Drive Modification (4dcd8ba3-2075-4f8b-941e-39884ffaac08)
The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples:
- Drive Letter Reassignment: A USB drive previously assigned
E:\is reassigned toD:\on a Windows machine. - Mount Point Change: On a Linux system, a mounted storage device at
/mnt/externalis moved to/mnt/storage. - Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.
- Renaming of a Drive: A network drive labeled "HR_Share" is renamed to "Shared_Resources."
- Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.
This data component can be collected through the following measures:
Windows Event Logs
- Relevant Events:
- Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).
- Event ID 1006: Logs permission modifications or changes to removable storage.
- Configuration: Enable "Storage Operational Logs" in the Event Viewer:
Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational
Linux System Logs
- Auditd Configuration: Add audit rules to track changes to mounted drives:
auditctl -w /mnt/ -p w -k drive_modification - Command-Line Monitoring: Use
dmesgorjournalctlto observe drive modifications.
macOS System Logs
- Unified Logs: Collect mount or drive modification events:
log show --info | grep "Volume modified" - Command-Line Monitoring: Use
diskutilto track changes:
Endpoint Detection and Response (EDR) Tools
- Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.
SIEM Tools
- Aggregate logs from multiple systems into a centralized platform like Splunk to correlate events and alert on suspicious drive modification activities.