
DC0042 Drive Creation

| Item | Value |
| --- | --- |
| ID | DC0042 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| auditd:SYSCALL | mknod,open,openat |
| auditd:SYSCALL | Removable media mount notification |
| auditd:SYSCALL | device event logs |
| auditd:SYSCALL | udev events or drive enumeration involving TinyPilot paths or device classes |
| auditd:SYSCALL | Kernel Device Events - USB Block Devices |
| Drive | None |
| journald:systemd | udisks2 or udevd logs |
| linux:osquery | mount_events |
| linux:syslog | Device attach logs containing TinyPilot/PiKVM identifiers |
| linux:syslog | New HID device enumeration with type 'keyboard' followed by immediate input injection |
| macos:unifiedlog | mounted |
| macos:unifiedlog | com.apple.diskarbitration |
| macos:unifiedlog | Volume Mount + File Read |
| macos:unifiedlog | Hardware enumeration events via IOKit or USBMuxd showing TinyPilot or unknown keyboard/mouse |
| macos:unifiedlog | Volume Mount + Process Trace + File Read |
| macos:unifiedlog | log stream --predicate 'eventMessage contains "USBMSC"' |
| macos:unifiedlog | New IOUSB keyboard/HID device enumerated with suspicious attributes |
| macos:osquery | mount_events |
| WinEventLog:System | Kernel-PnP 410/400 device install, disk added |
| WinEventLog:System | EventCode=1006 |
| WinEventLog:System | EventCode=1006, 10001 |
| WinEventLog:System | EventCode=2003 |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0090 | Cross-host C2 via Removable Media Relay | T1092 |
| DET0159 | Detect Remote Access via USB Hardware (TinyPilot, PiKVM) | T1219.003 |
| DET0069 | Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) | T1200 |
| DET0511 | Detection of Data Access and Collection from Removable Media | T1025 |
| DET0123 | Detection of Data Exfiltration via Removable Media | T1052 |
| DET0733 | Detection of Replication Through Removable Media | T0847 |
| DET0220 | Detection of USB-Based Data Exfiltration | T1052.001 |
| DET0568 | Detection Strategy for Input Injection | T1674 |
| DET0301 | Removable Media Execution Chain Detection via File and Process Activity | T1091 |