ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT020
  • Created: 31st May 2024
  • Updated: 25th July 2024
  • Platform: Windows
  • Contributor: The ITM Team

Shellbags, USB Removable Storage

Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.

Shellbags are located in the following registry keys:

Windows XP

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

 

Windows 7 and later

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
 

Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive.

Sections

ID Name Description
PR002Device Mounting

A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.

ME005Removable Media

A subject can mount and write to removable media.

IF002Exfiltration via Physical Medium

A subject may exfiltrate data via a physical medium, such as a removable drive.

PR014.001USB Mass Storage Device Formatting

A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.

IF002.001Exfiltration via USB Mass Storage Device

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.

PR002.001USB Mass Storage Device Mounting

A subject may attempt to mount a USB Mass Storage device on a target system.

ME005.001USB Mass Storage

A subject can mount and write to a USB mass storage device.

ME005.002SD Cards

A subject can mount and write to an SD card, either directly from the system, or through a USB connector.

IF002.006Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.