Detections
- ID: DT020
- Created: 31st May 2024
- Updated: 25th July 2024
- Platform: Windows
- Contributor: The ITM Team
Shellbags, USB Removable Storage
Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.
Shellbags are located in the following registry keys:
Windows XP
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRUNTUSER.DAT\Software\Microsoft\Windows\Shell\BagsNTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRUNTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags
Windows 7 and later
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRUNTUSER.DAT\Software\Microsoft\Windows\Shell\BagsUsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRUUsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive.
Sections
| ID | Name | Description |
|---|---|---|
| PR002 | Device Mounting | A subject may mount an external device or network device to establish a means of exfiltrating sensitive data. |
| ME005 | Removable Media | A subject can mount and write to removable media. |
| IF002 | Exfiltration via Physical Medium | A subject may exfiltrate data via a physical medium, such as a removable drive. |
| PR014.001 | USB Mass Storage Device Formatting | A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system. |
| IF002.001 | Exfiltration via USB Mass Storage Device | A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive. |
| PR002.001 | USB Mass Storage Device Mounting | A subject may attempt to mount a USB Mass Storage device on a target system. |
| ME005.001 | USB Mass Storage | A subject can mount and write to a USB mass storage device. |
| ME005.002 | SD Cards | A subject can mount and write to an SD card, either directly from the system, or through a USB connector. |
| IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |