Drive Access

Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., C:\, /mnt/drive) or mount point. Examples:

  • Removable Drive Insertion: A USB drive is inserted, assigned the letter F:\, and files are accessed.
  • Network Drive Mounting: A network share \\server\share is mapped to the drive Z:\.
  • External Hard Drive Access: An external drive is connected, mounted at /mnt/backup, and accessed for copying files.
  • System Volume Access: The system volume C:\ is accessed for modifications to critical files.
  • Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts.

This data component can be collected through the following measures:

Windows Event Logs

  • Relevant Events:
      • Event ID 4663: "An attempt was made to access an object." Logs the access that actually occurred (read, write, delete, execute) to a file or folder, with the AccessMask that was exercised.
      • Event ID 4656: "A handle to an object was requested." Records the rights asked for when a handle to a file, folder or volume is opened, before any access happens; pair it with 4663 to see which requested rights were used.
  • Configuration:
      • Enable auditing for "Object Access" in Local Security Policy; at minimum the File System and Removable Storage subcategories.
      • Use Group Policy for broader deployment: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access.
      • Caveat: File System auditing only produces 4656/4663 for objects whose SACL covers the accessing principal and access type, so a drive root or folder must carry an audit ACE. The Removable Storage subcategory is the exception: it logs 4663 for every access to a removable device without requiring a SACL.
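The following is an added example (not MITRE's code, and not from any product) showing what a collector does with the 4663 records once Object Access auditing is on: parse the event XML, decode the AccessMask into named rights, derive the drive root from ObjectName, and apply two simple rules. The baseline drive set, the critical-path prefixes and the three sample events are constructed assumptions for a hypothetical host, not real telemetry.

```python
"""Decode Windows Security Event ID 4663 records and flag drive access outside a baseline."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the ACCESS_MASK bits 4663 reports for file objects (standard Windows values;
# names shortened for readability).
ACCESS_BITS = {
    0x00001: "ReadData",
    0x00002: "WriteData",
    0x00004: "AppendData",
    0x00020: "Execute",
    0x00040: "DeleteChild",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
WRITE_LIKE = 0x00002 | 0x00004 | 0x00040 | 0x10000 | 0x40000 | 0x80000

# Assumptions for the hypothetical host: the only drive it normally touches, and
# system-volume paths where any write-like access deserves an alert.
BASELINE_DRIVES = {"C:"}
CRITICAL_PREFIXES = (r"C:\Windows\System32\drivers\etc", r"C:\Windows\System32\config")


def _event(user, obj, proc, mask):
    """Build one 4663 record in the XML shape wevtutil/WEF emit (constructed sample, not captured)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4663</EventID><Computer>WS01</Computer></System>"
        "<EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        '<Data Name="ObjectType">File</Data>'
        f'<Data Name="ObjectName">{obj}</Data>'
        f'<Data Name="ProcessName">{proc}</Data>'
        f'<Data Name="AccessMask">{mask}</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [  # constructed, not real telemetry
    _event("alice", r"C:\Users\alice\notes.txt", r"C:\Windows\explorer.exe", "0x1"),
    _event("alice", r"F:\finance\payroll.xlsx", r"C:\Windows\explorer.exe", "0x2"),
    _event("bob", r"C:\Windows\System32\drivers\etc\hosts", r"C:\Windows\System32\notepad.exe", "0x10002"),
]


def decode_mask(mask):
    """Expand an AccessMask integer into the named rights it contains, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def drive_of(path):
    r"""Return the drive root ("F:") of a local path, or \\server\share for a UNC path."""
    if path.startswith("\\\\"):
        parts = path.strip("\\").split("\\")
        return "\\\\" + "\\".join(parts[:2])
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def parse_4663(xml_text):
    """Parse one event into a flat dict; return None for anything that is not a 4663."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
        return None
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    mask = int(data["AccessMask"], 16)
    return {
        "user": data["SubjectUserName"],
        "object": data["ObjectName"],
        "process": data["ProcessName"],
        "drive": drive_of(data["ObjectName"]),
        "mask": mask,
        "rights": decode_mask(mask),
    }


def flag_drive_access(xml_events, baseline=BASELINE_DRIVES, critical=CRITICAL_PREFIXES):
    """Rule 1: any access to a drive outside the baseline. Rule 2: write-like access
    to a critical system path. Returns one alert dict per hit, in event order."""
    alerts = []
    lowered = tuple(p.lower() for p in critical)
    for ev in filter(None, map(parse_4663, xml_events)):
        if ev["drive"] and ev["drive"] not in baseline:
            alerts.append({**ev, "reason": f"access to non-baseline drive {ev['drive']}"})
        elif ev["mask"] & WRITE_LIKE and ev["object"].lower().startswith(lowered):
            alerts.append({**ev, "reason": "write-like access to critical system path"})
    return alerts


if __name__ == "__main__":
    for alert in flag_drive_access(SAMPLE_EVENTS):
        print(alert["user"], alert["process"], alert["object"], alert["rights"], "->", alert["reason"])
```

On a real host the F:\ access only appears in the Security log if F:\ carries an audit ACE or the Removable Storage subcategory is enabled; the rules above assume that precondition is met.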

Linux System Logs

  • Command-Line Monitoring: Use dmesg -w or journalctl -k -f to follow kernel messages for drive attach, mount and unmount events.
  • Auditd Configuration: Add an audit rule for the mount point: auditctl -w /mnt/drive -p rwxa -k drive_access. A watch on a directory covers its whole subtree; persist the rule under /etc/audit/rules.d/ so it survives a reboot.
  • Review logs with ausearch -k drive_access, or read /var/log/audit/audit.log directly and correlate the SYSCALL, CWD and PATH records of one access by their shared msg=audit(timestamp:serial) identifier.
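An added example (not MITRE's code) of that correlation step: it groups the multi-line records the auditctl rule above produces into one event per syscall, classifies each as a read, write or delete from the syscall number and open flags, and flags writes or deletes by users outside an allowed set. The audit.log excerpt is constructed for this example, the syscall numbers are the x86_64 ones, and the allowed-writer set is an assumption.

```python
"""Correlate auditd records from `-w /mnt/drive -p rwxa -k drive_access` into one event per syscall."""
import re

# x86_64 syscall numbers auditd reports for the accesses a -p rwxa watch catches.
SYSCALLS = {0: "read", 1: "write", 2: "open", 59: "execve", 87: "unlink", 257: "openat", 263: "unlinkat"}
O_ACCMODE_WRITE = 0o1 | 0o2   # O_WRONLY | O_RDWR

REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit.log excerpt (not captured from a real host): a copy into the mount
# by auid 1000, then a read and a delete of the same file by auid 1001.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1729500000.123:4521): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a2e2a0 a2=80241 a3=1b6 items=2 ppid=1210 pid=3311 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="cp" exe="/usr/bin/cp" key="drive_access"
type=CWD msg=audit(1729500000.123:4521): cwd="/home/alice"
type=PATH msg=audit(1729500000.123:4521): item=0 name="/mnt/drive/" inode=2 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1729500000.123:4521): item=1 name="/mnt/drive/customers.db" inode=17 dev=08:11 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1729500012.410:4526): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c1f2a10 a2=0 a3=0 items=1 ppid=1305 pid=3340 auid=1001 uid=1001 gid=1001 euid=1001 ses=4 comm="cat" exe="/usr/bin/cat" key="drive_access"
type=CWD msg=audit(1729500012.410:4526): cwd="/home/bob"
type=PATH msg=audit(1729500012.410:4526): item=0 name="/mnt/drive/customers.db" inode=17 dev=08:11 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1729500020.007:4530): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55a1e8b3c2c0 a2=0 a3=0 items=2 ppid=1305 pid=3355 auid=1001 uid=1001 gid=1001 euid=1001 ses=4 comm="rm" exe="/usr/bin/rm" key="drive_access"
type=CWD msg=audit(1729500020.007:4530): cwd="/home/bob"
type=PATH msg=audit(1729500020.007:4530): item=0 name="/mnt/drive/" inode=2 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1729500020.007:4530): item=1 name="/mnt/drive/customers.db" inode=17 dev=08:11 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
"""


def parse_audit(lines):
    """Group raw records by their audit(ts:serial) id; SYSCALL fields are merged into the
    event, PATH items are collected as (name, nametype) pairs."""
    events = {}
    for line in lines:
        m = REC_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        ev = events.setdefault(serial, {"ts": float(ts), "serial": int(serial), "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH":
            ev["paths"].append((fields.get("name"), fields.get("nametype")))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
    return [events[s] for s in sorted(events, key=int)]


def operation(ev):
    """Classify the access: open/openat are read or write depending on the flags argument
    (a1 for open, a2 for openat, reported in hex); unlink variants are deletes."""
    num = int(ev.get("syscall", -1))
    name = SYSCALLS.get(num, f"syscall_{num}")
    if name in ("open", "openat"):
        flags = int(ev["a1" if name == "open" else "a2"], 16)
        return "write" if flags & O_ACCMODE_WRITE else "read"
    if name in ("unlink", "unlinkat"):
        return "delete"
    return name


def drive_access_events(lines, key="drive_access"):
    """Return successful accesses tagged with the watch key, one summary dict each."""
    out = []
    for ev in parse_audit(lines):
        if ev.get("key") != key or ev.get("success") != "yes":
            continue
        target = next((n for n, t in ev["paths"] if t != "PARENT"), None)
        out.append({"serial": ev["serial"], "auid": int(ev["auid"]), "comm": ev["comm"],
                    "exe": ev["exe"], "op": operation(ev), "path": target})
    return out


def flag_unexpected(events, allowed_writers):
    """Writes and deletes on the mount by a login uid (auid) outside the allowed set."""
    return [e for e in events if e["op"] in ("write", "delete") and e["auid"] not in allowed_writers]


if __name__ == "__main__":
    evs = drive_access_events(SAMPLE_AUDIT_LOG.splitlines())
    for e in evs:
        print(e["serial"], e["auid"], e["comm"], e["op"], e["path"])
    print("flagged:", [e["serial"] for e in flag_unexpected(evs, allowed_writers={1000})])
```

Keying on auid rather than uid matters here: auid is the login uid and survives su/sudo, so a delete performed through an escalated shell is still attributed to the person who logged in.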

macOS System Logs

  • Command-Line Monitoring: Use diskutil list to enumerate attached disks, partitions and their mount points, and fs_usage -w -f filesys (as root) to trace live file system calls against a mount point.
  • Unified Logs: Query unified logs using log show for drive-related activities, e.g. log show --predicate 'eventMessage CONTAINS "mount"' --info --last 1h. A predicate filters inside logd and is far cheaper than dumping the whole log through grep.

Endpoint Detection and Response (EDR) Tools

  • Use EDR solutions to monitor drive activities and collect detailed forensic data.

SIEM Tools

  • Ingest logs from endpoints to detect drive access patterns. Configure rules to alert on unusual or unauthorized drive access, for example a user's first access to a removable drive letter, a raw volume read by a process that is not a known backup or imaging tool, or a bulk copy to a newly mapped share.

ID: DC0054
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                 Channel
auditd:SYSCALL       open/write syscalls on /dev/sd* or /dev/nvme*
auditd:SYSCALL       write syscalls to /dev/sd* targeting offset 0
auditd:SYSCALL       open/write syscalls to block devices (/dev/sd*, /dev/nvme*)
fs:fsusage           open/read/mount operations
linux:osquery        hardware_events
linux:syslog         mount/umount or file copy logs
macos:osquery        usb_devices
WinEventLog:Sysmon   EventCode=9 (RawAccessRead)
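Sysmon Event ID 9 is the Windows source in the table that catches what file-level auditing misses: a process opening the volume itself through a \\.\ device handle, which is how disk imaging and raw access to locked files such as the SAM bypass 4663. The following added example (not MITRE's code, nor Sysmon's) is the kind of SIEM rule the previous section refers to, run over constructed Event ID 9 records; the allowlisted image and the per-process volume threshold are assumptions for a hypothetical host.

```python
"""Triage Sysmon Event ID 9 (RawAccessRead): processes reading a volume via a raw device handle."""
from collections import defaultdict

# Assumed host baseline: images expected to open raw volumes, and how many distinct
# volumes a single process may read before that alone is suspicious.
ALLOWED_RAW_READERS = {r"c:\windows\system32\vssvc.exe"}
MAX_VOLUMES_PER_PROCESS = 1

# Constructed sample records with the fields Sysmon writes for Event ID 9, already
# split out of EventData as a SIEM would present them; not captured from a real host.
SAMPLE_SYSMON9 = [
    {"UtcTime": "2025-10-21 09:12:03.511", "ProcessGuid": "{guid-a1}", "ProcessId": "1840",
     "Image": r"C:\Windows\System32\vssvc.exe", "Device": r"\Device\HarddiskVolume3"},
    {"UtcTime": "2025-10-21 09:40:17.002", "ProcessGuid": "{guid-b2}", "ProcessId": "5120",
     "Image": r"C:\Users\alice\Downloads\imgtool.exe", "Device": r"\Device\HarddiskVolume3"},
    {"UtcTime": "2025-10-21 09:40:18.318", "ProcessGuid": "{guid-b2}", "ProcessId": "5120",
     "Image": r"C:\Users\alice\Downloads\imgtool.exe", "Device": r"\Device\HarddiskVolume1"},
]


def triage_raw_reads(events, allowed=ALLOWED_RAW_READERS, max_volumes=MAX_VOLUMES_PER_PROCESS):
    """Rule 1: any raw read by an image outside the allowlist. Rule 2: one process instance
    (ProcessGuid) reading more distinct volumes than the threshold, which looks like imaging."""
    alerts = []
    volumes = defaultdict(set)   # (ProcessGuid, image) -> devices read
    last_seen = {}               # (ProcessGuid, image) -> latest UtcTime
    for ev in events:
        image = ev["Image"].lower()
        key = (ev["ProcessGuid"], image)
        volumes[key].add(ev["Device"])
        last_seen[key] = ev["UtcTime"]
        if image not in allowed:
            alerts.append({"time": ev["UtcTime"], "image": ev["Image"], "device": ev["Device"],
                           "reason": "raw volume read by process outside allowlist"})
    for key, devices in volumes.items():
        if len(devices) > max_volumes:
            alerts.append({"time": last_seen[key], "image": key[1], "device": sorted(devices),
                           "reason": f"one process read {len(devices)} distinct volumes"})
    return alerts


if __name__ == "__main__":
    for alert in triage_raw_reads(SAMPLE_SYSMON9):
        print(alert["time"], alert["image"], alert["device"], "->", alert["reason"])
```

The Device field names the NT volume object, not a drive letter; to tie \Device\HarddiskVolume3 back to F:\ or C:\ on the host, compare it against the Volume Name column of fltmc volumes, and expect an allowlist like the one above to need per-environment tuning for backup agents and disk utilities.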

Detection Strategy