Insider Threat Matrix™

  • ID: PR002
  • Created: 25th May 2024
  • Updated: 14th June 2024
  • Contributor: The ITM Team

Device Mounting

A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.

Subsections

ID Name Description
PR002.004 Disc Media Mounting

A subject may attempt to mount disc media on a target system.

PR002.005 Floppy Disk Mounting

A subject may attempt to mount a floppy disk on a target system.

PR002.002 Network Share Mounting

A subject may attempt to mount a network share (such as an SMB share or a NAS) on a target system.

PR002.003 SD Card Mounting

A subject may attempt to mount an SD card on a target system.

PR002.001 USB Mass Storage Device Mounting

A subject may attempt to mount a USB Mass Storage device on a target system.

Detection

ID Name Description
DT020 Shellbags, USB Removable Storage

Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically, Shellbag information is created for folders that have been opened and closed with Windows File Explorer and had their default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.

Shellbags are located in the following registry keys:

Windows XP

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

Windows 7 and later

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags

Shellbags can disclose information about USB removable storage drives that are connected to the system, including the drive letter and any files that were accessed from the drive.

DT022 USB Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USB, this key is a rich source of information about USB devices connected to a Windows system. The information typically found under this key includes connection status, information from the USBSTOR registry key, last write time, and installation date.

These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.

DT021 USBSTOR Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USBSTOR in the Windows registry, this key holds comprehensive details for each device connected via USB ports. It has an individual subkey for every device connected to the system, containing extensive information, including timestamps, serial number, unique ID, container ID, friendly name, device name, make, model and type.

These details can be cross-referenced with evidence in the MountedDevices and USB registry keys.
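An added example, not part of the ITM page or any ITM tooling: a Python parser that turns the text output of `reg query HKLM\SYSTEM\ControlSet001\Enum\USBSTOR /s` into one record per device instance, giving the type, make, model, serial and friendly name described above. The sample output, device names and serials are constructed, and the `Disk&Ven_…&Prod_…&Rev_…` subkey layout is assumed from standard Windows behaviour rather than stated on the page.

```python
import re

# Constructed sample in the layout printed by
# `reg query HKLM\SYSTEM\ControlSet001\Enum\USBSTOR /s`; devices and serials are invented.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230101117392&0
    FriendlyName    REG_SZ    SanDisk Cruzer Blade USB Device
    ContainerID    REG_SZ    {11111111-2222-3333-4444-555555555555}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a4c1b9e&0&0
    FriendlyName    REG_SZ    Generic Flash Disk USB Device
"""

# Matches only instance keys: USBSTOR\<Type>&Ven_..&Prod_..&Rev_..\<instance id>
KEY_RE = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^&\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_\w+\s+(?P<data>.*)$")

def parse_usbstor(text):
    """Return one dict per USBSTOR device instance found in reg query output."""
    devices, current = [], None
    for line in text.splitlines():
        m = KEY_RE.search(line.strip())
        if m:
            inst = m["instance"]
            current = {
                "type": m["type"], "vendor": m["vendor"],
                "product": m["product"].replace("_", " "),
                "revision": m["rev"],
                # The trailing "&<n>" is added by Windows, not by the device.
                "serial": inst.rsplit("&", 1)[0],
                # "&" as the 2nd character: Windows generated the ID because the
                # device has no unique serial, so it will not match on other hosts.
                "os_generated_serial": len(inst) > 1 and inst[1] == "&",
                "values": {},
            }
            devices.append(current)
        elif line.startswith("HKEY_"):
            current = None  # class key or deeper subkey: not an instance record
        elif current is not None and (v := VALUE_RE.match(line)):
            current["values"][v["name"]] = v["data"].strip()
    return devices

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE):
        print(dev)
```

Records with `os_generated_serial` set cannot be matched by serial against other hosts, so correlate those on make, model and timestamps instead.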