MITRE ATT&CK Technique
Lateral Movement T1091
Description

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled).

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:31:08.977Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may move onto systems, possibly those on '
                'disconnected or air-gapped networks, by copying malware to '
                'removable media and taking advantage of Autorun features when '
                'the media is inserted into a system and executes. In the case '
                'of Lateral Movement, this may occur through modification of '
                'executable files stored on removable media or by copying '
                'malware and renaming it to look like a legitimate file to '
                'trick users into executing it on a separate system. In the '
                'case of Initial Access, this may occur through manual '
                'manipulation of the media, modification of systems used to '
                "initially format the media, or modification to the media's "
                'firmware itself.\n'
                '\n'
                'Mobile devices may also be used to infect PCs with malware if '
                'connected via USB.(Citation: Exploiting Smartphone USB ) This '
                'infection may be achieved using devices (Android, iOS, etc.) '
                'and, in some instances, USB charging cables.(Citation: '
                'Windows Malware Infecting Android)(Citation: iPhone Charging '
                'Cable Hack) For example, when a smartphone is connected to a '
                'system, it may appear to be mounted similar to a '
                'USB-connected disk drive. If malware that is compatible with '
                'the connected system is on the mobile device, the malware '
                'could infect the machine (especially if Autorun features are '
                'enabled).',
 'external_references': [{'external_id': 'T1091',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1091'},
                         {'description': 'Lucian Constantin. (2014, January '
                                         '23). Windows malware tries to infect '
                                         'Android devices connected to PCs. '
                                         'Retrieved May 25, 2022.',
                          'source_name': 'Windows Malware Infecting Android',
                          'url': 'https://www.computerworld.com/article/2486903/windows-malware-tries-to-infect-android-devices-connected-to-pcs.html'},
                         {'description': 'Zack Whittaker. (2019, August 12). '
                                         'This hacker’s iPhone charging cable '
                                         'can hijack your computer. Retrieved '
                                         'May 25, 2022.',
                          'source_name': 'iPhone Charging Cable Hack',
                          'url': 'https://techcrunch.com/2019/08/12/iphone-charging-cable-hack-computer-def-con/'},
                         {'description': 'Zhaohui Wang & Angelos Stavrou. '
                                         '(n.d.). Exploiting Smart-Phone USB '
                                         'Connectivity For Fun And Profit. '
                                         'Retrieved May 25, 2022.',
                          'source_name': 'Exploiting Smartphone USB ',
                          'url': 'https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.226.3427&rep=rep1&type=pdf'}],
 'id': 'attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'lateral-movement'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'}],
 'modified': '2025-10-24T17:48:40.752Z',
 'name': 'Replication Through Removable Media',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Joas Antonio dos Santos, @C0d3Cr4zy'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.3'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (10)
coinbasecartel
High
Mustang Panda
High
Tropic Trooper
High
Gamaredon Group
High
LuminousMoth
High
View All 10 Actors
Back to TTPs
Dashboard About