ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT024
  • Created: 31st May 2024
  • Updated: 14th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

Windows Event Log, DriverFrameworks-UserMode

This Event log is not enabled by default.

The log file can be located at %systemroot%\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx.

Once a USB drive is connected, the logs will begin to populate. Each log entry includes the device ID (as registered in the system), the time it was logged, and a description of the occurrence.

Event ID 2003 marks the initiation of a USB device connection. This event logs when a USB device is first recognized and connected to the system. Event IDs 2100 and 2102 track when a USB device is disconnected or a connection session ends. Event ID 2100 typically captures an intermediate disconnection, while Event ID 2102 logs the final disconnection of the USB device. By correlating the timestamps associated with the same Device ID, an investigator can determine the duration for which a USB device was connected to the system.

Sections

ID Name Description
PR014.001USB Mass Storage Device Formatting

A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.

IF002.001Exfiltration via USB Mass Storage Device

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.

IF002.006Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.