A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter[1]
Opening of a data storage device with an assigned drive letter or mount point
Opening of a data storage device with an assigned drive letter or mount point
| Domain | ID | Name | |
|---|---|---|---|
| Enterprise | T1092 | Communication Through Removable Media | |
| Enterprise | T1006 | Direct Volume Access | |
| Enterprise | T1561 | Disk Wipe | |
| .001 | Disk Content Wipe | ||
| .002 | Disk Structure Wipe | ||
Initial construction of a drive letter or mount point to a data storage device
Initial construction of a drive letter or mount point to a data storage device
| Domain | ID | Name | |
|---|---|---|---|
| Enterprise | T1092 | Communication Through Removable Media | |
| Enterprise | T1052 | Exfiltration Over Physical Medium | |
| .001 | Exfiltration over USB | ||
| Enterprise | T1091 | Replication Through Removable Media | |
Changes made to a drive letter or mount point of a data storage device
Changes made to a drive letter or mount point of a data storage device
| Domain | ID | Name | |
|---|---|---|---|
| Enterprise | T1561 | Disk Wipe | |
| .001 | Disk Content Wipe | ||
| .002 | Disk Structure Wipe | ||
| Enterprise | T1542 | Pre-OS Boot | |
| .003 | Bootkit | ||
| Enterprise | T1014 | Rootkit | |