MITRE ATT&CK® Detection Strategy

DET0301: Removable Media Execution Chain Detection via File and Process Activity


Enterprise · DET0301 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because removable media can bridge normal network boundaries, including disconnected or tightly controlled environments. For leaders, the practical question is whether the organization can recognize suspicious file creation and execution activity tied to USB or other removable media before it becomes initial access or lateral movement. The ATT&CK record is sparse, but its relationship to Replication Through Removable Media makes it relevant to endpoint monitoring, incident response readiness, and environments where physical device use can affect cyber risk.

Executive priority

Prioritize this as a resilience and evidence question: do business-critical Windows environments, sensitive operations, and any disconnected or controlled networks have policy, monitoring, and response processes for removable media use? This supports budget and control decisions around endpoint visibility, device control, user workflow exceptions, and audit evidence for removable media governance. It is especially important where removable media is still required for operations, maintenance, or data transfer.

Technical view

DET0301 is a detection strategy for identifying a removable media execution chain through file and process activity. The only explicit relationship provided is that it detects T1091, Replication Through Removable Media, a Windows technique associated with initial access and lateral movement. SOC and detection engineering teams should validate whether they can correlate removable media insertion or mounted media context with file writes, renamed or suspicious executables, Autorun-related behavior where observable, and subsequent process execution from removable paths. Because the official detection text and platforms for DET0301 are not provided, implementation should be based on local telemetry capabilities and the related T1091 context rather than assuming complete ATT&CK-provided logic.

Likely telemetry

  • Endpoint file activity involving removable media paths or newly mounted volumes
  • Endpoint process creation telemetry showing execution from removable media locations
  • Device or volume mount events, where collected
  • File rename, copy, or modification events on removable media
  • Security logs or endpoint management records showing removable media use

Detection direction

  • Validate that endpoint telemetry can connect a removable media event to subsequent file creation and process execution on the same host.
  • Tune for execution from removable media and for files copied to removable media that are renamed to appear legitimate, while accounting for approved administrative, maintenance, or operational workflows.
  • Use the relationship to T1091 to frame triage around initial access and lateral movement, particularly on Windows systems.
  • Check blind spots where removable media insertion is logged but file activity or process command-line detail is not retained.
  • Avoid treating every removable media use as malicious; establish baselines and approved-use exceptions to reduce false positives.
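As an added worked example (not part of the Glexia page, the ATT&CK object, or any vendor tooling), the following Python correlates constructed Windows endpoint events into the chain the Technical view and the Detection direction items describe: a volume mount, file creation and renames on that volume, and process creation with an image path on the same volume within a time window on the same host. It suppresses a business-approved host/volume pairing, flags renames that hide an executable behind a document-like name, and reports a process event whose image path was not retained as a telemetry gap rather than silently dropping it. The event shape, field names, the 15-minute window, the host names and the approved-use list are all assumptions.

```python
"""Correlate removable-media mount, file and process telemetry into an
execution chain per host.  Constructed example: the event shape, field
names, window and approved-use list are assumptions, not ATT&CK- or
vendor-defined."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # mount -> execution correlation window (assumed)
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}

# Approved-use exceptions: (host, volume label) pairs a documented maintenance
# workflow is allowed to execute from (constructed values).
APPROVED = {("maint-ws01", "VENDOR_SVC")}


def volume_of(path):
    """Return the drive letter ('E:') of a Windows path, or None if relative."""
    if path and len(path) >= 2 and path[1] == ":":
        return path[:2].upper()
    return None


def suspicious_rename(old, new):
    """Flag renames that disguise an executable: a double extension ending in an
    executable type, or an executable extension swapped for a different one."""
    old_name, new_name = ntpath.basename(old).lower(), ntpath.basename(new).lower()
    old_ext, new_ext = ntpath.splitext(old_name)[1], ntpath.splitext(new_name)[1]
    double_ext = new_name.count(".") >= 2 and new_ext in EXEC_EXT
    return double_ext or (old_ext in EXEC_EXT and new_ext != old_ext)


def correlate(events):
    """Group events by host, then for each mount collect file creations,
    suspicious renames and process launches on that volume inside WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for mount in (e for e in evs if e["type"] == "device_mount"):
            vol = mount["volume"].upper()
            if (host, mount.get("label", "")) in APPROVED:
                continue  # documented, business-approved workflow
            deadline = mount["ts"] + WINDOW
            chain = {"host": host, "volume": vol, "label": mount.get("label", ""),
                     "files": [], "renames": [], "execs": [], "incomplete": []}
            for e in evs:
                if not (mount["ts"] <= e["ts"] <= deadline):
                    continue
                if e["type"] == "file_create" and volume_of(e["path"]) == vol:
                    chain["files"].append(e["path"])
                elif e["type"] == "file_rename" and volume_of(e["new_path"]) == vol:
                    if suspicious_rename(e["old_path"], e["new_path"]):
                        chain["renames"].append((e["old_path"], e["new_path"]))
                elif e["type"] == "process_create":
                    image = e.get("image")
                    if image is None:
                        # Blind spot: process logged but image path not retained.
                        chain["incomplete"].append(e.get("pid"))
                    elif volume_of(image) == vol:
                        chain["execs"].append((image, e.get("cmdline", "")))
            # File creation alone (e.g. reading a document) is not a finding.
            if chain["execs"] or chain["renames"] or chain["incomplete"]:
                findings.append(chain)
    return findings


# Constructed sample telemetry covering a suspicious chain, an approved
# workflow, a telemetry gap and a benign document copy.
T0 = datetime(2025, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"host": "ws-fin-07", "ts": T0, "type": "device_mount", "volume": "E:", "label": "KINGSTON"},
    {"host": "ws-fin-07", "ts": T0 + timedelta(seconds=40), "type": "file_create", "path": r"E:\invoice.exe"},
    {"host": "ws-fin-07", "ts": T0 + timedelta(seconds=55), "type": "file_rename",
     "old_path": r"E:\invoice.exe", "new_path": r"E:\invoice.pdf.exe"},
    {"host": "ws-fin-07", "ts": T0 + timedelta(minutes=2), "type": "process_create", "pid": 4120,
     "image": r"E:\invoice.pdf.exe", "cmdline": r"E:\invoice.pdf.exe"},
    {"host": "maint-ws01", "ts": T0, "type": "device_mount", "volume": "F:", "label": "VENDOR_SVC"},
    {"host": "maint-ws01", "ts": T0 + timedelta(minutes=1), "type": "process_create", "pid": 900,
     "image": r"F:\svc_update.exe", "cmdline": r"F:\svc_update.exe /quiet"},
    {"host": "ws-ops-03", "ts": T0, "type": "device_mount", "volume": "E:", "label": "USB DISK"},
    {"host": "ws-ops-03", "ts": T0 + timedelta(minutes=3), "type": "process_create", "pid": 2210, "image": None},
    {"host": "ws-hr-02", "ts": T0, "type": "device_mount", "volume": "E:", "label": "USB DISK"},
    {"host": "ws-hr-02", "ts": T0 + timedelta(minutes=1), "type": "file_create", "path": r"E:\report.docx"},
]


def run_sample():
    """Return the findings for the constructed sample events."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the sample yields two findings: the full chain on ws-fin-07 (file written, renamed to a double extension, then executed from the volume) and a telemetry-gap record for ws-ops-03, where the process launch is visible but its image path is missing. The approved maintenance workflow and the plain document copy produce nothing, which is the baseline-and-exception behaviour the last two Detection direction items call for.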

Mitigation priorities

  • Establish or review removable media policy, including where use is prohibited, restricted, or business-approved.
  • Prioritize endpoint visibility for file, process, and device activity on systems where removable media is permitted.
  • Apply device control and execution control measures where operationally feasible, especially for sensitive Windows environments.
  • Document exceptions and monitoring expectations so SOC and audit teams can distinguish approved workflows from suspicious execution chains.
  • Ensure incident response playbooks include containment and evidence collection steps for suspected removable media initial access or lateral movement.

Analyst notes and limits

The value of this object comes primarily from its relationship to T1091 and from the strategy name, which indicates a file-and-process activity approach to removable media execution chains. This should be treated as a coverage validation prompt: confirm whether the organization can observe the chain from removable media presence to file activity to process execution, then map that evidence to response actions.

The supplied DET0301 object has no official description, no official detection text, no tactics, and no platforms specified. The related technique provides Windows, initial-access, and lateral-movement context, but local logging, endpoint tooling, and removable media business processes determine whether useful detection is possible. No claim is made about active exploitation, attribution, impact, or existing coverage.

Official MITRE ATT&CK definition

Removable Media Execution Chain Detection via File and Process Activity

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1091 | Replication Through Removable Media | This object detects Replication Through Removable Media.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 07d690a08f61250b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 07d690a08f61…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0301

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.