Drive

A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter.[1]

ID: DS0016
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 18 April 2025

Data Components

Drive: Drive Access

Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., C:\, /mnt/drive) or mount point. Examples:

  • Removable Drive Insertion: A USB drive is inserted, assigned the letter F:\, and files are accessed.
  • Network Drive Mounting: A network share \\server\share is mapped to the drive Z:\.
  • External Hard Drive Access: An external drive is connected, mounted at /mnt/backup, and accessed for copying files.
  • System Volume Access: The system volume C:\ is accessed for modifications to critical files.
  • Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts.

This data component can be collected through the following measures:

Windows Event Logs

  • Relevant Events:
    • Event ID 4663: Logs access to file or folder objects.
    • Event ID 4656: Tracks a handle to an object like a drive or file.
  • Configuration:
    • Enable auditing for "Object Access" in Local Security Policy.
    • Use Group Policy for broader deployment: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access

Linux System Logs

  • Command-Line Monitoring: Use the dmesg or journalctl command to monitor drive mount/unmount events.
  • Auditd Configuration: Add an audit rule for drive access: auditctl -w /mnt/drive -p rwxa -k drive_access
  • Review logs via /var/log/audit/audit.log.
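Added example (not part of the ATT&CK page) of consuming the records that the auditctl rule above produces: a Python parser that groups audit.log lines by their serial into one event per syscall and flags successful accesses under the drive_access key by executables outside an assumed baseline. The log lines and the expected-executable list are constructed for the example.

```python
import re

# Constructed sample lines in the layout auditd writes to /var/log/audit/audit.log
# for the page's rule (auditctl -w /mnt/drive -p rwxa -k drive_access).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712345678.101:301): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=2345 auid=1000 uid=1000 gid=1000 comm="cp" exe="/usr/bin/cp" key="drive_access"
type=CWD msg=audit(1712345678.101:301): cwd="/home/alice"
type=PATH msg=audit(1712345678.101:301): item=0 name="/mnt/drive/reports/q1.xlsx" inode=4242 dev=08:11 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1712345678.555:302): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 comm="python3" exe="/tmp/python3" key="drive_access"
type=PATH msg=audit(1712345678.555:302): item=0 name="/mnt/drive/reports/q1.xlsx" inode=4242 dev=08:11 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1712345679.000:303): arch=c000003e syscall=2 success=no exit=-13 ppid=1200 pid=2500 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="other_rule"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Processes expected to touch the mounted drive; anything else is reported. Assumed baseline.
EXPECTED_EXE = {"/usr/bin/cp", "/usr/bin/rsync"}

def parse_audit_events(text):
    """Group auditd records sharing a serial into one event, keeping the fields a triage needs."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        ev = events.setdefault(m.group("serial"), {"ts": float(m.group("ts")), "paths": []})
        if m.group("type") == "SYSCALL":
            # auid=4294967295 means no login session (e.g. a daemon), worth keeping for triage
            ev.update(exe=fields.get("exe"), comm=fields.get("comm"), uid=fields.get("uid"),
                      auid=fields.get("auid"), key=fields.get("key"),
                      success=fields.get("success") == "yes")
        elif m.group("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return list(events.values())

def find_unexpected_drive_access(text, key="drive_access", expected=EXPECTED_EXE):
    """Return successful drive_access events whose executable is not on the expected list."""
    hits = []
    for ev in parse_audit_events(text):
        if ev.get("key") != key or not ev.get("success"):
            continue
        if ev.get("exe") not in expected:
            hits.append(ev)
    return hits
```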

macOS System Logs

  • Command-Line Monitoring: Use diskutil list or fs_usage to monitor drive access and mount points.
  • Unified Logs: Query unified logs using log show for drive-related activities: log show --info | grep "mount"

Endpoint Detection and Response (EDR) Tools

  • Use EDR solutions to monitor drive activities and collect detailed forensic data.

SIEM Tools

  • Ingest logs from endpoints to detect drive access patterns. Configure rules to alert on unusual or unauthorized drive access.

Domain | ID | Name | Detects
Enterprise T1092 Communication Through Removable Media

Monitor for unexpected file access on removable media.

Enterprise T1006 Direct Volume Access

Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives. [2]

Enterprise T1561 Disk Wipe

Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.001 Disk Content Wipe

Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.002 Disk Structure Wipe

Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

Drive: Drive Creation

The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples:

  • USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter E:\ on a Windows machine.
  • Network Drive Mapping: A network share \\server\share is mapped to the drive Z:\.
  • Virtual Drive Creation: A virtual disk is mounted on /mnt/virtualdrive using an ISO image or a virtual hard disk (VHD).
  • Cloud Storage Mounting: Google Drive is mounted as G:\ on a Windows machine using a cloud sync tool.
  • External Storage Integration: An external HDD or SSD is connected and assigned /mnt/external on a Linux system.

This data component can be collected through the following measures:

Windows Event Logs

  • Relevant Events:
    • Event ID 98: Logs the creation of a volume (mount or new drive letter assignment).
    • Event ID 1006: Logs removable storage device insertions.
  • Configuration: Enable "Removable Storage Events" in the Group Policy settings: Computer Configuration > Administrative Templates > System > Removable Storage Access

Linux System Logs

  • Command-Line Monitoring: Use dmesg or journalctl to monitor mount events.

  • Auditd Configuration: Add audit rules to track mount points.

  • Logs can be reviewed in /var/log/audit/audit.log.

macOS System Logs

  • Unified Logs: Monitor system logs for mount activity:
  • Command-Line Tools: Use diskutil list to verify newly created or mounted drives.

Endpoint Detection and Response (EDR) Tools

  • EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events.

SIEM Tools

  • Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.

Domain | ID | Name | Detects
ICS T0895 Autorun Image

Monitor for newly constructed drive letters or mount points to removable media.

Enterprise T1092 Communication Through Removable Media

Monitor for newly executed processes when removable media is mounted.

Enterprise T1052 Exfiltration Over Physical Medium

Detection of newly mounted USB or external drives, unusual storage devices connected to a system (e.g., large capacity, high-speed), or frequent device mount/unmount activity indicative of exfiltration attempts.

Analytic 1 - Detecting New External Drive Mounting Events

(EventCode=6 OR EventCode=4663 OR source="/var/log/syslog" "usb-storage added" OR source="com.apple.DiskArbitration")
| where device_type IN ("USB", "Removable Storage")
| stats count by _time, host, user, device_name, device_type
| eval risk_score=case(device_type="USB", 9, device_type="Removable Storage", 8)
| where risk_score >= 8
| table host, user, device_name, device_type, risk_score

.001 Exfiltration over USB

Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device.

Analytic 1 - Detecting New USB Drive Mounting Events

(EventCode=6 OR EventCode=4663 OR source="/var/log/syslog" "usb-storage added" OR source="com.apple.DiskArbitration")
| where device_type IN ("USB", "Removable Storage")
| stats count by _time, host, user, device_name, device_type
| eval risk_score=case(device_type="USB", 9, device_type="Removable Storage", 8)
| where risk_score >= 8
| table host, user, device_name, device_type, risk_score

Enterprise T1200 Hardware Additions

Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.

Analytic 1 - Detecting Unauthorized External Drives

(EventCode=4663 OR EventCode=11)
OR (source="/var/log/messages" OR source="/var/log/syslog" "block device added")
OR (source="macOS_logs" Event="com.apple.diskarbitrationd")
| eval risk_score=case(like(DeviceName, "%Kingston%"), 7, like(DeviceName, "%SanDisk%"), 6, like(DeviceName, "%Unknown%"), 9)
| where risk_score >= 7
| stats count by _time, host, DeviceName, user, risk_score

Enterprise T1674 Input Injection

Monitor for newly executed processes when removable media is mounted. Additionally, monitor for unexpected or rapid USB HID enumeration events (e.g., a USB HID device connecting and immediately issuing keystrokes) or anomalies (e.g., a device claiming to be a keyboard but has a suspicious vendor ID) that could indicate a possible rogue device. Tools like Windows Event Logs (e.g., event IDs 20001 - 20003), sysfs on Linux (e.g., /sys/bus/usb/devices/), and macOS IORegistry (e.g., ioreg -p IOUSB) can provide insight into input devices.

Additionally, consider leveraging keyboard hook APIs to monitor for keystrokes that are too fast and too uniform (e.g., a script executing keystrokes with no human variation or that are too precise).

Analytic 1 - Detect HID-like Device Injection

index=wineventlog sourcetype="WinEventLog:System" (EventCode=400 OR EventCode=20001)
| eval usb_device=coalesce(UsbDevice, DeviceName)
| search usb_device="keyboard" OR usb_device="HID"
| transaction usb_device maxspan=30s
| join usb_device
    [ search index=main sourcetype="WinEventLog:Security" (EventCode=4688 OR EventCode=4104)
      | stats count by usb_device, _time, CommandLine, ParentProcessName, NewProcessName ]
| where count > 0
| table _time, usb_device, NewProcessName, CommandLine, ParentProcessName
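Added example, not from the ATT&CK page, of the keystroke-timing check described for T1674 in Python: it splits a constructed keystroke stream into bursts, scores each burst for speed and uniformity, and records any HID device enumerated shortly before a flagged burst. The event layout, the thresholds and the device string are assumptions for the example.

```python
import statistics

# Constructed event stream as an endpoint sensor might deliver it: HID enumeration events
# ("hid_connect", time, device) and raw keystroke timestamps ("key", time), seconds. Sample data.
EVENTS = [
    ("hid_connect", 10.00, "VID_1234&PID_5678 keyboard"),   # placeholder IDs, not real indicators
    ("key", 10.40), ("key", 10.41), ("key", 10.42), ("key", 10.43), ("key", 10.44),
    ("key", 10.45), ("key", 10.46), ("key", 10.47), ("key", 10.48), ("key", 10.49),
    ("key", 40.00), ("key", 40.18), ("key", 40.31), ("key", 40.52), ("key", 40.61),
    ("key", 40.89), ("key", 41.05), ("key", 41.33), ("key", 41.40), ("key", 41.72),
]

def split_bursts(key_times, gap=1.0):
    """Group sorted keystroke times into bursts separated by a pause longer than `gap` seconds."""
    bursts, current = [], []
    for t in key_times:
        if current and t - current[-1] > gap:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return bursts

def burst_stats(burst):
    """Mean inter-keystroke interval and its coefficient of variation (stdev / mean)."""
    intervals = [b - a for a, b in zip(burst, burst[1:])]
    mean = statistics.mean(intervals)
    cv = statistics.pstdev(intervals) / mean if mean > 0 else 0.0
    return mean, cv

def find_injected_bursts(events, min_keys=8, max_mean=0.04, max_cv=0.25, connect_window=5.0):
    """Flag bursts that are too fast and too uniform for a human typist (thresholds assumed).
    Each finding notes a HID device enumerated within `connect_window` seconds before the burst."""
    key_times = sorted(e[1] for e in events if e[0] == "key")
    connects = [(e[1], e[2]) for e in events if e[0] == "hid_connect"]
    findings = []
    for burst in split_bursts(key_times):
        if len(burst) < min_keys:
            continue
        mean, cv = burst_stats(burst)
        if mean > max_mean or cv > max_cv:
            continue
        recent = [dev for t, dev in connects if 0 <= burst[0] - t <= connect_window]
        findings.append({"start": burst[0], "keys": len(burst), "mean_interval": round(mean, 4),
                         "cv": round(cv, 3), "new_hid_device": recent[0] if recent else None})
    return findings
```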

Enterprise T1219 Remote Access Tools

Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB and other external device communication ports.

.003 Remote Access Hardware

Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB and other external device communication ports. For example, by default TinyPilot declares its manufacturer name as tinypilot and its serial number as 6b65796d696d6570690 within the /opt/tinypilot-privileged/init-usb-gadget directory. It also announces itself as TinyPilot within its EDID (Extended Display Identification Data).[3]

Analytic 1 - USB Device Enumeration

(sourcetype="WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational" OR sourcetype="syslog")
(EventCode=2003 OR EventCode=2100 OR message="tinypilot" OR message="TinyPilot")
| eval timestamp=_time
| table timestamp, host, user, DeviceClass, FriendlyName, VendorID, ProductID, SerialNumber
| sort -timestamp
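Added example (not from the ATT&CK page or the TinyPilot project) of checking the identifiers named above on an endpoint: a Python EDID parser that validates the block and reads the monitor-name and serial descriptors, plus a match against the USB manufacturer and serial strings the page cites. The EDID block, the PNP ID and the USB record are constructed samples.

```python
# Constructed EDID block and USB descriptor record; the indicator strings are the ones the page cites.
EDID_HEADER = bytes.fromhex("00ffffffffffff00")
USB_INDICATORS = {"manufacturer": "tinypilot", "serial": "6b65796d696d6570690"}
EDID_NAME_INDICATOR = "tinypilot"

def _descriptor(tag, text):
    """18-byte EDID display descriptor: 00 00 00 <tag> 00 then 13 text bytes, LF-terminated, space-padded."""
    body = text.encode("ascii")[:13]
    if len(body) < 13:
        body = body + b"\n" + b" " * (12 - len(body))
    return bytes([0, 0, 0, tag, 0]) + body

def build_sample_edid(pnp_id, name, serial):
    """Build a minimal, checksum-valid 128-byte EDID (constructed sample; the PNP ID is made up)."""
    e = bytearray(128)
    e[0:8] = EDID_HEADER
    mid = 0
    for ch in pnp_id:                      # three letters packed 5 bits each, A=1
        mid = (mid << 5) | (ord(ch) - 64)
    e[8:10] = mid.to_bytes(2, "big")
    e[54:72] = _descriptor(0xFC, name)     # tag 0xFC = monitor name
    e[72:90] = _descriptor(0xFF, serial)   # tag 0xFF = serial number
    e[127] = (-sum(e[:127])) & 0xFF        # all 128 bytes must sum to 0 mod 256
    return bytes(e)

def parse_edid(edid):
    """Validate header and checksum, then pull the PNP ID, monitor name and serial descriptors."""
    if len(edid) < 128 or edid[:8] != EDID_HEADER:
        raise ValueError("not an EDID base block")
    if sum(edid[:128]) & 0xFF:
        raise ValueError("EDID checksum mismatch")
    mid = int.from_bytes(edid[8:10], "big")
    info = {"pnp_id": "".join(chr(64 + ((mid >> s) & 0x1F)) for s in (10, 5, 0)),
            "name": None, "serial": None}
    for off in (54, 72, 90, 108):
        d = edid[off:off + 18]
        if d[:3] != b"\0\0\0":             # a detailed timing descriptor, not a display descriptor
            continue
        text = d[5:18].split(b"\n")[0].decode("ascii", "replace").strip()
        if d[3] == 0xFC:
            info["name"] = text
        elif d[3] == 0xFF:
            info["serial"] = text
    return info

def flag_remote_access_hardware(usb, edid=None):
    """Return the indicators matched by one enumerated device: USB strings and, if present, its EDID name."""
    hits = [f"usb.{f}={v}" for f, v in USB_INDICATORS.items() if usb.get(f, "").lower() == v]
    if edid is not None:
        name = parse_edid(edid)["name"] or ""
        if name.lower() == EDID_NAME_INDICATOR:
            hits.append(f"edid.name={name}")
    return hits
```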

Enterprise T1091 Replication Through Removable Media

Monitor for newly constructed drive letters or mount points to removable media.

Analytic 1 - Removable Media Mount Events

index=windows sourcetype="WinEventLog:Microsoft-Windows-Partition/Operational" EventID=1006
| stats count by DeviceName, VolumeName, EventID, ComputerName, _time
| where count > 1
| table _time, DeviceName, VolumeName, ComputerName

ICS T0847 Replication Through Removable Media

Monitor for newly constructed drive letters or mount points to removable media.

Drive: Drive Modification

The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples:

  • Drive Letter Reassignment: A USB drive previously assigned E:\ is reassigned to D:\ on a Windows machine.
  • Mount Point Change: On a Linux system, a mounted storage device at /mnt/external is moved to /mnt/storage.
  • Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.
  • Renaming of a Drive: A network drive labeled "HR_Share" is renamed to "Shared_Resources."
  • Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.

This data component can be collected through the following measures:

Windows Event Logs

  • Relevant Events:
    • Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).
    • Event ID 1006: Logs permission modifications or changes to removable storage.
  • Configuration: Enable "Storage Operational Logs" in the Event Viewer: Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational

Linux System Logs

  • Auditd Configuration: Add audit rules to track changes to mounted drives: auditctl -w /mnt/ -p w -k drive_modification
  • Command-Line Monitoring: Use dmesg or journalctl to observe drive modifications.

macOS System Logs

  • Unified Logs: Collect mount or drive modification events: log show --info | grep "Volume modified"
  • Command-Line Monitoring: Use diskutil to track changes:

Endpoint Detection and Response (EDR) Tools

  • Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.

SIEM Tools

  • Aggregate logs from multiple systems into a centralized platform like Splunk to correlate events and alert on suspicious drive modification activities.

Domain | ID | Name | Detects
Enterprise T1561 Disk Wipe

Monitor for changes made to drive letters or mount points of data storage devices for attempts to read from sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.001 Disk Content Wipe

Monitor for changes made to drive letters or mount points of data storage devices for attempts to read from sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.002 Disk Structure Wipe

Monitor for changes made to drive letters or mount points of data storage devices for attempts to read from sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

Enterprise T1542 Pre-OS Boot

Monitor for changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.

.003 Bootkit

On BIOS boot systems, monitor for changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.
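Added example, not from the ATT&CK page, of the snapshot-and-compare approach for the T1542 rows above in Python: it hashes the boot-code area and the partition table of a 512-byte MBR sector separately, so a later comparison can tell boot-code tampering (bootkit, Disk Content Wipe) from partition-table changes (Disk Structure Wipe). The sector is constructed in code; on a real host the known-good and current snapshots would come from the first sector of the boot disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 446)      # bootstrap code area (bytes 0-445)
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
SIGNATURE = slice(510, 512)    # boot signature, must be 55 AA
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, start LBA, sector count

def build_sample_mbr(seed=b"known-good"):
    """Constructed 512-byte MBR: deterministic filler as boot code, one NTFS entry, valid signature."""
    filler = (hashlib.sha256(seed).digest() * 14)[:446]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return filler + entry + b"\0" * 48 + b"\x55\xaa"

def parse_partitions(table):
    """Decode the non-empty entries of a 64-byte MBR partition table."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, table, i * 16)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return parts

def snapshot(sector):
    """Hash the boot code and the partition table separately so changes can be told apart."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return {
        "valid_signature": sector[SIGNATURE] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(sector[PART_TABLE]).hexdigest(),
        "partitions": parse_partitions(sector[PART_TABLE]),
    }

def compare_to_baseline(baseline, current):
    """Return a finding for every region that differs from the known-good snapshot."""
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 55AA missing: sector overwritten or zeroed")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed: bootkit or Disk Content Wipe indicator")
    if current["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table changed: Disk Structure Wipe indicator")
    return findings
```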

Enterprise T1014 Rootkit

Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.

References