ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR002.001
  • Created: 25th May 2024
  • Updated: 31st July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

USB Mass Storage Device Mounting

A subject may attempt to mount a USB Mass Storage device on a target system.

Prevention

ID Name Description
PV037Restrict Removable Disk Mounting, Group Policy

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a removeable disk, such as an SD card or USB mass storage devices.


In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

 

Open the following policies and set them all to Enabled:

Removeable Disk: Deny execute access

Removeable Disk: Deny read access

Removeable Disk: Deny write access

Detection

ID Name Description
DT020Shellbags, USB Removable Storage

Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.

Shellbags are located in the following registry keys:

Windows XP

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

 

Windows 7 and later

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
 

Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive.

DT087USB MountPoints2

MountPoints2 is a Windows Registry key used to store information about previously connected removable devices, such as USB drives, CDs, and other external storage media. It is located at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

 

Each subkey under MountPoints2 represents a unique device, often identified by its GUID (Globally Unique Identifier) or other unique identifier.
These subkeys can contain various values that describe the properties and behavior of the corresponding device, such as the assigned drive letter, volume label, and other relevant data.

DT022USB Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USB, it provides a rich information source about USB devices connected to a Windows system. The information you can typically find under this key includes; connection status, information from the USBSTOR registry key, last write time, and installation date.

These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.

DT021USBSTOR Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USBSTOR in the Windows registry, it holds comprehensive details for each device connected via USB ports. This key features individual subkeys for every device connected to the system, where you can find extensive information, including; timestamps, serial number, unique ID, container ID, friendly name, device name, make, model and type.

These details can be cross-referenced with evidence in the MountedDevices and USB registry keys.