Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Increase Privileges
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR002
- Created: 25th May 2024
- Updated: 14th June 2024
- Contributor: The ITM Team
Device Mounting
A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.
Subsections
ID | Name | Description |
---|---|---|
PR002.004 | Disc Media Mounting | A subject may attempt mount disc media on a target system |
PR002.005 | Floppy Disk Mounting | A subject may attempt to mount a floppy disk on a target system. |
PR002.002 | Network Share Mounting | A subject may attempt to mount a network share (such as an SMB share or a NAS) on a target system. |
PR002.003 | SD Card Mounting | A subject may attempt to mount an SD card on a target system. |
PR002.001 | USB Mass Storage Device Mounting | A subject may attempt to mount a USB Mass Storage device on a target system. |
Detection
ID | Name | Description |
---|---|---|
DT020 | Shellbags, USB Removable Storage | Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.
Windows 7 and later
Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive. |
DT022 | USB Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys. |
DT021 | USBSTOR Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USB registry keys. |