DET0733: Detection of Replication Through Removable Media
Analyst context for executives and security teams
DET0733 is a detection strategy for spotting replication through removable media in ICS environments. Its business significance is that removable media can bridge gaps between enterprise networks and isolated control-system environments, including systems that are not normally reachable over untrusted networks. This makes it a resilience and governance issue, not just a malware issue: organizations need evidence that physical access, supplier/contractor workflows, and removable-media handling are monitored and controlled.
Executive priority
Prioritize this where control-system operations depend on segmented or offline assets and where suppliers, contractors, or operators use portable media. Leaders should ask whether removable-media use is authorized, logged, reviewed, and tied to incident response procedures. The decision value is in validating whether existing physical security, operational technology procedures, SOC monitoring, and compliance evidence can prove that removable media is governed before it becomes an initial-access path into sensitive environments.
Technical view
The ATT&CK object provides no official detection text, platforms, or tactics, but it detects ICS technique T0847, Replication Through Removable Media. SOC, OT security, and IR teams should therefore validate visibility around removable-media insertion and file movement into control-system environments, especially where systems are physically accessible or separated from enterprise networks. Because the related technique can involve trusted third parties, detection engineering should include context for authorized maintenance windows, contractor activity, approved media, and exceptions so alerts do not become either noisy or blind to misuse.
Likely telemetry
- Removable-media insertion and mount events where available
- Endpoint file creation, copy, and execution records on systems that interact with removable media
- Malware scanning or media-control logs from transfer stations or jump systems, if deployed
- Physical access, visitor, supplier, and contractor access records relevant to control-system areas
- Change-management or maintenance records authorizing removable-media use
Detection direction
- Inventory where removable media is permitted in the ICS environment and verify that those points produce usable logs.
- Correlate media-use events with authorized maintenance, supplier, contractor, and operator activity to distinguish expected operations from suspicious introduction paths.
- Validate whether monitoring covers offline, segmented, or physically accessible systems rather than only enterprise-connected endpoints.
- Tune for unusual file introduction, unexpected executable content, repeated use of unknown media, or media activity outside approved windows, while accounting for legitimate OT maintenance workflows.
- Document blind spots explicitly where host logging, centralized collection, or physical access records are unavailable.
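The correlation and tuning steps above, as an added example that is not part of the ATT&CK object or the Glexia page: removable-media events are checked against an approved-media list and authorized maintenance windows, and executable content written from media is flagged. All hosts, serials, users and events are constructed sample data.

```python
from datetime import datetime

# Constructed sample data (hypothetical OT environment).
APPROVED_MEDIA = {"SN-OT-0042"}  # media serials issued by the OT team
# Authorized maintenance windows: host, user, start, end (local time, ISO-8601)
MAINTENANCE_WINDOWS = [
    ("PLC-ENG-01", "vendor-tech", "2025-03-10T08:00", "2025-03-10T12:00"),
]
# Constructed media events: host, time, user, media serial, event kind, path
EVENTS = [
    ("PLC-ENG-01", "2025-03-10T09:15", "vendor-tech", "SN-OT-0042", "mount", ""),
    ("PLC-ENG-01", "2025-03-10T09:20", "vendor-tech", "SN-OT-0042", "file_create", "E:\\firmware\\update.bin"),
    ("HMI-02", "2025-03-10T22:40", "operator7", "SN-UNKNOWN-9", "mount", ""),
    ("HMI-02", "2025-03-10T22:41", "operator7", "SN-UNKNOWN-9", "file_create", "E:\\tools\\svc.exe"),
]
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".scr")


def in_window(host, user, ts, windows):
    """True if this host/user pair has an authorized window covering ts."""
    t = datetime.fromisoformat(ts)
    return any(
        h == host and u == user
        and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)
        for h, u, start, end in windows
    )


def assess(events, approved=APPROVED_MEDIA, windows=MAINTENANCE_WINDOWS):
    """Return (host, time, serial, reasons) for events that need analyst review.

    Expected activity (approved media, inside a window, non-executable
    content) produces no finding, so legitimate OT maintenance stays quiet.
    """
    findings = []
    for host, ts, user, serial, kind, path in events:
        reasons = []
        if serial not in approved:
            reasons.append("unknown media")
        if not in_window(host, user, ts, windows):
            reasons.append("outside approved window")
        if kind == "file_create" and path.lower().endswith(EXEC_SUFFIXES):
            reasons.append("executable written from media")
        if reasons:
            findings.append((host, ts, serial, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(finding)
```

Hosts with no media logging never appear in `EVENTS` at all, which is the blind spot the last step asks teams to document separately.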
Mitigation priorities
- Establish and enforce removable-media governance for control-system environments, including authorization, handling, and review procedures.
- Use approved transfer processes and scanning points where operationally feasible before media reaches sensitive systems.
- Restrict removable-media use to defined roles, assets, and maintenance scenarios, with exception tracking.
- Align physical access controls, supplier/contractor procedures, and OT change management with SOC and IR visibility requirements.
- Test incident response playbooks for suspected removable-media introduction into segmented or offline ICS assets.
Analyst notes and limits
This take is based on the ATT&CK detection strategy DET0733 and its relationship to ICS technique T0847. The practical focus is on defensive validation because the supplied object contains no official description or detection guidance. The relationship context indicates removable media may be used to reach physically accessible control-system environments, potentially via trusted third parties such as suppliers or contractors.
ATT&CK did not provide platforms, tactics, aliases, labels, an official description, or official detection text for DET0733 in the supplied fields. The related T0847 description is truncated in the source material. Local architecture, removable-media policy, OT asset visibility, and physical-access evidence are required to determine actual risk and coverage.
Detection of Replication Through Removable Media
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0847 | Replication Through Removable Media | This object detects Replication Through Removable Media. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 213c5e4e365a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0733 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.