# Portable Media

### **Understanding the Attack**

**Definition**

A portable media attack involves distributing malicious files via removable media devices. The victim is deceived into executing the file, which then performs harmful actions on their system. In Lucy's context, success is measured by retrieving the executed data from the victim's computer.

***

### **Checklist**

* [x] [Register an Attack Domain](https://wiki.lucysecurity.com/application-reference/settings/common-system-settings/domains#register-a-domain-via-the-domain-registration-wizard)
* [x] [Add a Portable Media Attack to your Campaign](https://wiki.lucysecurity.com/application-reference/campaigns/campaign-settings/main-settings/attack-simulation)
* [x] [Ensure the success action is File Data Received](https://wiki.lucysecurity.com/application-reference/campaigns/campaign-settings/main-settings/attack-simulation#success-action)
* [x] [Ensure the File is excluded from Anti-Virus scanning in your infrastructure](https://wiki.lucysecurity.com/guides/whitelisting-a-lucy-server/file-attack-whitelisting)

***

### **Real-world Examples**

* **USB Stick in Public Places:** A USB stick labeled "Confidential - Company Financials" is left in a company parking lot. An employee finds it and inserts it into their computer out of curiosity, executing the malicious file.
* **CD with Company Branding:** A CD labeled "Employee Benefits Overview" is mailed to employees. When they insert the CD and open the file, it executes malicious code.
* **Infected SD Cards:** An SD card labeled "Project Files" is distributed at a conference. Attendees insert the card into their computers to access the files, unknowingly executing the malicious software.

***

### Configuration

**Create a New Campaign:**

* Navigate to the Campaigns Dashboard and select the "New Campaign" button. Choose the "Attack Simulation" campaign type.

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FuELK39tC1eKRq5sCWAOX%2Fimage.png?alt=media&#x26;token=9a7fc001-e60c-4205-aabd-8e7607c66b96" alt="" width="563"><figcaption></figcaption></figure>

#### **Choose Attack Type:**

* Select -> **Skip Wizard and enable expert setup**

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FYacAPKN3OQbwlXv2dHED%2Fimage.png?alt=media&#x26;token=f7f2c667-79e1-4c2d-9076-e6e266849d71" alt="" width="563"><figcaption></figcaption></figure>

#### Give the scenario a name and client:

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FzN8Lum3tKyycOd6Mz7OZ%2Fimage.png?alt=media&#x26;token=f975122d-be6d-4110-8ccc-0a3584c16cc9" alt=""><figcaption></figcaption></figure>

#### Navigate to Attack Settings and select New Scenario:

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FsVdj8uYjXmHHiGDYxrXU%2Fimage.png?alt=media&#x26;token=2a381aed-4db9-4d2b-9ef6-64a4b4fde197" alt="" width="563"><figcaption></figcaption></figure>

**Select the Portable Media Attack Template:**

* Select the "Portable Media Attack" scenario and click "Use template".

{% hint style="info" %}
If it's not available, download it by first navigating to **Templates ->** [**Download Templates**](https://wiki.lucysecurity.com/application-reference/templates/download-templates) and searching for "**Portable Media Attack**".
{% endhint %}

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2F5Z1JunOYimA1odiRMiBA%2Fimage.png?alt=media&#x26;token=73884cc9-b8ea-4561-831b-c5242b8346f1" alt="" width="563"><figcaption></figcaption></figure>

**Give the Scenario a Name and Pick a Domain:**

* Specify the domain or IP used upon execution. The malware simulation will send data back to this host.
* Specify what constitutes a successful attack (by default this is set to "Data Submit"), then click "Save".

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2Fj4wwUre6CC2bBfoScg0l%2Fimage.png?alt=media&#x26;token=b962559a-16fa-42ee-be5b-d321dfdf39fb" alt=""><figcaption></figcaption></figure>

**Add your Portable Media recipient group:**

{% hint style="info" %}
Portable Media recipients are automatically generated by the system to track each file created for a portable media device and do not use company email addresses.
{% endhint %}

* Navigate to **Configuration -> Recipients -> "Add Group"**
* Add your Portable Media recipient group:

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2F8TmsrBbvPRhhBflspEUs%2Fimage.png?alt=media&#x26;token=059bd8e5-f12b-481c-a12b-c8552a035a10" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FwTgpVTuCwD7OShq2aaQb%2Fimage.png?alt=media&#x26;token=4f92d358-cc70-4cac-a61d-4b0209d53fea" alt=""><figcaption></figcaption></figure>

<details>

<summary>I received an error "Incompatible recipient group type"</summary>

This error occurs when you select a recipient group that is not optimized for a Portable Media Attack.

**Solution:**

Navigate to **Users -> Recipient Groups -> Select "New Group"**

Enter the group name, and associated client:

![](https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FBlHQcjGMbTKrco7DnWqc%2Fimage.png?alt=media\&token=6c282af0-6c7d-4896-a29f-94f03b3e93a1)

Be sure to enable the checkbox for "**Portable Media Attack**" and specify the number of items you will load the files onto.

</details>

**Download Files:**

* Navigate to **Results -> Summary -> Select "Download Files"**

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FpuvvtK99MMYpfncIEST0%2Fimage.png?alt=media&#x26;token=53524220-435a-427c-9fed-075bdc37b502" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Because payloads are created dynamically, these file-based attack files are not signed with code signing certificates and may trigger antivirus alerts. To mitigate this, whitelist these files by their path for testing purposes. Additionally, update the Group Policy Object to apply these changes for the company-wide simulation.

Please refer to our guide on [**File Attack Whitelisting**](https://wiki.lucysecurity.com/guides/whitelisting-a-lucy-server/file-attack-whitelisting)
{% endhint %}

#### Upload Files to Portable Media:

* Once these files are downloaded, they can be extracted from their zip file.
* Place each file on an individual Portable Media device.
* Distribute these Portable Media devices among your organization.

#### Start Campaign:

* Start the campaign and wait for the configuration checks to complete

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FOmzdnre1eAvN05xUz4Eb%2Fimage.png?alt=media&#x26;token=1cc8aa15-7f0e-42bc-a014-c57688924db7" alt=""><figcaption></figcaption></figure>

* When the campaign starts, LUCY will wait for incoming requests from the executed files.

***

### Payload Execution Process

The Portable Media attack uses a Console Post to run the `ipconfig` and `whoami` commands. The goal is to identify users who access unknown media and execute the payload, which is likely named "Yearly Bonus Report."

{% hint style="warning" %}
Portable Media Attacks are not classified as Keyloggers and will not run automatically.
{% endhint %}

#### Payload Data Received

After a user has successfully executed the file, Lucy will capture the output data and display a success metric on the Summary Dashboard:

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2FYqL9Dzb7IL8SfzAEZ43j%2Fimage.png?alt=media&#x26;token=4759ab1f-ddfd-43eb-baba-b876e5fa6259" alt=""><figcaption></figcaption></figure>

* To observe the output from the file execution, navigate to **Results -> Statistics -> Collected Data**
* Click the **"command\_line\_output.txt"** to view the output data

<figure><img src="https://3536856424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVYPsDfg76rUuy4DWfSsJ%2Fuploads%2F7YLEcuKbQqtlpvtivKPB%2Fimage.png?alt=media&#x26;token=500996e9-b549-4f0b-8f2c-265642b21e23" alt=""><figcaption></figcaption></figure>

#### Example Output:

```text
[ipconfig]

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   IPv4 Address. . . . . . . . . . . : 10.0.0.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.2

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

[whoami]
visvang\nick
```
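
When collating results from many devices, the collected file can be parsed into a structured record. The following Python sketch is an added example, not part of Lucy or its documentation: it splits a `command_line_output.txt` in the layout shown above into its `[command]` sections and extracts the account, domain and IPv4 addresses. The function name and sample data are constructed, and English-locale `ipconfig` labels are assumed.

```python
import re

# Constructed sample mirroring the layout of the example output above.
SAMPLE = r"""[ipconfig]

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   IPv4 Address. . . . . . . . . . . : 10.0.0.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.2

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected

[whoami]
EXAMPLECORP\jdoe
"""

SECTION = re.compile(r"^\[(\w+)\]\s*$")          # e.g. "[ipconfig]"
HEADER = re.compile(r"^(\S.*):\s*$")             # unindented adapter header
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")   # indented "Label . . . : value"

def parse_collected_output(text):
    """Return domain, user, IPv4 list and per-adapter fields (assumed layout)."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    adapters, name = {}, None
    for line in sections.get("ipconfig", []):
        h, f = HEADER.match(line), FIELD.match(line)
        if h:
            name = h.group(1)
            adapters[name] = {}
        elif f and name:
            adapters[name][f.group(1).strip()] = f.group(2).strip()
    # whoami prints DOMAIN\user; a local account without a domain is handled too.
    account = next((l.strip() for l in sections.get("whoami", []) if l.strip()), "")
    domain, _, user = account.rpartition("\\")
    ipv4 = [a["IPv4 Address"] for a in adapters.values() if "IPv4 Address" in a]
    return {"domain": domain, "user": user, "ipv4": ipv4, "adapters": adapters}
```

Adapters that are disconnected carry no `IPv4 Address` field and are therefore left out of the `ipv4` list while still appearing under `adapters`.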

***
