Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.
Monitor for newly constructed files copied to or from removable media.
Monitor for newly constructed drive letters or mount points to removable media.
Monitor for files accessed on removable media, particularly those with executable content.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | Process | None |
| File Creation (DC0039) | File | None |
| Drive Creation (DC0042) | Drive | None |
| File Access (DC0055) | File | None |
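The four monitoring recommendations above are only useful once the events are correlated: a process start, file write or file read is interesting here because the path lies under a mount point that a Drive Creation event identified as removable media, and a process started that way becomes more suspicious if it later opens a network connection. The following example, added here and not part of the ATT&CK page, runs that correlation over a constructed Sysmon-like event stream. The event field names (`ts`, `component`, `mount`, `bus`, `image`, `pid`, `path`, `dest`), the `NET` follow-on component, the executable-extension list and the removable bus labels are all assumptions chosen for the example, not a real sensor schema.

```python
# Added example: correlate DC0032/DC0039/DC0042/DC0055 events around removable media.
# Field names, bus labels and the "NET" follow-on event are assumptions for this
# example, not a real sensor schema or ATT&CK data component.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
import ntpath  # splits Windows-style paths correctly on any host OS

# Extensions treated as "executable content" (assumption for the example).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".lnk"}
# Bus labels the constructed drive events use for removable media (assumption).
REMOVABLE_BUSES = {"USB", "SD"}


@dataclass
class Event:
    ts: int                 # ordering key; seconds since an arbitrary epoch
    component: str          # ATT&CK data component id from the table, or "NET"
    fields: Dict[str, str] = field(default_factory=dict)


def is_executable(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXEC_EXTENSIONS


def removable_root(path: str, roots: Dict[str, int]) -> str:
    """Return the active removable mount point that `path` lies under, or ''."""
    p = path.upper().replace("/", "\\")
    for root in roots:
        if p.startswith(root):
            return root
    return ""


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule, ts, detail) tuples for events matching the guidance above."""
    alerts: List[Tuple[str, int, str]] = []
    roots: Dict[str, int] = {}          # active removable mount point -> mount ts
    removable_pids: Set[str] = set()    # processes whose image lived on removable media
    for e in sorted(events, key=lambda ev: ev.ts):
        f = e.fields
        if e.component == "DC0042":                       # Drive Creation
            root = f["mount"].upper().replace("/", "\\")
            if f.get("action") == "unmount":
                roots.pop(root, None)
            elif f.get("bus") in REMOVABLE_BUSES:
                roots[root] = e.ts
                alerts.append(("removable_mount", e.ts, f["mount"]))
        elif e.component == "DC0032":                     # Process Creation
            if removable_root(f["image"], roots):
                removable_pids.add(f["pid"])
                alerts.append(("exec_from_removable", e.ts, f["image"]))
        elif e.component == "DC0039":                     # File Creation
            if removable_root(f["path"], roots):
                rule = ("exec_copied_to_removable" if is_executable(f["path"])
                        else "file_copied_to_removable")
                alerts.append((rule, e.ts, f["path"]))
        elif e.component == "DC0055":                     # File Access
            if removable_root(f["path"], roots) and is_executable(f["path"]):
                alerts.append(("exec_read_from_removable", e.ts, f["path"]))
        elif e.component == "NET" and f["pid"] in removable_pids:
            # Follow-on activity the guidance describes: a process that started from
            # removable media opening a network connection.
            alerts.append(("removable_process_network", e.ts,
                           f"{f['pid']}->{f['dest']}"))
    return alerts


# Constructed sample stream; 198.51.100.7 is a documentation (TEST-NET-2) address.
CONSTRUCTED_EVENTS = [
    Event(100, "DC0042", {"mount": "E:\\", "bus": "USB"}),
    Event(101, "DC0055", {"path": "E:\\readme.txt"}),                      # no alert: not executable
    Event(102, "DC0055", {"path": "E:\\tools\\agent.exe"}),
    Event(103, "DC0032", {"image": "E:\\tools\\agent.exe", "pid": "4412"}),
    Event(104, "DC0039", {"path": "C:\\Users\\u\\Documents\\notes.txt"}),   # no alert: fixed disk
    Event(105, "DC0039", {"path": "E:\\docs\\report.docx"}),
    Event(106, "NET", {"pid": "4412", "dest": "198.51.100.7:443"}),
    Event(107, "DC0032", {"image": "C:\\Windows\\System32\\notepad.exe", "pid": "4500"}),  # no alert
    Event(108, "DC0039", {"path": "E:\\tools\\update.exe"}),
]

if __name__ == "__main__":
    for rule, ts, detail in detect(CONSTRUCTED_EVENTS):
        print(f"{ts} {rule:28s} {detail}")
```

Two caveats matter in practice. First, the correlation keys everything off the Drive Creation event, so a volume mounted before the sensor started is never treated as removable; a production rule should fall back to an inventory of known fixed volumes (or the volume's bus type queried from the OS) rather than relying on having seen the mount. Second, a File Creation event only carries the destination path, so "copied from removable media" cannot be inferred from the path alone; pairing the File Creation event with a preceding File Access (DC0055) on the removable drive by the same process is the usual way to recover that direction.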