Detections
- Home
- - Detections
- -DT023
- ID: DT023
- Created: 31st May 2024
- Updated: 31st May 2024
- Platform: Windows
- Contributor: The ITM Team
MountedDevices Registry Key
Located at HKLM\SYSTEM\MountedDevices
, this registry key provides insights into the most recently mounted devices mounted to the system, such as USB drives, hard drives, and other storage devices. It records detailed information that may include; drive letter, volume GUID, and information from the USBSTOR registry key.
These details can be cross-referenced with evidence in the USB and USBSTOR registry keys.
Sections
ID | Name | Description |
---|---|---|
PR014.001 | USB Mass Storage Device Formatting | A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system. |
IF002.001 | Exfiltration via USB Mass Storage Device | A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive. |
IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |