DS0016 Drive
A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter.
| Item | Value |
|---|---|
| ID | DS0016 |
| Platforms | Linux, Windows, macOS |
| Collection Layers | Host |
| Version | 1.0 |
| Created | 20 October 2021 |
| Last Modified | 30 March 2022 |
Data Components
Drive Access
Opening of a data storage device with an assigned drive letter or mount point
| Domain | ID | Name |
|---|---|---|
| enterprise | T1092 | Communication Through Removable Media |
| enterprise | T1006 | Direct Volume Access |
| enterprise | T1561 | Disk Wipe |
| enterprise | T1561.001 | Disk Content Wipe |
| enterprise | T1561.002 | Disk Structure Wipe |
Drive Creation
Initial construction of a drive letter or mount point to a data storage device
| Domain | ID | Name |
|---|---|---|
| enterprise | T1092 | Communication Through Removable Media |
| enterprise | T1052 | Exfiltration Over Physical Medium |
| enterprise | T1052.001 | Exfiltration over USB |
| enterprise | T1200 | Hardware Additions |
| enterprise | T1091 | Replication Through Removable Media |
| ics | T0847 | Replication Through Removable Media |
Drive Modification
Changes made to a drive letter or mount point of a data storage device
| Domain | ID | Name |
|---|---|---|
| enterprise | T1561 | Disk Wipe |
| enterprise | T1561.001 | Disk Content Wipe |
| enterprise | T1561.002 | Disk Structure Wipe |
| enterprise | T1542 | Pre-OS Boot |
| enterprise | T1542.003 | Bootkit |
| enterprise | T1014 | Rootkit |