- Tactics
- Command and Control
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1092
Description
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Command and Control tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1001 - Data Obfuscation
- T1008 - Fallback Channels
- T1071 - Application Layer Protocol
- T1090 - Proxy
- T1095 - Non-Application Layer Protocol
- T1102 - Web Service
- T1104 - Multi-Stage Channels
- T1105 - Ingress Tool Transfer
- T1132 - Data Encoding
- T1205 - Traffic Signaling
- T1219 - Remote Access Tools
- T1568 - Dynamic Resolution