ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: ME005
  • Created: 25th May 2024
  • Updated: 14th June 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Removable Media

A subject can mount and write to removable media.

Subsections

ID Name Description
ME005.003Disc Media

A subject can mount and write to disc media including, CD-R, DVD and Blu-ray discs.

ME005.004Floppy Disks

A subject can mount and write to floppy disks and/or other magnetic media.

ME005.002SD Cards

A subject can mount and write to an SD card, either directly from the system, or through a USB connector.

ME005.001USB Mass Storage

A subject can mount and write to a USB mass storage device.

Prevention

ID Name Description
PV020Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

PV012End-User Security Awareness Training

Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.

PV009Prohibition of Devices On-site

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

Detection

ID Name Description
DT020Shellbags, USB Removable Storage

Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.

Shellbags are located in the following registry keys:

Windows XP

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

 

Windows 7 and later

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
 

Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive.

DT022USB Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USB, it provides a rich information source about USB devices connected to a Windows system. The information you can typically find under this key includes; connection status, information from the USBSTOR registry key, last write time, and installation date.

These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.

DT021USBSTOR Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USBSTOR in the Windows registry, it holds comprehensive details for each device connected via USB ports. This key features individual subkeys for every device connected to the system, where you can find extensive information, including; timestamps, serial number, unique ID, container ID, friendly name, device name, make, model and type.

These details can be cross-referenced with evidence in the MountedDevices and USB registry keys.