Drive Access

Drive access refers to the act of accessing a data storage device, such as a hard drive, SSD, USB drive, or network-mounted drive. This data component logs the opening or mounting of drives and captures activities such as reading, writing, or executing files under an assigned drive letter (e.g., C:\) or mount point (e.g., /mnt/drive). Examples:

  • Removable Drive Insertion: A USB drive is inserted, assigned the letter F:\, and files are accessed.
  • Network Drive Mounting: A network share \\server\share is mapped to the drive Z:\.
  • External Hard Drive Access: An external drive is connected, mounted at /mnt/backup, and accessed for copying files.
  • System Volume Access: The system volume C:\ is accessed for modifications to critical files.
  • Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts.

ID: DC0054
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name                Channel
auditd:SYSCALL      open/write syscalls on /dev/sd* or /dev/nvme*
auditd:SYSCALL      write syscalls to /dev/sd* targeting offset 0
auditd:SYSCALL      open/write syscalls to block devices (/dev/sd*, /dev/nvme*)
fs:fsusage          open/read/mount operations
linux:osquery       hardware_events
linux:syslog        mount/umount or file copy logs
macos:osquery       usb_devices
WinEventLog:Sysmon  EventCode=9
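
The following is an added example (not part of the ATT&CK page or any MITRE tooling) showing how two of the log sources above can be consumed: it correlates auditd SYSCALL and PATH records by event serial to flag successful opens of /dev/sd* or /dev/nvme* block devices, and filters Sysmon EventCode 9 (RawAccessRead) records against an allowlist of images expected to read raw volumes. The sample records and the allowlist entry are constructed for illustration; the allowlist is an assumption to be tuned per environment.

```python
"""Flag raw drive access in constructed auditd and Sysmon event samples."""
import re
from collections import defaultdict

BLOCK_DEV = re.compile(r"^/dev/(sd[a-z]+\d*|nvme\d+n\d+(p\d+)?)$")
AUDIT_MSG = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")   # captures the event serial
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value or key="value"
# Assumed allowlist of images that legitimately read raw volumes (e.g. VSS); tune per estate.
RAW_READ_ALLOW = {r"c:\windows\system32\vssvc.exe"}

def audit_block_device_access(lines):
    """Group auditd records by serial, then report SYSCALL events whose PATH is a block device."""
    events = defaultdict(lambda: {"PATH": []})
    for line in lines:
        m = AUDIT_MSG.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV.findall(line)}
        ev = events[m.group(1)]
        if rec.get("type") == "PATH":
            ev["PATH"].append(rec)          # an event may carry several PATH records
        else:
            ev[rec.get("type")] = rec
    hits = []
    for ev in events.values():
        sc = ev.get("SYSCALL")
        if not sc or sc.get("success") != "yes":
            continue                        # ignore failed opens
        for p in ev["PATH"]:
            if BLOCK_DEV.match(p.get("name", "")):
                hits.append({"comm": sc.get("comm"), "exe": sc.get("exe"),
                             "device": p["name"], "syscall": sc.get("syscall")})
    return hits

def sysmon_raw_access_read(events):
    """Sysmon EventCode 9 (RawAccessRead): return records whose Image is not allowlisted."""
    return [e for e in events
            if e.get("EventCode") == 9 and e.get("Image", "").lower() not in RAW_READ_ALLOW]

AUDIT_SAMPLE = [  # constructed records, not captured from a real host
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 '
    'pid=4242 uid=0 comm="dd" exe="/usr/bin/dd"',
    'type=PATH msg=audit(1700000000.101:501): item=0 name="/dev/sda" inode=5 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=4 '
    'pid=4300 uid=1000 comm="cat" exe="/usr/bin/cat"',
    'type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/hostname" inode=9 nametype=NORMAL',
]
SYSMON_SAMPLE = [  # constructed Sysmon events
    {"EventCode": 9, "Image": r"C:\Windows\System32\vssvc.exe", "Device": r"\Device\HarddiskVolume2"},
    {"EventCode": 9, "Image": r"C:\Users\Public\tool.exe", "Device": r"\Device\HarddiskVolume2"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]
```

Only the /dev/sda open and the non-allowlisted RawAccessRead are reported; the "write at offset 0" source listed above needs syscall arguments (pwrite/lseek) that this correlation does not inspect.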

Detection Strategy