Find drives/usb mass storage that were mounted
name: Windows.Mounted.Mass.Storage
author: "Yaniv Radunsky & Kobi Arami @ 10root cyber security"
description: |
Find drives/usb mass storage that were mounted
parameters:
- name: programKeys
default: >-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
queries:
- |
SELECT Key.Name as KeyName,
Key.Mtime AS KeyLastWriteTimestamp,
FriendlyName,
HardwareID
FROM read_reg_key(globs=split(string=programKeys, sep=',[\\s]*'),
accessor="registry")