DET0090: Cross-host C2 via Removable Media Relay
Analyst context for executives and security teams
DET0090 points defenders toward detecting command-and-control that is relayed between hosts using removable media. The business significance is that removable media can bridge network boundaries, including partially disconnected or segmented environments, so normal network monitoring may not see the full command path. This matters most where USB/removable media is allowed for operations, maintenance, file transfer, or work across separated networks.
Executive priority
Treat this as a resilience and control-validation issue rather than a single alert rule. Leaders should ask whether the organization can prove where removable media is used, which systems accept it, whether security teams collect host evidence from those systems, and how incident responders would investigate a suspected media-based relay across the Windows, macOS, and Linux platforms that ATT&CK lists for the related technique T1092. It is especially relevant to audit evidence, segmentation assurance, and cyber-physical or operational environments where removable media may be part of normal workflow.
Technical view
The detection strategy object itself has no official description, platform list, tactics, or detection text. Its relationship says it detects T1092, Communication Through Removable Media, a command-and-control technique involving compromised hosts relaying commands and files via removable media, potentially across disconnected networks. SOC and IR teams should validate whether endpoint telemetry can correlate removable media insertion, file creation/modification on removable volumes, process execution from or writing to removable paths, and unusual cross-host file artifacts. Because the detection object lacks detailed analytics, local baselining is required to separate legitimate removable-media workflows from suspicious relay behavior.
Likely telemetry
- Endpoint removable media insertion and mount events
- File creation, modification, copy, and deletion events on removable volumes
- Process execution involving removable-media paths
- Host inventory and device-control logs showing systems that permit removable media
- EDR or operating system audit logs from Windows, macOS, and Linux hosts where the related technique is applicable
Detection direction
- Validate that removable-media activity is logged on systems where the organization permits USB or similar devices; network-only monitoring may miss this behavior. Concretely, check that the relevant host sources are enabled and forwarded, for example Windows Audit PnP Activity (Security event 6416) together with Sysmon process-create (Event ID 1) and file-create (Event ID 11), and udev/auditd mount records on Linux.
- Correlate media-use events across multiple hosts, especially when the same volume or similar file artifacts appear on both Internet-connected and segmented/disconnected systems.
- Tune for local business processes: software transfer, maintenance, backups, and operational workflows can create benign removable-media noise.
- Look for suspicious combinations rather than isolated insertions, such as removable media use plus new executable/script files, command files, staged outputs, or process execution from removable paths.
- Confirm coverage across the platforms identified for the related technique—Linux, macOS, and Windows—rather than assuming one endpoint logging approach covers all.
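The technical view and the detection direction above describe correlation rather than a single rule: the same volume appearing on both an Internet-connected and a segmented host, executables written on one host and launched from the media on another, and output staged back onto the media. The following is an added example of that correlation logic, written for this page and not part of the ATT&CK object or any vendor product. The record schema (host, zone, ts, event, volume_id, path, image) is an assumption for illustration; real feeds such as Windows Security 6416, Sysmon 1/11, Linux udev/auditd or EDR device-control logs would need to be normalized into it first. The sample events are constructed.

```python
"""Cross-host correlation of removable-media telemetry (added example, not MITRE's
or any vendor's code). The event schema below is an assumption: a normalized
record with host, zone (network segment), ts, event type, volume_id (e.g. a USB
serial), plus path/image where relevant."""
import re
from collections import defaultdict
from datetime import datetime

# File types worth flagging when they land on a removable volume.
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".sh", ".py", ".jar")

# Strip the mount prefix so the same file is recognised under E:\ on one host and
# /media/<user>/<label>/ or /Volumes/<label>/ on another (simplified assumption).
_MOUNT_PREFIX = re.compile(
    r"^(?:[A-Za-z]:[\\/]|/media/[^/]+/[^/]+/|/Volumes/[^/]+/|/mnt/[^/]+/)", re.I)

# Constructed sample telemetry: one USB volume (VOL-7731) carried from an
# Internet-connected workstation to a segmented engineering host, plus a
# benign maintenance copy on a different volume.
SAMPLE_EVENTS = [
    {"host": "ws-01", "zone": "corp", "ts": "2024-05-01T09:00:00", "event": "mount", "volume_id": "VOL-7731"},
    {"host": "ws-01", "zone": "corp", "ts": "2024-05-01T09:01:10", "event": "file_write", "volume_id": "VOL-7731",
     "path": "E:\\tools\\update.exe", "image": "C:\\Users\\a\\Downloads\\stage.exe"},
    {"host": "ws-01", "zone": "corp", "ts": "2024-05-01T09:01:12", "event": "file_write", "volume_id": "VOL-7731",
     "path": "E:\\tools\\cmd.txt", "image": "C:\\Users\\a\\Downloads\\stage.exe"},
    {"host": "eng-plc-07", "zone": "ot", "ts": "2024-05-01T10:15:00", "event": "mount", "volume_id": "VOL-7731"},
    {"host": "eng-plc-07", "zone": "ot", "ts": "2024-05-01T10:15:30", "event": "process_start", "volume_id": "VOL-7731",
     "image": "E:\\tools\\update.exe"},
    {"host": "eng-plc-07", "zone": "ot", "ts": "2024-05-01T10:16:00", "event": "file_write", "volume_id": "VOL-7731",
     "path": "E:\\tools\\out.dat", "image": "E:\\tools\\update.exe"},
    {"host": "maint-02", "zone": "ot", "ts": "2024-05-01T11:00:00", "event": "mount", "volume_id": "VOL-0001"},
    {"host": "maint-02", "zone": "ot", "ts": "2024-05-01T11:00:20", "event": "file_write", "volume_id": "VOL-0001",
     "path": "E:\\fw\\image.bin", "image": "C:\\Program Files\\Vendor\\loader.exe"},
]


def path_on_volume(path):
    """Volume-relative path, forward slashes, lower case, so hosts can be compared."""
    return _MOUNT_PREFIX.sub("", path).replace("\\", "/").lower()


def is_exec(path):
    return path is not None and path.lower().endswith(EXEC_EXT)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def correlate(events, authorized_volumes=frozenset()):
    """Group events by volume and score relay-like patterns.

    Returns one finding per volume that shows at least one signal. Volumes in
    authorized_volumes (a local tuning list) are kept for audit but downgraded
    unless a cross-host write-then-execute sequence is present.
    """
    by_vol = defaultdict(list)
    for e in events:
        by_vol[e["volume_id"]].append(e)

    findings = []
    for vol, evs in by_vol.items():
        evs.sort(key=_ts)
        zones = sorted({e["zone"] for e in evs})
        hosts = sorted({e["host"] for e in evs})
        exec_writes = [e for e in evs if e["event"] == "file_write" and is_exec(e.get("path"))]
        # In this schema a process_start carrying a volume_id means the image lives on that volume.
        exec_from_media = [e for e in evs if e["event"] == "process_start"]
        media_procs = {(x["host"], x["image"]) for x in exec_from_media}
        # Output written back to the media by a process that itself launched from the media.
        staged_out = [e for e in evs if e["event"] == "file_write"
                      and (e["host"], e.get("image")) in media_procs]
        # Relay ordering: executable written on host A, later executed from the same volume on host B.
        relay = any(
            w["host"] != x["host"] and _ts(w) < _ts(x)
            and path_on_volume(w["path"]) == path_on_volume(x["image"])
            for w in exec_writes for x in exec_from_media)

        signals = []
        if len(zones) > 1:
            signals.append("volume crossed zones: " + ", ".join(zones))
        if exec_writes:
            signals.append(f"{len(exec_writes)} executable/script file(s) written to media")
        if exec_from_media:
            signals.append(f"{len(exec_from_media)} process(es) launched from media")
        if staged_out:
            signals.append(f"{len(staged_out)} file(s) written to media by a media-launched process")
        if relay:
            signals.append("cross-host write-then-execute sequence")
        if not signals:
            continue

        if relay:
            severity = "high"
        elif len(zones) > 1 and (exec_writes or exec_from_media):
            severity = "medium"
        elif vol in authorized_volumes:
            severity = "info"
        else:
            severity = "low"
        findings.append({"volume_id": vol, "hosts": hosts, "zones": zones,
                         "severity": severity, "signals": signals})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, authorized_volumes={"VOL-0001"}):
        print(f["severity"].upper(), f["volume_id"], f["hosts"], f["zones"])
        for s in f["signals"]:
            print("   -", s)
```

Run against the constructed sample, VOL-7731 is reported as high (crossed corp and ot, an executable written on ws-01 and later launched from the same volume on eng-plc-07, and output staged back by that process), while the maintenance copy on VOL-0001 produces no signal at all. The scoring thresholds and the authorized-volume list are the local baselining the page calls for; they are not supplied by the ATT&CK object.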
Mitigation priorities
- First, establish policy and inventory for where removable media is authorized, especially across segmented or sensitive environments.
- Prioritize device-control and least-function access controls on systems where removable media is not operationally required.
- Where removable media is required, require logging, scanning, and defined handling procedures that preserve investigation evidence.
- Ensure incident response playbooks include collection from both the removable device and every host that interacted with it.
- Use the detection relationship to T1092 to test whether command-and-control assumptions depend too heavily on network telemetry and miss cross-host removable-media relay scenarios.
Analyst notes and limits
This take is based on the detection strategy metadata and its relationship to ATT&CK technique T1092. The object name provides the core detection theme, while the related technique supplies the command-and-control context and applicable platforms. No vendor-specific controls, active exploitation claims, or attribution are supported by the supplied fields.
The official detection strategy has no description, no detection text, no tactics, and no platforms specified. Practical analytics, thresholds, and false-positive handling must be derived from local telemetry, removable-media policy, and environment-specific workflows.
Cross-host C2 via Removable Media Relay
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1092 | Communication Through Removable Media | This object detects Communication Through Removable Media. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 471deaabe68b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0090 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.