MITRE ATT&CK® Technique

T1092: Communication Through Removable Media

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.[1] Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Enterprise | T1092 | Technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This technique matters when an organization relies on segmented, isolated, or air-gapped systems for resilience. ATT&CK describes adversaries relaying commands and files between already compromised hosts using removable media, allowing command-and-control activity to bridge networks that may not have direct Internet connectivity.

Executive priority

Treat this as a control-validation issue for high-value disconnected environments: industrial systems, sensitive research networks, restricted enclaves, and recovery infrastructure. Leaders should ask whether removable media use is governed, logged, and reviewable across Windows, Linux, and macOS systems, and whether incident response plans account for cross-network movement by physical media rather than network traffic alone.

Technical view

For SOC, detection engineering, and IR teams, the key validation point is whether activity can be correlated across hosts when removable media is the transport path. ATT&CK provides no official detection text, but the related detection strategy is DET0090, Cross-host C2 via Removable Media Relay. Teams should focus on evidence of removable media insertion, file staging, file transfer timing, and execution or access patterns on both an Internet-connected compromised host and a disconnected or segmented compromised host.

Likely telemetry

  • Removable media insertion, mount, and device identifier events on Linux, macOS, and Windows endpoints
  • File creation, modification, deletion, and access events on removable volumes
  • Process execution from removable media or processes reading from/writing to removable media
  • Endpoint security alerts or audit logs from both connected and disconnected systems
  • File metadata useful for correlation, such as timestamps, names, paths, hashes, and volume identifiers

Detection direction

  • Validate whether DET0090-style cross-host correlation is possible rather than relying only on single-host alerts.
  • Tune for sequences where similar files, commands, archives, or staging patterns appear on removable media and then on another host within a plausible transfer window.
  • Account for benign removable media workflows, such as approved administrative transfer, patching, backup, or data export processes, to reduce false positives.
  • Prioritize monitoring on systems that are intentionally disconnected or segmented, because ordinary network C2 detections may not observe this behavior.
  • Review whether endpoint logging persists when systems are offline and whether logs are collected after reconnection or through offline IR procedures.
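The telemetry and detection points above describe one correlation job: pair a file landing on a removable volume on one host with the same file being read or executed from the same volume on a host in a different network zone, inside a plausible transfer window, while suppressing approved media workflows. The block below is an added illustration of that logic and is not Glexia's or MITRE's code, nor an implementation of DET0090; the hostnames, zone labels, volume serials, hashes and event records are all constructed sample data, and the field names are assumptions about what an endpoint agent would report.

```python
"""Cross-host removable-media relay correlation over constructed endpoint events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MediaEvent:
    host: str
    zone: str        # "connected" or "isolated"; assumed to come from an asset inventory
    ts: datetime
    action: str      # "write" = file placed on the volume; "read"/"exec" = file consumed from it
    volume_id: str   # removable volume serial as reported by endpoint telemetry (assumed field)
    path: str
    sha256: str      # constructed short digests, not real hashes


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry: one relay in each direction, one approved patch
# transfer, and one stale file consumed long after it was staged.
SAMPLE_EVENTS = [
    MediaEvent("ws-corp-17", "connected", _t("2024-03-04T09:02:00"), "write", "VOL-7F31", "/stage/cmd.dat", "aa11"),
    MediaEvent("eng-iso-03", "isolated", _t("2024-03-04T11:15:00"), "exec", "VOL-7F31", "/stage/cmd.dat", "aa11"),
    MediaEvent("eng-iso-03", "isolated", _t("2024-03-04T11:20:00"), "write", "VOL-7F31", "/stage/out.bin", "bb22"),
    MediaEvent("ws-corp-17", "connected", _t("2024-03-04T14:40:00"), "read", "VOL-7F31", "/stage/out.bin", "bb22"),
    MediaEvent("patch-admin", "connected", _t("2024-03-04T08:00:00"), "write", "VOL-PATCH-01", "/updates/kb.msu", "cc33"),
    MediaEvent("eng-iso-03", "isolated", _t("2024-03-04T10:00:00"), "read", "VOL-PATCH-01", "/updates/kb.msu", "cc33"),
    MediaEvent("ws-corp-17", "connected", _t("2024-02-01T09:00:00"), "write", "VOL-7F31", "/old/tool.exe", "dd44"),
    MediaEvent("eng-iso-09", "isolated", _t("2024-03-04T12:00:00"), "exec", "VOL-7F31", "/old/tool.exe", "dd44"),
]

# Volumes assigned to an approved administrative workflow (constructed allowlist).
APPROVED_VOLUMES = frozenset({"VOL-PATCH-01"})


@dataclass(frozen=True)
class RelayCandidate:
    volume_id: str
    sha256: str
    src_host: str
    dst_host: str
    delay: timedelta


def correlate_relays(events, window=timedelta(hours=72), approved_volumes=frozenset()):
    """Return write->consume pairs that cross a zone boundary on the same volume and file.

    A candidate needs: same volume serial, same content hash, a write on one host
    followed (within `window`) by a read/exec on a different host in a different zone.
    Volumes in `approved_volumes` are skipped to model sanctioned media workflows.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.volume_id, ev.sha256)].append(ev)

    findings = []
    for (vol, digest), evs in by_key.items():
        if vol in approved_volumes:
            continue
        writes = [e for e in evs if e.action == "write"]
        consumes = [e for e in evs if e.action in ("read", "exec")]
        for w in writes:
            for c in consumes:
                # Same host or same zone is ordinary local use, not a cross-network relay.
                if c.host == w.host or c.zone == w.zone:
                    continue
                delay = c.ts - w.ts
                if timedelta(0) <= delay <= window:
                    findings.append(RelayCandidate(vol, digest, w.host, c.host, delay))
    # Shortest staging-to-use delay first: tighter timing is the stronger relay signal.
    return sorted(findings, key=lambda f: f.delay)


if __name__ == "__main__":
    for f in correlate_relays(SAMPLE_EVENTS, approved_volumes=APPROVED_VOLUMES):
        print(f"{f.volume_id} {f.sha256}: {f.src_host} -> {f.dst_host} after {f.delay}")
```

Run against the constructed events, the job surfaces the two-way relay on VOL-7F31 (a command file staged on the connected workstation and executed on the isolated host, then a result file written on the isolated host and read back on the connected one), drops the allowlisted patch volume, and ignores the file consumed a month after it was staged because it falls outside the window. The window and the zone labels are the two knobs to tune for a real environment; the sorting by delay is only a triage aid.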

Mitigation priorities

  • Start with policy and operating system configuration controls for removable media use, aligned to M1028 Operating System Configuration.
  • Disable or remove unnecessary features or programs that enable unneeded removable media functionality where business operations allow, aligned to M1042 Disable or Remove Feature or Program.
  • Define approved removable media workflows, ownership, and audit requirements for sensitive or segmented environments.
  • Harden endpoints so removable media activity is logged and reviewable across Windows, Linux, and macOS where those platforms are in scope.
  • Ensure incident response playbooks include collection and preservation of removable media artifacts, host logs, and cross-host timeline evidence.

Analyst notes and limits

ATT&CK links this technique to APT28 and to CHOPSTICK and USBStealer software, with USBStealer described as malware used to extract information from air-gapped networks. These relationships support using the technique as a planning case for removable-media relay risk, not as evidence of current activity in any specific environment.

The ATT&CK object does not provide official detection guidance. Local conclusions require environment-specific evidence about removable media policy, endpoint logging, isolated-network operations, and whether the related platforms are present.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Malware Enterprise

S0023: CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants.[1][2][3][4] It is tracked separately from the X-Agent for Android.

Windows, Linux
Malware Enterprise

S0136: USBStealer

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.[1][2]

Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not captured in this snapshot)
Modified: (not captured in this snapshot)
Raw hash: cc6fd45c6b538435...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not captured) | 1.0 | (not captured) | Current bundle | cc6fd45c6b53…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] ESET Sednit USBStealer 2014: Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. (Source URL on file.)
  [2] mitre-attack T1092. (Source URL on file.)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.