- ID: ME005.001
- Created: 25th May 2024
- Updated: 31st July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
USB Mass Storage
A subject can mount and write to a USB mass storage device.
Prevention
ID | Name | Description |
---|---|---|
PV020 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |
PV012 | End-User Security Awareness Training | Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others. |
PV009 | Prohibition of Devices On-site | Certain infringements can be prevented by prohibiting certain devices from being brought on-site. |
PV037 | Restrict Removable Disk Mounting, Group Policy | Using Group Policy on Windows, it is possible to block execute, read, and write operations on a removable disk, such as an SD card or USB mass storage device.
Open the following policies and set them all to Enabled:
|
Detection
ID | Name | Description |
---|---|---|
DT020 | Shellbags, USB Removable Storage | Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.
Windows 7 and later
Shellbags can disclose information about USB removable storage drives that are connected to the system, including the drive letter and any files that were accessed from the drive. |
DT087 | USB MountPoints2 | MountPoints2 is a Windows Registry key used to store information about previously connected removable devices, such as USB drives, CDs, and other external storage media. It is located at:
Each subkey under MountPoints2 represents a unique device, often identified by its GUID (Globally Unique Identifier) or other unique identifier. |
DT022 | USB Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys. |
DT021 | USBSTOR Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USB registry keys. |
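
The cross-reference described in DT087, DT022 and DT021, shown as an added example that is not part of the original page: it attributes a USB volume to a user by matching MountPoints2 volume GUID subkeys against MountedDevices values and extracting the USBSTOR device identity from the value data. It assumes the subkey names and value data have already been exported from the hives; the function names and all sample values are constructed for illustration.

```python
import re

GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
# Device string Windows stores (UTF-16LE) as MountedDevices data for USB storage.
USBSTOR_RE = re.compile(r"USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                        r"&Rev_(?P<rev>[^#]*)#(?P<instance>[^#]+)#")

def parse_mounted_device(value_name, data):
    """Return (volume_guid, device_info) for a USB-backed volume, else None."""
    guid = GUID_RE.search(value_name)
    if guid is None:                       # e.g. \DosDevices\E: drive-letter values
        return None
    dev = USBSTOR_RE.search(data.decode("utf-16-le", errors="replace"))
    if dev is None:                        # fixed disks hold a binary signature instead
        return None
    info = dev.groupdict()
    instance = info.pop("instance")
    # A '&' as second character means Windows generated the ID (no device serial).
    info["windows_generated_id"] = len(instance) > 1 and instance[1] == "&"
    info["serial"] = instance.rsplit("&", 1)[0]   # drop the trailing "&0" suffix
    return guid.group(0).lower(), info

def correlate(mountpoints2_by_user, mounted_devices):
    """Attribute USB volumes to the users whose MountPoints2 key lists them."""
    usb_volumes = dict(filter(None, (parse_mounted_device(n, d)
                                     for n, d in mounted_devices.items())))
    hits = []
    for user, subkeys in mountpoints2_by_user.items():
        for name in subkeys:               # skips drive letters and ##server#share names
            if GUID_RE.fullmatch(name) and name.lower() in usb_volumes:
                hits.append({"user": user, "volume": name.lower(),
                             **usb_volumes[name.lower()]})
    return hits

# Constructed sample data, not taken from a real system.
DISK_SIG = bytes.fromhex("a1b2c3d40000100000000000")
SAMPLE_MOUNTED_DEVICES = {
    r"\??\Volume{11111111-2222-3333-4444-555555555555}": (
        "_??_USBSTOR#Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00"
        "#AA00112233445566&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
    r"\??\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}": DISK_SIG,
    r"\DosDevices\C:": DISK_SIG,
}
SAMPLE_MOUNTPOINTS2 = {
    "alice": ["{11111111-2222-3333-4444-555555555555}", "C", "##fileserver#share"],
    "bob": ["{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"],
}

if __name__ == "__main__":
    for hit in correlate(SAMPLE_MOUNTPOINTS2, SAMPLE_MOUNTED_DEVICES):
        print(hit)
```

The serial recovered here is the value to look up under the USBSTOR and USB keys when confirming the device and its connection history.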