{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/removable-media/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["initial-access","removable-media","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential initial access attempts where adversaries use removable media, such as USB drives, to introduce malware into systems, potentially those on disconnected or air-gapped networks. The attack relies on copying malware to the removable media and taking advantage of Autorun or user execution to initiate the malicious process. The rule focuses on identifying suspicious process executions from USB devices lacking valid code signatures, followed by network connection attempts, indicating a potential attempt to establish command and control or exfiltrate data. This activity is significant as it can bypass traditional network security measures and establish a foothold within an organization\u0026rsquo;s environment. The detection logic is based on Elastic Defend telemetry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker copies malware onto a USB drive from an infected system.\u003c/li\u003e\n\u003cli\u003eThe attacker physically inserts the USB drive into a target Windows system.\u003c/li\u003e\n\u003cli\u003eThe user, either unknowingly or through social engineering, executes the malicious binary from the USB drive. This could be achieved through Autorun features (if enabled) or by manually clicking on an executable file.\u003c/li\u003e\n\u003cli\u003eThe executed process, now running on the target system, lacks a valid code signature, raising suspicion.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to establish a network connection, potentially to a command and control server or to exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe network connection attempt is logged, capturing details about the destination IP address and port.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can potentially perform reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, system compromise, and potential lateral movement within the network. Although the risk score is low, such attacks on air-gapped systems are high impact. The number of victims is unknown; however, organizations across all sectors are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation and network connection logging to detect this type of activity (logs-endpoint.events.process-* and logs-endpoint.events.network-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution from a Removable Media with Network Connection\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDisable Autorun features on all systems to prevent automatic execution of programs from removable media.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-removable-media-execution/","summary":"Detects process execution from removable media by an unusual process with untrusted code signature followed by network connection attempts, potentially indicating malware introduced via removable media for initial access.","title":"Execution from Removable Media with Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-removable-media-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Removable-Media","version":"https://jsonfeed.org/version/1.1"}