MITRE ATT&CK™ Analysis - T1091 Replication Through Removable Media

Replication Through Removable Media

Going to go out and quote MITRE here:

“Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media’s firmware itself.”

Replication Through Removable Media Analysis

Lab Example

RED TEAM: ATTACK

In the below example we have planted specialised “malware” on a victims machine (calc.exe); however, we want to move laterally to another less secure ‘airgapped’ machine. We setup a rough query process in the form of a PowerShell script which is continuously searching for a USB called “CyberRaiju”. This active PowerShell script can be seen through live triage by searching for the command line of the PowerShell script.

Upon inserting a USB with the name ‘CyberRaiju’ the PowerShell script copies the malware and an autorun file over to the USB before making these hidden and terminating the process.

The end result is that when this is plugged into their older, less secure environment the malware will trigger from the autoruns file and execute on the airgapped machine.

BLUE TEAM: DEFEND

In addition to the above Live Triage technique, this can be seen through Sysmon process create events.