
Drive Access (73ff2dcc-24b1-4368-b9dc-706dd9e68354)

Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., C:\, /mnt/drive) or mount point. Examples:

  • Removable Drive Insertion: A USB drive is inserted, assigned the letter F:\, and files are accessed.
  • Network Drive Mounting: A network share \\server\share is mapped to the drive Z:\.
  • External Hard Drive Access: An external drive is connected, mounted at /mnt/backup, and accessed for copying files.
  • System Volume Access: The system volume C:\ is accessed for modifications to critical files.
  • Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts.

This data component can be collected through the following measures:

Windows Event Logs

  • Relevant Events:
      • Event ID 4663: Logs access to file or folder objects.
      • Event ID 4656: Logs a request for a handle to an object such as a drive or file.
  • Configuration:
      • Enable auditing for "Object Access" in Local Security Policy.
      • Use Group Policy for broader deployment: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access
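Once "Object Access" auditing is on, the useful part of a 4663 event is its AccessMask, which says whether the object was read or changed, and its ObjectName, which carries the drive letter. The block below is an added example (not code from MITRE or MISP) that parses a 4663 event exported as XML, decodes the AccessMask into the standard file access-right bits, and flags writes to drive letters outside a constructed EXPECTED_DRIVES set. The sample events, the parse_4663 and unusual_drive_writes functions and EXPECTED_DRIVES are all assumptions made for this example; the bit meanings are the standard Windows file access rights.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File/directory access-right bits as reported in the 4663 AccessMask field.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Any of these bits means the object was (or could be) changed, not merely read.
WRITE_MASK = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
DRIVE_ROOT_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\")

# Constructed: drive letters that normally see writes on this host.
EXPECTED_DRIVES = {"C", "D"}

# Constructed sample events, shaped like Get-WinEvent's .ToXml() output.
SAMPLE_4663_WRITE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">F:\reports\payroll.xlsx</Data>
    <Data Name="AccessMask">0x2</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""
SAMPLE_4663_READ = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Windows\System32\drivers\etc\hosts</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>"""
SAMPLE_4656 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4656</EventID><Channel>Security</Channel></System>
  <EventData><Data Name="ObjectName">F:\reports</Data><Data Name="AccessMask">0x1</Data></EventData>
</Event>"""


def parse_4663(xml_text):
    """Return who accessed what, with decoded rights, or None if this is not a 4663."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    mask = int(data.get("AccessMask", "0x0"), 16)  # logged as a hex string, e.g. "0x2"
    m = DRIVE_ROOT_RE.match(data.get("ObjectName", ""))
    return {
        "user": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
        "process": data.get("ProcessName"),
        "object": data.get("ObjectName"),
        "drive": m.group("drive").upper() if m else None,
        "rights": [name for bit, name in ACCESS_BITS.items() if mask & bit],
        "write": bool(mask & WRITE_MASK),
    }


def unusual_drive_writes(xml_events):
    """Detection rule: modifying access to a drive letter we do not expect writes on."""
    flagged = []
    for xml_text in xml_events:
        ev = parse_4663(xml_text)
        if ev and ev["write"] and ev["drive"] not in EXPECTED_DRIVES:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in unusual_drive_writes([SAMPLE_4663_WRITE, SAMPLE_4663_READ, SAMPLE_4656]):
        print(f'{ev["user"]} via {ev["process"]} wrote {ev["object"]} ({", ".join(ev["rights"])})')
```

On a real host the XML would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663}` and each event's `.ToXml()`; the same decoding applies to 4656, which reports the rights requested when the handle was opened rather than the access actually exercised.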

Linux System Logs

  • Command-Line Monitoring: Use the dmesg or journalctl command to monitor drive mount/unmount events.
  • Auditd Configuration: Add an audit rule for drive access: auditctl -w /mnt/drive -p rwxa -k drive_access
  • Review logs via /var/log/audit/audit.log.

macOS System Logs

  • Command-Line Monitoring: Use diskutil list or fs_usage to monitor drive access and mount points.
  • Unified Logs: Query unified logs using log show for drive-related activities: log show --info | grep "mount"

Endpoint Detection and Response (EDR) Tools

  • Use EDR solutions to monitor drive activities and collect detailed forensic data.

SIEM Tools

  • Ingest logs from endpoints to detect drive access patterns. Configure rules to alert on unusual or unauthorized drive access.
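The auditd watch given in the Linux section (`auditctl -w /mnt/drive -p rwxa -k drive_access`) writes each access as several records in /var/log/audit/audit.log that share one `msg=audit(timestamp:serial)` identifier, and the SIEM section asks for a rule over those records. The block below is an added example (not MISP's or MITRE's code) that reassembles the records of each event, works out from the syscall and open(2) flags whether the access modified the drive, and applies a simple rule: alert on a modifying access by a program outside a constructed ALLOWED_WRITERS allowlist. The syscall-number table assumes x86_64 (`arch=c000003e`), and the audit.log excerpt is constructed for the example with fields trimmed for brevity; the function names are my own.

```python
import re
from collections import defaultdict

# Subset of x86_64 syscall numbers (arch=c000003e in the SYSCALL record) that a
# "-p rwxa" watch commonly reports; anything else is kept as "syscall_<n>".
SYSCALLS = {0: "read", 1: "write", 2: "open", 82: "rename", 87: "unlink",
            90: "chmod", 257: "openat", 263: "unlinkat"}
MODIFYING = {"write", "rename", "unlink", "unlinkat", "chmod"}
O_ACCMODE = 0o3  # low bits of the open(2) flags: 0=O_RDONLY, 1=O_WRONLY, 2=O_RDWR

# Constructed allowlist: programs expected to modify the mount point (the backup job).
ALLOWED_WRITERS = {"/usr/bin/rsync"}

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed audit.log excerpt: four events keyed drive_access and one event from
# another rule (key=(null)); fields irrelevant to the example are omitted.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4321): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c2a0b2c0 a2=241 a3=1b6 items=2 pid=1234 auid=1000 uid=1000 comm="cp" exe="/usr/bin/cp" key="drive_access"
type=CWD msg=audit(1700000000.101:4321): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:4321): item=0 name="/mnt/drive/" inode=2 dev=08:11 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000000.101:4321): item=1 name="/mnt/drive/payroll.xlsx" inode=15 dev=08:11 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1700000000.202:4322): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d3c2a0b400 a2=241 a3=1b6 items=2 pid=1300 auid=0 uid=0 comm="rsync" exe="/usr/bin/rsync" key="drive_access"
type=PATH msg=audit(1700000000.202:4322): item=0 name="/mnt/drive/" inode=2 dev=08:11 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000000.202:4322): item=1 name="/mnt/drive/backup.tar" inode=16 dev=08:11 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1700000000.303:4323): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c2a0b500 a2=0 a3=0 items=1 pid=1400 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="drive_access"
type=PATH msg=audit(1700000000.303:4323): item=0 name="/mnt/drive/readme.txt" inode=17 dev=08:11 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:4324): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d3c2a0b600 a2=0 a3=0 items=2 pid=1500 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="drive_access"
type=PATH msg=audit(1700000000.404:4324): item=0 name="/mnt/drive/" inode=2 dev=08:11 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000000.404:4324): item=1 name="/mnt/drive/payroll.xlsx" inode=15 dev=08:11 mode=0100644 nametype=DELETE
type=SYSCALL msg=audit(1700000000.505:4325): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c2a0b700 a2=0 a3=0 items=1 pid=1600 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.505:4325): item=0 name="/etc/hosts" inode=99 dev=08:01 mode=0100644 nametype=NORMAL
"""


def parse_record(line):
    """Split one audit.log line into its type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    fields.update(type=m.group("type"), ts=float(m.group("ts")),
                  serial=int(m.group("serial")))
    return fields


def group_events(lines):
    """Reassemble events: every record of one event carries the same serial number."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def summarize_event(records, key="drive_access"):
    """Reduce one event to who touched what on the watched drive; None if not our key."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None or syscall.get("key") != key:
        return None
    num = int(syscall.get("syscall", -1))
    name = SYSCALLS.get(num, f"syscall_{num}")
    modifies = name in MODIFYING
    # For open/openat the access mode is in the flags argument (a1 / a2, logged in hex).
    flags_arg = {"open": "a1", "openat": "a2"}.get(name)
    if flags_arg is not None:
        modifies = (int(syscall.get(flags_arg, "0"), 16) & O_ACCMODE) != 0
    paths = [r.get("name") for r in records
             if r["type"] == "PATH" and r.get("nametype") != "PARENT"]
    return {"serial": syscall["serial"], "ts": syscall["ts"], "syscall": name,
            "modifies": modifies, "exe": syscall.get("exe"), "comm": syscall.get("comm"),
            "auid": syscall.get("auid"), "paths": paths}


def drive_access_events(lines):
    """All drive_access events in serial order."""
    grouped = sorted(group_events(lines).items())
    return [e for e in (summarize_event(recs) for _, recs in grouped) if e]


def alerts(lines):
    """SIEM-style rule: a modifying access by a program that is not on the allowlist."""
    return [e for e in drive_access_events(lines)
            if e["modifies"] and e["exe"] not in ALLOWED_WRITERS]


if __name__ == "__main__":
    for e in alerts(SAMPLE_LOG.splitlines()):
        print(f'ALERT auid={e["auid"]} {e["exe"]} {e["syscall"]} {e["paths"]}')
```

Run against the real file with `alerts(open("/var/log/audit/audit.log").read().splitlines())`; `ausearch -k drive_access` produces the same records already filtered by key, so the parser works on its output as well.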
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | Drive Access (73ff2dcc-24b1-4368-b9dc-706dd9e68354) | mitre-data-component | 1 |
| Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | Drive Access (73ff2dcc-24b1-4368-b9dc-706dd9e68354) | mitre-data-component | 1 |
| Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) | Attack Pattern | Drive Access (73ff2dcc-24b1-4368-b9dc-706dd9e68354) | mitre-data-component | 1 |
| Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) | Attack Pattern | Drive Access (73ff2dcc-24b1-4368-b9dc-706dd9e68354) | mitre-data-component | 1 |
| Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | Drive Access (73ff2dcc-24b1-4368-b9dc-706dd9e68354) | mitre-data-component | 1 |
| Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) | Attack Pattern | Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | 2 |
| Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) | Attack Pattern | Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) | Attack Pattern | 2 |