snapshot
  • Modified: not recorded in this snapshot
  • Raw hash: 399b2f0fb21a112d...
Imported snapshots across ATT&CK releases (1)

  • Release 19.1: object version 1.0, status "Current bundle", raw hash 399b2f0fb21a… (bundle import date and modified timestamp not recorded)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN1866 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.