
Raspberry Robin Global USB Malware Campaign
The Raspberry Robin malware campaign has been spreading around the world since it first surfaced in late 2021. "Raspberry Robin" is the name Red Canary gave to a cluster of activity first observed in September 2021 that often includes a worm installed via a USB drive.
Indicators of Compromise
Domains (589)
Hashes (4629)
IPv4 (290)
CVEs (33)
APT Groups
TA505
Russian Federation
Turla Group
China
Evil Corp
Silence group
Notes
Mitigation
Replication Through Removable Media

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

Mobile devices may also be used to infect PCs with malware if connected via USB.[1] This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.[2][3] For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).

Procedure Examples

IDs link to the corresponding ATT&CK entries at https://attack.mitre.org/software/<ID> (S-prefixed) and https://attack.mitre.org/groups/<ID> (G-prefixed).

ID | Name | Description
S0092 | Agent.btz | Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.[4]
G1007 | Aoqin Dragon | Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.[5]
G0007 | APT28 | APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.[6]
S0023 | CHOPSTICK | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[7][6][8]
S0608 | Conficker | Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[9][10]
S0115 | Crimson | Crimson can spread across systems by infecting removable media.[11]
G0012 | Darkhotel | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[12]
S0062 | DustySky | DustySky searches for removable media and duplicates itself onto it.[13]
G0046 | FIN7 | FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.[14]
S0143 | Flame | Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.[15]
S0132 | H1N1 | H1N1 has functionality to copy itself to removable media.[16]
G1014 | LuminousMoth | LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.[17][18]
G0129 | Mustang Panda | Mustang Panda has used a customized PlugX variant which could spread through USB connections.[19]
S0385 | njRAT | njRAT can be configured to spread via removable drives.[20][21]
S0650 | QakBot | QakBot has the ability to use removable drives to spread through compromised networks.[22]
S0458 | Ramsay | Ramsay can spread itself by infecting other portable executable files on removable drives.[23]
S0028 | SHIPSHAPE | APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.[24]
S0603 | Stuxnet | Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.[25]
G0081 | Tropic Trooper | Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine.[26]
S0130 | Unknown Logger | Unknown Logger is capable of spreading to USB devices.[27]
S0386 | Ursnif |

References

[4] http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html
[5] https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
[6] http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf
[7] https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[8] https://www.secureworks.com/research/iron-twilight-supports-active-measures
[9] https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm
[10] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/conficker
[11] https://securelist.com/transparent-tribe-part-1/98127/
[12] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf
[13] https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf
[14] https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/
[15] https://securelist.com/the-flame-questions-and-answers-51/34344/
[16] http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2
[17] https://securelist.com/apt-luminousmoth/103332/
[18] https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited
[19] https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong
[20] https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf
[21] https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/
[22] https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files
[23] https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
[24] https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
[25] https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf
[26] https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf
[27] https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf
top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/software/S0386" style="box-sizing: border-box; background-color: transparent;">Ursnif</a> has copied itself to and infected removable drives for propagation.<span id="scite-ref-28-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" style="box-sizing: border-box; background-color: transparent;">[28]</a></span></span><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[29]</a></span></span></font></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0452" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">S0452</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0452" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">USBferry</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a 
href="https://attack.mitre.org/software/S0452" style="box-sizing: border-box; background-color: transparent;">USBferry</a> can copy its installer to attached USB storage devices.<span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" style="box-sizing: border-box; background-color: transparent;">[26]</a></span></span></font></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0136" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">S0136</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0136" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">USBStealer</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/software/S0136" style="box-sizing: border-box; background-color: transparent;">USBStealer</a> drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.<span id="scite-ref-30-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank" 
style="box-sizing: border-box; background-color: transparent;">[30]</a></span></span></font></p></td></tr></tbody></table><font><b style="">Mitigations</b></font><br></div><div style=""><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>ID</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Mitigation</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Description</font></th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/mitigations/M1040" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>M1040</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a 
href="https://attack.mitre.org/mitigations/M1040" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Behavior Prevention on Endpoint</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>On Windows 10, enable Attack Surface Reduction (ASR) rules to block unsigned/untrusted executable files (such as .exe, .dll, or .scr) from running from USB removable drives. <span id="scite-ref-31-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[31]</a></span></span></font></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/mitigations/M1042" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>M1042</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/mitigations/M1042" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Disable or Remove Feature or Program</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>Disable Autorun if it is unnecessary. 
<span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://support.microsoft.com/en-us/kb/967715" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span> Disallow or restrict removable media at an organizational policy level if it is not required for business operations. <span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></font></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/mitigations/M1034" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>M1034</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/mitigations/M1034" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Limit Hardware Installation</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>Limit the use of USB devices and removable media within a network.</font></p></td></tr></tbody></table><div><b><font>Detection</font></b></div><div><table class="table datasources-table table-bordered" style="box-sizing: border-box; border-collapse: collapse; width: 
1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; background: rgb(242, 242, 242); border-bottom: 1px solid rgb(223, 223, 223);"><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font style="">ID</font></th><th class="p-2 nowrap" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; white-space: nowrap;"><font style="">Data Source</font></th><th class="p-2 nowrap" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; white-space: nowrap;"><font style="">Data Component</font></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font style="">Detects</font></th></tr></thead><tbody style="box-sizing: border-box;"><tr class="datasource" id="uses-DS0016" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/datasources/DS0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;"><font>DS0016</font></a></td><td class="nowrap" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; white-space: nowrap;"><a href="https://attack.mitre.org/datasources/DS0016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Drive</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/datasources/DS0016/#Drive%20Creation" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Drive Creation</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>Monitor for newly constructed drive letters or mount points to removable media</font></p></td></tr><tr class="datasource" id="uses-DS0022" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/datasources/DS0022" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>DS0022</font></a></td><td class="nowrap" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; white-space: nowrap;"><a href="https://attack.mitre.org/datasources/DS0022" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;"><font>File</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/datasources/DS0022/#File%20Access" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>File Access</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>Monitor for unexpected files accessed on removable media.</font></p></td></tr><tr class="datacomponent datasource" id="uses-DS0022-File Creation" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/datasources/DS0022/#File%20Creation" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>File Creation</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>Monitor for newly constructed files on removable media</font></p></td></tr><tr class="datasource" id="uses-DS0009" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223);"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 
223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/datasources/DS0009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>DS0009</font></a></td><td class="nowrap" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; white-space: nowrap;"><a href="https://attack.mitre.org/datasources/DS0009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Process</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/datasources/DS0009/#Process%20Creation" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Process Creation</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.</font></p></td></tr></tbody></table></div><div><br></div></div></font></div>
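<p>The three mitigations in the table above map to two host-level controls a Windows administrator can set and verify directly. The following PowerShell is an added example, not code from the MITRE ATT&amp;CK page or from any vendor: it enables the ASR rule "Block untrusted and unsigned processes that run from USB" (rule ID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4), writes the KB967715 NoDriveTypeAutoRun value, sets the registry value behind the "Removable Disks: Deny execute access" policy, and reports the resulting state. It assumes a Windows 10/11 host running Microsoft Defender Antivirus as the primary AV and an elevated session; the function names are ours.</p>

```powershell
# Added example (not from the MITRE ATT&CK page): apply and verify host-level
# removable-media hardening on a Windows 10/11 endpoint with Microsoft Defender AV.
# Run in an elevated PowerShell session. Function names are ours.

# ASR rule "Block untrusted and unsigned processes that run from USB".
$UsbAsrRuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
# KB967715 AutoRun policy value (machine-wide when placed under Policies).
$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Registry backing of the Group Policy "Removable Disks: Deny execute access".
$RemovableDiskPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-UsbAsrRule {
    param([ValidateSet('AuditMode', 'Enabled', 'Warn')][string]$Action = 'AuditMode')
    # Roll out in AuditMode first: audited hits log Event ID 1122 in the
    # Microsoft-Windows-Windows Defender/Operational log without blocking anything.
    # Switch to Enabled (block, Event ID 1121) once the audit data shows no false positives.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $UsbAsrRuleId -AttackSurfaceReductionRules_Actions $Action
}

function Get-UsbAsrRuleState {
    # Returns NotConfigured, Disabled, Enabled, AuditMode or Warn for the USB rule.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $map  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $UsbAsrRuleId) {
            $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            if ($map.ContainsKey($code)) { return $map[$code] } else { return "Unknown($code)" }
        }
    }
    return 'NotConfigured'
}

function Disable-Autorun {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type (KB967715).
    if (-not (Test-Path $AutorunKey)) { New-Item -Path $AutorunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutorunKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Disable-RemovableDiskExecute {
    # Denies execute access to files on removable disks regardless of signature;
    # read and write access are unaffected, so users can still copy documents.
    if (-not (Test-Path $RemovableDiskPolicyKey)) { New-Item -Path $RemovableDiskPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $RemovableDiskPolicyKey -Name 'Deny_Execute' -Value 1 -Type DWord
}

function Test-RemovableMediaHardening {
    # One-shot compliance check: AsrUsbRule should read Enabled, the two flags $true.
    $autorun = Get-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $deny    = Get-ItemProperty -Path $RemovableDiskPolicyKey -Name Deny_Execute -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AsrUsbRule          = Get-UsbAsrRuleState
        AutorunDisabled     = ($null -ne $autorun -and $autorun.NoDriveTypeAutoRun -eq 0xFF)
        RemovableExecDenied = ($null -ne $deny -and $deny.Deny_Execute -eq 1)
    }
}

function Get-UsbAsrEvents {
    # Audit (1122) and block (1121) events from any ASR rule, narrowed to the USB rule GUID.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -imatch $UsbAsrRuleId }
}

Set-UsbAsrRule -Action AuditMode
Disable-Autorun
Disable-RemovableDiskExecute
Test-RemovableMediaHardening | Format-List
Get-UsbAsrEvents | Select-Object TimeCreated, Id, Message | Format-List
```

<p>Two caveats worth keeping in mind. Since KB971029 (2009), AutoRun on Windows 7 and later no longer launches autorun.inf commands from USB flash drives at all, only from optical media, so the NoDriveTypeAutoRun value mostly closes a gap on legacy hosts and CD/DVD; the AutoPlay prompt and a user double-clicking a masqueraded executable remain, which is why the ASR rule and Deny_Execute do the real work against the procedures listed above. And the ASR rule only blocks unsigned or untrusted images, so a signed-but-malicious loader copied to the drive passes it; Deny_Execute is the control that is independent of signature.</p>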
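<p>The Detection table points at file and process activity on removable media, and the procedure table describes three concrete on-disk patterns: an autorun.inf (Stuxnet, USBStealer, SHIPSHAPE), a hidden legitimate document shadowed by an executable of the same name (SHIPSHAPE), and shortcut lures (the Stuxnet LNK vector). The triage function below is an added example, not code from the ATT&amp;CK page or from any of the cited reports. It walks a mounted volume and reports each of those patterns; the function names are ours, and the sample drive tree it builds in the temp folder is constructed test data containing no real malware.</p>

```powershell
# Added example, not from the ATT&CK page: triage a mounted volume for the
# removable-media propagation artefacts described in the procedure table.
# The sample tree below is constructed test data; the function names are ours.

$ExecutableExt = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.dll'

function Find-RemovableMediaArtifacts {
    param([Parameter(Mandatory)][string]$Root)
    $findings = [System.Collections.Generic.List[object]]::new()
    # -Force matters: the document copies these worms hide carry the Hidden/System attributes.
    $files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue)

    # 1. autorun.inf: only honoured from the volume root, but worms drop it in subfolders too.
    foreach ($f in $files | Where-Object { $_.Name -ieq 'autorun.inf' }) {
        $findings.Add([pscustomobject]@{ Type = 'AutorunInf'; Path = $f.FullName
            Detail = ((Get-Content -LiteralPath $f.FullName) -join ' | ') })
    }

    # 2. SHIPSHAPE pattern: a hidden file and a visible executable sharing a base name in one folder.
    foreach ($dir in ($files | Group-Object DirectoryName)) {
        $hidden = $dir.Group | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
        foreach ($h in $hidden) {
            $dir.Group | Where-Object {
                $_.FullName -ne $h.FullName -and $_.BaseName -ieq $h.BaseName -and
                $ExecutableExt -contains $_.Extension.ToLower()
            } | ForEach-Object {
                $findings.Add([pscustomobject]@{ Type = 'DocumentMasquerade'; Path = $_.FullName
                    Detail = "shadows hidden file $($h.Name)" })
            }
        }
    }

    # 3. Shortcuts whose target is an executable stored on the same volume (LNK lure pattern).
    $shell    = New-Object -ComObject WScript.Shell
    $rootPath = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    foreach ($l in $files | Where-Object { $_.Extension -ieq '.lnk' }) {
        $target = $shell.CreateShortcut($l.FullName).TargetPath
        if ($target -and $target.StartsWith("$rootPath\", [StringComparison]::OrdinalIgnoreCase) -and
            $ExecutableExt -contains [IO.Path]::GetExtension($target).ToLower()) {
            $findings.Add([pscustomobject]@{ Type = 'LnkToLocalExecutable'; Path = $l.FullName; Detail = "target $target" })
        }
    }
    return $findings
}

function New-SampleInfectedVolume {
    # Constructed sample data mimicking an infected drive root (no real malware).
    $root = Join-Path ([IO.Path]::GetTempPath()) ('usb-triage-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $root | Out-Null
    Set-Content -LiteralPath (Join-Path $root 'autorun.inf') -Value @('[autorun]', 'open=report.exe', 'action=Open folder to view files')
    Set-Content -LiteralPath (Join-Path $root 'report.docx') -Value 'benign document body'
    $doc = Get-Item -LiteralPath (Join-Path $root 'report.docx')
    $doc.Attributes = $doc.Attributes -bor [IO.FileAttributes]::Hidden
    Set-Content -LiteralPath (Join-Path $root 'report.exe') -Value 'placeholder text, not a PE image'
    Set-Content -LiteralPath (Join-Path $root 'notes.txt') -Value 'unrelated file'
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut((Join-Path $root 'Photos.lnk'))
    $lnk.TargetPath = Join-Path $root 'report.exe'
    $lnk.Save()
    return $root
}

$sample = New-SampleInfectedVolume
try     { Find-RemovableMediaArtifacts -Root $sample | Format-Table Type, Path, Detail -AutoSize }
finally { Remove-Item -LiteralPath $sample -Recurse -Force }

# Against real media, enumerate removable volumes and triage each one:
# Get-Volume | Where-Object DriveType -eq 'Removable' |
#     ForEach-Object { Find-RemovableMediaArtifacts -Root ($_.DriveLetter + ':\') }
```

<p>On the constructed sample this reports three findings: the autorun.inf, report.exe shadowing the hidden report.docx, and Photos.lnk pointing at report.exe. The same removable drive-letter set from Get-Volume is the join key for the Process Creation row of the Detection table: a Sysmon Event ID 1 or Security 4688 record whose image path starts with one of those letters is exactly the "process executed from removable media after it is mounted" the table asks you to monitor for.</p>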