A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter.[1]
Drive Access

Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., C:\, /mnt/drive) or mount point. Examples:

- F:\, and files are accessed.
- \\server\share is mapped to the drive Z:\.
- /mnt/backup, and accessed for copying files.
- C:\ is accessed for modifications to critical files.

This data component can be collected through the following measures:

Windows Event Logs
- Relevant Events:
  - Event ID 4663: Logs access to file or folder objects.
  - Event ID 4656: Tracks a handle to an object like a drive or file.
- Configuration:
  - Enable auditing for "Object Access" in Local Security Policy.
  - Use Group Policy for broader deployment: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access

Linux System Logs
- Use the dmesg or journalctl command to monitor drive mount/unmount events.
- Add an audit rule that watches the mount point for reads, writes, executes, and attribute changes: auditctl -w /mnt/drive -p rwxa -k drive_access
- The resulting records are written to /var/log/audit/audit.log.

macOS System Logs
- Use diskutil list or fs_usage to monitor drive access and mount points.
- Query the unified log for mount activity: log show --info | grep "mount"

Endpoint Detection and Response (EDR) Tools

SIEM Tools
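As an added example (not part of the ATT&CK page), the following Python script parses the records that the audit rule above (auditctl -w /mnt/drive -p rwxa -k drive_access) writes to /var/log/audit/audit.log, groups them by event serial, and reports which program and user touched what under the watched mount, whether the open carried write intent, and whether it succeeded. The audit lines are constructed samples, and the syscall-to-flag-argument mapping assumes x86_64 (open=2, openat=257).

```python
import re
from collections import defaultdict

# Constructed /var/log/audit/audit.log records in the shape the rule
# `auditctl -w /mnt/drive -p rwxa -k drive_access` emits (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581e4c2a2b0 a2=0 a3=0 items=1 ppid=1200 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="drive_access"
type=PATH msg=audit(1700000000.101:501): item=0 name="/mnt/drive/report.txt" inode=131 dev=08:11 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5581e4c2a2b0 a2=241 a3=1b6 items=2 ppid=1200 pid=1302 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="dd" exe="/usr/bin/dd" key="drive_access"
type=PATH msg=audit(1700000000.205:502): item=0 name="/mnt/drive/" inode=2 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.205:502): item=1 name="/mnt/drive/image.bin" inode=140 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.310:503): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5581e4c2a2b0 a2=2 a3=0 items=1 ppid=1200 pid=1303 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="drive_access"
type=PATH msg=audit(1700000000.310:503): item=0 name="/mnt/drive/report.txt" inode=131 dev=08:11 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
WRITE_FLAGS = 0x1 | 0x2 | 0x40 | 0x200   # O_WRONLY | O_RDWR | O_CREAT | O_TRUNC (Linux)
FLAG_ARG = {"2": "a1", "257": "a2"}      # x86_64 assumption: open(2) flags in a1, openat(2) in a2

def parse_records(text):
    """Group audit records by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        events[int(m.group(2))][fields["type"]].append(fields)
    return events

def drive_access_events(text, key="drive_access"):
    """One summary per audited syscall tagged with `key`: actor, object, write intent, outcome."""
    summaries = []
    for serial, recs in sorted(parse_records(text).items()):
        for sc in recs.get("SYSCALL", []):
            if sc.get("key") != key:
                continue
            arg = FLAG_ARG.get(sc.get("syscall"))
            flags = int(sc[arg], 16) if arg in sc else 0
            summaries.append({
                # auid is the login user and survives sudo; uid is the effective caller.
                "serial": serial, "exe": sc.get("exe"), "auid": sc.get("auid"), "uid": sc.get("uid"),
                "success": sc.get("success") == "yes", "write": bool(flags & WRITE_FLAGS),
                # Drop the PARENT directory entry and keep the object actually opened.
                "paths": [p["name"] for p in recs.get("PATH", []) if p.get("nametype") != "PARENT"],
            })
    return summaries

if __name__ == "__main__":
    print(*drive_access_events(SAMPLE_AUDIT_LOG), sep="\n")
```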
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1092 | Communication Through Removable Media | Monitor for unexpected file access on removable media.
Enterprise | T1006 | Direct Volume Access | Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives.[2]
Enterprise | T1561 | Disk Wipe | Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
Enterprise | T1561.001 | Disk Content Wipe | Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
Enterprise | T1561.002 | Disk Structure Wipe | Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
Drive Creation

The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples:

- E:\ on a Windows machine.
- \\server\share is mapped to the drive Z:\.
- /mnt/virtualdrive using an ISO image or a virtual hard disk (VHD).
- G:\ on a Windows machine using a cloud sync tool.
- /mnt/external on a Linux system.

This data component can be collected through the following measures:

Windows Event Logs
- Group Policy: Computer Configuration > Administrative Templates > System > Removable Storage Access

Linux System Logs
- Command-Line Monitoring: Use dmesg or journalctl to monitor mount events.
- Auditd Configuration: Add audit rules to track mount points.

macOS System Logs
- Use diskutil list to verify newly created or mounted drives.

Endpoint Detection and Response (EDR) Tools

SIEM Tools
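Added example, not from the original page: a Python script that diffs two /proc/mounts snapshots (constructed here, including a path with the \040 space escape the kernel uses) to surface newly created mount points and classify each as a network share, a mounted disk image, or a removable disk, covering the Linux-side mount examples listed above. The filesystem-type sets used for classification are assumptions, not an exhaustive list.

```python
import re

# Constructed /proc/mounts snapshots (not captured from a real host). Each line is
# "device mountpoint fstype options dump pass"; spaces in paths appear as \040.
MOUNTS_BEFORE = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077 0 0
"""
MOUNTS_AFTER = MOUNTS_BEFORE + """\
/dev/sdb1 /media/alice/My\\040USB vfat rw,nosuid,nodev,relatime,uid=1000 0 0
//server/share /mnt/share cifs rw,relatime,vers=3.1.1 0 0
/dev/loop0 /mnt/virtualdrive iso9660 ro,relatime 0 0
"""

# Assumed classification sets; extend them to match the filesystems in use on your hosts.
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs"}
REMOVABLE_FS = {"vfat", "exfat", "ntfs", "ntfs3", "fuseblk"}

def unescape(field):
    """Undo /proc/mounts octal escapes such as \\040 (space) and \\011 (tab)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return {mountpoint: (device, fstype, options)} for one snapshot."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            device, mountpoint, fstype, options = (unescape(p) for p in parts[:4])
            table[mountpoint] = (device, fstype, options)
    return table

def classify(device, fstype):
    """Coarse origin of a mount: network share, disk image, removable disk, or other."""
    if fstype in NETWORK_FS or device.startswith("//"):
        return "network-share"
    if device.startswith("/dev/loop") or fstype in {"iso9660", "udf"}:
        return "disk-image"
    if fstype in REMOVABLE_FS and device.startswith("/dev/sd"):
        return "removable-disk"
    return "other"

def new_mounts(before_text, after_text):
    """Mount points present only in the later snapshot, each with a classification."""
    before, after = parse_mounts(before_text), parse_mounts(after_text)
    return [
        {"mountpoint": mp, "device": dev, "fstype": fs, "kind": classify(dev, fs),
         "read_only": "ro" in opts.split(",")}
        for mp, (dev, fs, opts) in after.items() if mp not in before
    ]
```

On a live host, read /proc/mounts on a schedule (or on udev/mount events) and feed consecutive snapshots to new_mounts.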
Domain | ID | Name | Detects
---|---|---|---
ICS | T0895 | Autorun Image | Monitor for newly constructed drive letters or mount points to removable media.
Enterprise | T1092 | Communication Through Removable Media | Monitor for newly executed processes when removable media is mounted.
Enterprise | T1052 | Exfiltration Over Physical Medium | Detection of newly mounted USB or external drives, unusual storage devices connected to a system (e.g., large capacity, high-speed), or frequent device mount/unmount activity indicative of exfiltration attempts. Analytic 1 - Detecting New External Drive Mounting Events
Enterprise | T1052.001 | Exfiltration over USB | Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device. Analytic 1 - Detecting New USB Drive Mounting Events
Enterprise | T1200 | Hardware Additions | Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports. Analytic 1 - Detecting Unauthorized External Drives
Enterprise | T1674 | Input Injection | Monitor for newly executed processes when removable media is mounted. Additionally, monitor for unexpected or rapid USB HID enumeration events (e.g., a USB HID device connecting and immediately issuing keystrokes) or anomalies (e.g., a device claiming to be a keyboard but has a suspicious vendor ID) that could indicate a possible rogue device. Tools like Windows Event Logs (e.g., event IDs 20001 - 20003), sysfs on Linux (e.g., Additionally, consider leveraging keyboard hook APIs to monitor for keystrokes that are too fast and too uniform (e.g., a script executing keystrokes with no human variation or that are too precise). Analytic 1 - Detect HID like Device Injection
Enterprise | T1219 | Remote Access Tools | Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB and other external device communication ports.
Enterprise | T1219.003 | Remote Access Hardware | Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB and other external device communication ports. For example, by default TinyPilot declares its manufacturer name as Analytic 1 - USB Device Enumeration
Enterprise | T1091 | Replication Through Removable Media | Monitor for newly constructed drive letters or mount points to removable media. Analytic 1 - Removable Media Mount Events
ICS | T0847 | Replication Through Removable Media | Monitor for newly constructed drive letters or mount points to removable media.
Drive Modification

The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples:

- E:\ is reassigned to D:\ on a Windows machine.
- /mnt/external is moved to /mnt/storage.

This data component can be collected through the following measures:

Windows Event Logs
- Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational

Linux System Logs
- Add an audit rule that watches the mount directory for writes: auditctl -w /mnt/ -p w -k drive_modification
- Use dmesg or journalctl to observe drive modifications.

macOS System Logs
- Query the unified log: log show --info | grep "Volume modified"
- Use diskutil to track changes.

Endpoint Detection and Response (EDR) Tools

SIEM Tools
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1561 | Disk Wipe | Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
Enterprise | T1561.001 | Disk Content Wipe | Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
Enterprise | T1561.002 | Disk Structure Wipe | Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.
Enterprise | T1542 | Pre-OS Boot | Monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.
Enterprise | T1542.003 | Bootkit | On BIOS boot systems, monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.
Enterprise | T1014 | Rootkit | Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.