A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter[1]
Opening of a data storage device with an assigned drive letter or mount point
Opening of a data storage device with an assigned drive letter or mount point
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1092 | Communication Through Removable Media |
Monitor for unexpected file access on removable media |
|
| Enterprise | T1006 | Direct Volume Access |
Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives. [2] |
|
| Enterprise | T1561 | Disk Wipe |
Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
|
| .001 | Disk Content Wipe |
Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
||
| .002 | Disk Structure Wipe |
Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
||
Initial construction of a drive letter or mount point to a data storage device
Initial construction of a drive letter or mount point to a data storage device
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| ICS | T0895 | Autorun Image |
Monitor for newly constructed drive letters or mount points to removable media. |
|
| Enterprise | T1092 | Communication Through Removable Media |
Monitor for newly executed processes when removable media is mounted. |
|
| Enterprise | T1052 | Exfiltration Over Physical Medium |
Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data via a physical medium, such as a removable drive. |
|
| .001 | Exfiltration over USB |
Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device. |
||
| Enterprise | T1200 | Hardware Additions |
Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports. |
|
| Enterprise | T1091 | Replication Through Removable Media |
Monitor for newly constructed drive letters or mount points to removable media |
|
| ICS | T0847 | Replication Through Removable Media |
Monitor for newly constructed drive letters or mount points to removable media. |
|
Changes made to a drive letter or mount point of a data storage device
Changes made to a drive letter or mount point of a data storage device
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1561 | Disk Wipe |
Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
|
| .001 | Disk Content Wipe |
Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
||
| .002 | Disk Structure Wipe |
Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
||
| Enterprise | T1542 | Pre-OS Boot |
Monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples. |
|
| .003 | Bootkit |
Monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples. |
||
| Enterprise | T1014 | Rootkit |
Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. |
|