MITRE ATT&CK® Detection Strategy

DET0691: Detection of Replication Through Removable Media


Domain: Mobile | ID: DET0691 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because removable media and USB-style physical connections can become a path for malware or unauthorized access to mobile devices. For leaders, the practical issue is not just malware movement; it is whether the organization can prove it manages risky mobile-to-PC, mobile-to-charging-station, and other physical connection scenarios that may bypass normal application store controls.

Executive priority

Prioritize this as a mobile security and physical-access risk question: which business-critical users, locations, devices, or workflows allow Android or iOS devices to connect to PCs, charging stations, kiosks, or other removable-media-style interfaces? Executives should ask whether mobile device policy, user guidance, incident response procedures, and compliance evidence address these physical connection risks, especially where mobile devices handle sensitive data or support operational continuity.

Technical view

The supplied ATT&CK context links DET0691 to T1458, Replication Through Removable Media, in the mobile domain for Android and iOS. SOC, detection engineering, and IR teams should validate whether they have visibility into mobile device connection events, USB or host-pairing activity, side-loaded or directly installed applications, trust prompts, profile or configuration changes, and data access following physical connection. Because the official detection text is not provided, local detection logic should be built around environment-specific mobile management telemetry and known-normal connection patterns rather than assuming ATT&CK provides a ready analytic.

Likely telemetry

  • Mobile device management or enterprise mobility management events for Android and iOS devices
  • USB, host-pairing, device trust, or physical connection records where available
  • Application installation events, especially installations outside expected managed channels
  • Mobile security alerts related to suspicious apps, configuration changes, or unauthorized access
  • Endpoint or workstation logs for systems that commonly connect to mobile devices

Detection direction

  • Confirm whether mobile telemetry can distinguish expected user charging/sync behavior from unusual connection, trust, or installation events.
  • Baseline approved device-to-host connection patterns for high-risk users and sensitive environments.
  • Tune for combinations of physical connection plus unexpected application installation, configuration change, or access to stored data.
  • Account for false positives from legitimate device backups, mobile testing, help desk support, development workflows, and approved file transfer processes.
  • Review blind spots where personal devices, unmanaged charging stations, kiosks, or non-enrolled mobile devices are outside logging and policy enforcement.
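The correlation sketched in the bullets above (physical connection to an unapproved host, followed within a short window by a non-managed install, a configuration change, or data access) written out as an added example. This is not MITRE's or Glexia's code: the event shape and field names, the 30-minute window, the approved-host exception list and every sample event are constructed assumptions. Real EMM/MDM exports use vendor-specific schemas and must be mapped into this shape first.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in a vendor-neutral shape (assumed field names).
SAMPLE_EVENTS = [
    # d-100: trusts an unknown host, then a side-loaded install lands 7 minutes later
    {"ts": "2025-03-01T09:00:00", "device": "d-100", "type": "host_pairing_trusted", "host": "PC-UNKNOWN-42"},
    {"ts": "2025-03-01T09:07:00", "device": "d-100", "type": "app_install", "pkg": "com.example.tool", "source": "sideload"},
    # d-200: approved help-desk workstation, then a managed-store install (expected support workflow)
    {"ts": "2025-03-01T10:00:00", "device": "d-200", "type": "usb_connect", "host": "HELPDESK-01"},
    {"ts": "2025-03-01T10:05:00", "device": "d-200", "type": "app_install", "pkg": "com.corp.mail", "source": "managed_store"},
    # d-300: unknown kiosk, but the side-load comes 3.5 hours later, outside the window
    {"ts": "2025-03-01T11:00:00", "device": "d-300", "type": "usb_connect", "host": "KIOSK-7"},
    {"ts": "2025-03-01T14:30:00", "device": "d-300", "type": "app_install", "pkg": "com.example.late", "source": "sideload"},
    # d-400: side-load with no preceding physical connection (left to other rules)
    {"ts": "2025-03-01T12:00:00", "device": "d-400", "type": "app_install", "pkg": "com.example.other", "source": "sideload"},
    # d-500: unknown host, then developer options are switched on 20 minutes later
    {"ts": "2025-03-01T13:00:00", "device": "d-500", "type": "usb_connect", "host": "PC-UNKNOWN-9"},
    {"ts": "2025-03-01T13:20:00", "device": "d-500", "type": "config_change", "setting": "developer_options", "value": "enabled"},
]

APPROVED_HOSTS = {"HELPDESK-01", "HELPDESK-02", "BACKUP-SRV"}   # assumed exception list
CONNECTION_TYPES = {"usb_connect", "host_pairing_trusted"}
FOLLOW_ON_TYPES = {"app_install", "config_change", "data_access"}
WINDOW = timedelta(minutes=30)                                    # assumed tuning value


def is_unexpected(ev):
    """A follow-on event is 'unexpected' when it is outside the managed channel."""
    if ev["type"] == "app_install":
        return ev.get("source") != "managed_store"
    # Config changes and data access after an unapproved connection are always worth a look.
    return True


def correlate(events, approved_hosts=APPROVED_HOSTS, window=WINDOW):
    """Return one finding per unexpected follow-on event that lands within
    `window` of a physical connection to a host not on the exception list."""
    findings = []
    by_device = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_device.setdefault(ev["device"], []).append(ev)

    for device, evs in by_device.items():
        # Unapproved connections that may still be inside the window: (timestamp, host)
        open_connections = []
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            if ev["type"] in CONNECTION_TYPES:
                if ev.get("host") not in approved_hosts:
                    open_connections.append((ts, ev.get("host", "?")))
                continue
            if ev["type"] in FOLLOW_ON_TYPES and is_unexpected(ev):
                # Drop connections that have aged out before judging this event.
                open_connections = [(t, h) for (t, h) in open_connections if ts - t <= window]
                if open_connections:
                    conn_ts, host = open_connections[-1]
                    findings.append({
                        "device": device,
                        "host": host,
                        "connection_ts": conn_ts.isoformat(),
                        "trigger": ev["type"],
                        "trigger_ts": ev["ts"],
                    })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['device']}: {f['trigger']} at {f['trigger_ts']} "
              f"after connection to {f['host']} at {f['connection_ts']}")
```

On the constructed sample only d-100 and d-500 produce findings; d-200 is suppressed by the exception list, d-300 by the window, and d-400 never had a connection event for this rule to anchor on. The window and the exception list are the two tuning knobs the bullets above call for, and the rule is only as good as the connection telemetry feeding it: if the MDM does not export USB or pairing events for a device class, that class is the blind spot the last bullet describes, not a clean result.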

Mitigation priorities

  • Define policy for where and how managed Android and iOS devices may connect to PCs, kiosks, charging stations, or other physical interfaces.
  • Use mobile device management controls and configuration baselines where available to restrict unauthorized application installation and risky trust relationships (for example, blocking unknown-source installs and USB file transfer on managed Android devices, and restricting host pairing and new enterprise-app trust on supervised iOS devices).
  • Maintain asset and exception lists for approved mobile support, backup, testing, or development workflows.
  • Train users on the risk of untrusted charging stations and unknown computers, especially for sensitive roles.
  • Ensure incident response playbooks cover collection from both the mobile device and any connected host or physical access point.

Analyst notes and limits

DET0691 is a detection strategy object for mobile ATT&CK and detects T1458, Replication Through Removable Media. The relationship context supports Android and iOS relevance through the related technique. Since the official description and detection fields are not provided, this take focuses on validation questions, telemetry classes, and control priorities rather than a specific analytic rule.

The object has no official description, no official detection text, no listed tactics, and no platforms directly on the detection strategy itself. Android and iOS are supported only through the related T1458 technique. Local device management architecture, ownership model, and logging availability are required to determine actual coverage.

Official MITRE ATT&CK definition

Detection of Replication Through Removable Media

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name                                | Relationship / procedure
Mobile | T1458 | Replication Through Removable Media | This object detects Replication Through Removable Media.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e07d9773d720b41f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | e07d9773d720…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0691 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.