A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter[1]
Opening of a data storage device with an assigned drive letter or mount point
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1006 | Direct Volume Access | Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives. [2] |
| Enterprise | T1561 | Disk Wipe | Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
| | .001 | Disk Content Wipe | Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
| | .002 | Disk Structure Wipe | Monitor for newly constructed drive letters or mount points to a data storage device for attempts to write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
| Enterprise | T1092 | Communication Through Removable Media | Monitor for unexpected file access on removable media. |
Initial construction of a drive letter or mount point to a data storage device
| Domain | ID | Name | Detects |
|---|---|---|---|
| ICS | T0895 | Autorun Image | Monitor for newly constructed drive letters or mount points to removable media. |
| ICS | T0847 | Replication Through Removable Media | Monitor for newly constructed drive letters or mount points to removable media. |
| Enterprise | T1200 | Hardware Additions | Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports. |
| Enterprise | T1091 | Replication Through Removable Media | Monitor for newly constructed drive letters or mount points to removable media. |
| Enterprise | T1092 | Communication Through Removable Media | Monitor for newly executed processes when removable media is mounted. |
| Enterprise | T1052 | Exfiltration Over Physical Medium | Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data via a physical medium, such as a removable drive. |
| | .001 | Exfiltration over USB | Monitor for newly assigned drive letters or mount points to a data storage device that may attempt to exfiltrate data over a USB-connected physical device. |
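One way to implement the "newly constructed drive letters or mount points" checks from the Drive Creation rows above on a Linux host, as an added example that is not code from this page or from MITRE: it diffs two snapshots of `/proc/mounts` and flags any new mount whose filesystem type or device name suggests removable or foreign media. The two snapshots are constructed sample text, and the removable filesystem-type list and the system-disk prefixes are assumptions chosen for the example; a real deployment would read `/proc/mounts` on a timer or react to udev events and tune both lists to the fleet.

```python
"""Detect newly created mount points by diffing successive /proc/mounts snapshots.

Added example for the Drive Creation data component; not code from the ATT&CK page.
The snapshots below are constructed sample text in /proc/mounts format.
"""
from dataclasses import dataclass

# Filesystem types commonly seen on removable media (assumption for this example).
REMOVABLE_FSTYPES = {"vfat", "exfat", "ntfs", "ntfs3", "iso9660", "udf"}
# Device prefixes treated as the host's own system disks (assumption for this example).
SYSTEM_DEVICE_PREFIXES = ("/dev/sda", "/dev/nvme0n1", "/dev/mapper/")


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def parse_mounts(text: str) -> dict:
    """Parse /proc/mounts style text into {mountpoint: Mount}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, opts = fields[:4]
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        mountpoint = mountpoint.replace("\\040", " ")
        mounts[mountpoint] = Mount(device, mountpoint, fstype, frozenset(opts.split(",")))
    return mounts


def new_mounts(before: str, after: str) -> list:
    """Return Mount entries present in `after` but absent from `before`."""
    old = parse_mounts(before)
    cur = parse_mounts(after)
    return [m for mp, m in cur.items() if mp not in old]


def is_removable_candidate(m: Mount) -> bool:
    """Heuristic: removable filesystem type, or a block device that is not a system disk."""
    if m.fstype in REMOVABLE_FSTYPES:
        return True
    return m.device.startswith("/dev/") and not m.device.startswith(SYSTEM_DEVICE_PREFIXES)


def alerts(before: str, after: str) -> list:
    """Alert strings for every new mount that looks like removable media."""
    return [f"new mount {m.device} at {m.mountpoint} ({m.fstype})"
            for m in new_mounts(before, after) if is_removable_candidate(m)]


# Constructed sample snapshots: the second adds a USB stick, an optical disc and a user tmpfs.
BEFORE = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""
AFTER = BEFORE + """\
/dev/sdb1 /media/user/USB\\040DISK vfat rw,nosuid,nodev,uid=1000 0 0
/dev/sr0 /media/user/CDROM iso9660 ro,nosuid 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid 0 0
"""

if __name__ == "__main__":
    for line in alerts(BEFORE, AFTER):
        print(line)
```

The `/boot/efi` vfat mount is present in both snapshots and is therefore never reported; only mounts that appear between snapshots are evaluated, which keeps a long-lived EFI partition from generating noise while still catching a freshly inserted USB stick or disc.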
Changes made to a drive letter or mount point of a data storage device
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1014 | Rootkit | Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. |
| Enterprise | T1561 | Disk Wipe | Monitor for changes made to drive letters or mount points of data storage devices for attempts to read from sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
| | .001 | Disk Content Wipe | Monitor for changes made to drive letters or mount points of data storage devices for attempts to read from sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
| | .002 | Disk Structure Wipe | Monitor for changes made to drive letters or mount points of data storage devices for attempts to read from sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. |
| Enterprise | T1542 | Pre-OS Boot | Monitor for changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples. |
| | .003 | Bootkit | Monitor for changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples. |
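The "take snapshots of MBR and VBR and compare against known good samples" guidance in the Pre-OS Boot and Bootkit rows above, as an added example that is not code from this page or from MITRE: it parses a classic 512-byte MBR, validates the 0x55AA boot signature, and reports which region (bootstrap code, partition table, signature) differs between a stored baseline and the current sector. Both sectors are constructed in memory here; on a live host the current bytes would be read with administrative privileges from the raw block device (the first 512 bytes of `/dev/sda` or `\\.\PhysicalDrive0`, for example), and the baseline would be captured at a known-good point and stored where the monitored host cannot rewrite it. A VBR can be compared the same way as raw bytes, but its internal layout depends on the filesystem, so the partition-table parsing below applies to the MBR only.

```python
"""Snapshot-and-compare check for the Master Boot Record.

Added example for Pre-OS Boot / Bootkit detection; not code from the ATT&CK page.
Sectors are constructed sample data built in memory.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 446)      # bootstrap code area
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
SIGNATURE = slice(510, 512)    # 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Parse the classic MBR layout: bootstrap code, 4 partition entries, signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[SIGNATURE] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from the known-good `baseline`."""
    findings = []
    for name, region in (("bootstrap code", BOOT_CODE),
                         ("partition table", PART_TABLE),
                         ("boot signature", SIGNATURE)):
        if baseline[region] != current[region]:
            findings.append(f"{name} changed")
    if not parse_mbr(current)["signature_ok"]:
        findings.append("boot signature missing (0x55AA expected)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: given boot code, one bootable Linux partition, valid signature."""
    code = boot_code.ljust(446, b"\x00")[:446]
    # status 0x80 (bootable), CHS fields zeroed, type 0x83, LBA start 2048, 204800 sectors
    entry = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three entries unused
    return code + table + b"\x55\xAA"


# Constructed sample data: a baseline and a copy whose bootstrap code region was altered.
BASELINE = build_sample_mbr(b"\xEB\x63\x90" + b"\x00" * 20)
MODIFIED = build_sample_mbr(b"\xEB\x63\x90" + b"\x41" * 20)

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print(compare_mbr(BASELINE, MODIFIED))
```

Reporting the changed region rather than only "hash mismatch" matters in triage: a legitimate partition-table edit by a disk utility and a rewritten bootstrap area with the partition table untouched are very different events, and the second is the one the Bootkit row is concerned with.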