Drive Creation (3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f)
The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples:
- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter
E:\on a Windows machine. - Network Drive Mapping: A network share
\\server\shareis mapped to the driveZ:\. - Virtual Drive Creation: A virtual disk is mounted on
/mnt/virtualdriveusing an ISO image or a virtual hard disk (VHD). - Cloud Storage Mounting: Google Drive is mounted as
G:\on a Windows machine using a cloud sync tool. - External Storage Integration: An external HDD or SSD is connected and assigned
/mnt/externalon a Linux system.
This data component can be collected through the following measures:
Windows Event Logs
- Relevant Events:
- Event ID 98: Logs the creation of a volume (mount or new drive letter assignment).
- Event ID 1006: Logs removable storage device insertions.
- Configuration: Enable "Removable Storage Events" in the Group Policy settings:
Computer Configuration > Administrative Templates > System > Removable Storage Access
Linux System Logs
-
Command-Line Monitoring: Use
dmesgorjournalctlto monitor mount events. -
Auditd Configuration: Add audit rules to track mount points.
- Logs can be reviewed in /var/log/audit/audit.log.
macOS System Logs
- Unified Logs: Monitor system logs for mount activity:
- Command-Line Tools: Use
diskutil listto verify newly created or mounted drives.
Endpoint Detection and Response (EDR) Tools
- EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events.
SIEM Tools
- Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.