The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples:
E:\ on a Windows machine.\\server\share is mapped to the drive Z:\./mnt/virtualdrive using an ISO image or a virtual hard disk (VHD).G:\ on a Windows machine using a cloud sync tool./mnt/external on a Linux system..| Name | Channel |
|---|---|
| auditd:SYSCALL | mknod,open,openat |
| auditd:SYSCALL | Removable media mount notification |
| auditd:SYSCALL | device event logs |
| auditd:SYSCALL | udev events or drive enumeration involving TinyPilot paths or device classes |
| auditd:SYSCALL | Kernel Device Events - USB Block Devices |
| Drive | None |
| journald:systemd | udisks2 or udevd logs |
| linux:osquery | mount_events |
| linux:syslog | Device attach logs containing TinyPilot/PiKVM identifiers |
| linux:syslog | New HID device enumeration with type 'keyboard' followed by immediate input injection |
| macos:unifiedlog | mounted|appeared|DA: disk* attached |
| macos:unifiedlog | com.apple.diskarbitration |
| macos:unifiedlog | Volume Mount + File Read |
| macos:unifiedlog | Hardware enumeration events via IOKit or USBMuxd showing TinyPilot or unknown keyboard/mouse |
| macos:unifiedlog | Volume Mount + Process Trace + File Read |
| macos:unifiedlog | log stream --predicate 'eventMessage contains "USBMSC"' |
| macos:unifiedlog | New IOUSB keyboard/HID device enumerated with suspicious attributes |
| maos:osquery | mount_events |
| WinEventLog:System | Kernel-PnP 410/400 device install, disk added |
| WinEventLog:System | EventCode=1006 |
| WinEventLog:System | EventCode=1006, 10001 |
| WinEventLog:System | EventCode=2003 |