Drive

A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter[1]

ID: DS0016
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Drive: Drive Access

Opening of a data storage device with an assigned drive letter or mount point

Drive: Drive Access

Opening of a data storage device with an assigned drive letter or mount point

Domain ID Name Detects
Enterprise T1092 Communication Through Removable Media

Monitor for unexpected file access on removable media

Enterprise T1006 Direct Volume Access

Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives. [2]

Enterprise T1561 Disk Wipe

Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.001 Disk Content Wipe

Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.002 Disk Structure Wipe

Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

Drive: Drive Creation

Initial construction of a drive letter or mount point to a data storage device

Drive: Drive Creation

Initial construction of a drive letter or mount point to a data storage device

Domain ID Name Detects
Enterprise T1092 Communication Through Removable Media

Monitor for newly executed processes when removable media is mounted.

Enterprise T1052 Exfiltration Over Physical Medium

Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data via a physical medium, such as a removable drive.

.001 Exfiltration over USB

Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB connected physical device.

Enterprise T1200 Hardware Additions

Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.

Enterprise T1091 Replication Through Removable Media

Monitor for newly constructed drive letters or mount points to removable media

ICS T0847 Replication Through Removable Media

Monitor for newly constructed drive letters or mount points to removable media.

Drive: Drive Modification

Changes made to a drive letter or mount point of a data storage device

Drive: Drive Modification

Changes made to a drive letter or mount point of a data storage device

Domain ID Name Detects
Enterprise T1561 Disk Wipe

Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.001 Disk Content Wipe

Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

.002 Disk Structure Wipe

Monitor for changes made to drive letters or mount points of data storage devices for attempts to read to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock.

Enterprise T1542 Pre-OS Boot

Monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.

.003 Bootkit

Monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.

Enterprise T1014 Rootkit

Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.

References