Means
Aiding and Abetting
Asset Control
Bluetooth
Bring Your Own Device (BYOD)
Clipboard
FTP Servers
Installed Software
Media Capture
Network Attached Storage
Physical Disk Access
Printing
Privileged Access
Removable Media
Screenshots
SMB File Sharing
SSH Servers
System Startup Firmware Access
Unrestricted Software Installation
Unrevoked Access
Web Access
- ID: ME005.002
- Created: 25th May 2024
- Updated: 14th June 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
SD Cards
A subject can mount and write to an SD card, either directly from the system, or through a USB connector.
Prevention
ID | Name | Description |
---|---|---|
PV012 | End-User Security Awareness Training | Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others. |
PV009 | Prohibition of Devices On-site | Certain infringements can be prevented by prohibiting certain devices from being brought on-site. |
Detection
ID | Name | Description |
---|---|---|
DT048 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |
DT020 | Shellbags, USB Removable Storage | Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.
Windows 7 and later
Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive. |
DT022 | USB Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys. |
DT021 | USBSTOR Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USB registry keys. |