
Insider Threat Matrix™
  • ID: DT022
  • Created: 31st May 2024
  • Updated: 23rd October 2025
  • Platform: Windows
  • MITRE ATT&CK®: DS0024
  • Contributor: The ITM Team

USB Registry Key

The USB registry key, located at HKLM\SYSTEM\ControlSet001\Enum\USB, is a rich source of information about USB devices that have been connected to a Windows system. The information typically found under this key includes connection status, information from the USBSTOR registry key, the key's last write time, and the device installation date.

These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.
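The following PowerShell script is an added example, not part of the ITM page, showing how an analyst can walk the key described above and cross-reference each device instance with USBSTOR. It assumes the ControlSet001 path the page cites, uses the ContainerID value present on both the USB and USBSTOR instance keys as the join key, reads the key's last write time through RegQueryInfoKeyW (which the .NET registry API does not expose), and reads the PnP install/arrival/removal timestamps from the Properties subkey; that subkey is ACL-restricted, so those columns may come back empty unless the shell has sufficient privileges.

```powershell
# Added example (not from the ITM page). Run in an elevated PowerShell on the system under review.
# Assumptions: ControlSet001 as cited on the page; ContainerID as the USB <-> USBSTOR join key;
# the Properties subkey holding PnP timestamps may be unreadable without SYSTEM-level rights.

$controlSet = 'HKLM:\SYSTEM\ControlSet001\Enum'
$usbRoot    = Join-Path $controlSet 'USB'
$storRoot   = Join-Path $controlSet 'USBSTOR'

# RegistryKey has no LastWriteTime property; RegQueryInfoKeyW returns it as a FILETIME.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class RegLastWrite {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryInfoKeyW(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass,
        IntPtr lpReserved, IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
        IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
        IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
    public static DateTime Get(IntPtr hKey) {
        long ft;
        int rc = RegQueryInfoKeyW(hKey, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out ft);
        if (rc != 0) { throw new System.ComponentModel.Win32Exception(rc); }
        return DateTime.FromFileTimeUtc(ft);
    }
}
"@

# DEVPKEY_Device_* timestamp properties live under Properties\<guid>\<id>, default value = 8-byte FILETIME.
$devPropGuid    = '{83da6326-97a6-4088-9453-a1923f573b29}'
$timestampProps = @{ '0064' = 'InstallDate'; '0065' = 'FirstInstallDate'; '0066' = 'LastArrival'; '0067' = 'LastRemoval' }

function Get-PnpTimestamps([string]$instancePath) {
    $result = @{}
    foreach ($id in $timestampProps.Keys) {
        $p = "$instancePath\Properties\$devPropGuid\$id"
        try {
            $raw = (Get-ItemProperty -LiteralPath $p -ErrorAction Stop).'(default)'
            if ($raw -is [byte[]] -and $raw.Length -eq 8) {
                $result[$timestampProps[$id]] = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
            } else { $result[$timestampProps[$id]] = $null }   # value type not surfaced as bytes
        } catch { $result[$timestampProps[$id]] = $null }       # access denied or key absent
    }
    return $result
}

# Index USBSTOR instances by ContainerID so each USB entry can be tied to its storage-class view.
$storByContainer = @{}
Get-ChildItem -LiteralPath $storRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $model = $_.PSChildName                      # e.g. Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
    foreach ($inst in Get-ChildItem -LiteralPath $_.PSPath) {
        $cid = $inst.GetValue('ContainerID')
        if ($cid) {
            $storByContainer[$cid] = [pscustomobject]@{
                Model        = $model
                Instance     = $inst.PSChildName
                FriendlyName = $inst.GetValue('FriendlyName')
            }
        }
    }
}

# Walk USB\VID_xxxx&PID_xxxx\<instance> and emit one record per device instance.
$records = foreach ($dev in Get-ChildItem -LiteralPath $usbRoot) {
    foreach ($inst in Get-ChildItem -LiteralPath $dev.PSPath) {
        $cid   = $inst.GetValue('ContainerID')
        $stor  = $null
        if ($cid) { $stor = $storByContainer[$cid] }
        $storModel = $null; $storName = $null
        if ($stor) { $storModel = $stor.Model; $storName = $stor.FriendlyName }
        $times = Get-PnpTimestamps $inst.PSPath
        [pscustomobject]@{
            VidPid       = $dev.PSChildName
            Instance     = $inst.PSChildName            # device serial, or a bus-generated ID containing '&'
            HasSerial    = ($inst.PSChildName -notmatch '&')
            Service      = $inst.GetValue('Service')    # 'USBSTOR' for mass storage class devices
            DeviceDesc   = $inst.GetValue('DeviceDesc')
            KeyLastWrite = [RegLastWrite]::Get($inst.Handle.DangerousGetHandle())
            InstallDate  = $times['InstallDate']
            LastArrival  = $times['LastArrival']
            LastRemoval  = $times['LastRemoval']
            UsbStorModel = $storModel
            UsbStorName  = $storName
        }
    }
}

# Mass storage devices only, most recent arrival first; drop the filter to see every USB device.
$records | Where-Object { $_.Service -eq 'USBSTOR' -or $_.UsbStorModel } |
    Sort-Object LastArrival -Descending |
    Format-Table VidPid, Instance, UsbStorName, InstallDate, LastArrival, LastRemoval, KeyLastWrite -AutoSize
```

The ContainerID join is preferred over matching the instance serial because devices without a hardware serial get a bus-generated instance ID (recognisable by the embedded `&`), which cannot be relied on to line up across the USB and USBSTOR trees. KeyLastWrite reflects the last registry write to the instance key and is not by itself a connection timestamp; the Properties timestamps, when readable, are the better indicator of first install and last arrival or removal.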

Sections

PR002 - Device Mounting

A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.

ME005 - Removable Media

A subject can mount and write to removable media.

PR014.001 - USB Mass Storage Device Formatting

A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.

IF002.001 - Exfiltration via USB Mass Storage Device

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard drive.

PR002.001 - USB Mass Storage Device Mounting

A subject may attempt to mount a USB Mass Storage device on a target system.

ME005.001 - USB Mass Storage

A subject can mount and write to a USB mass storage device.

ME005.002 - SD Cards

A subject can mount and write to an SD card, either directly from the system or through a USB connector.

IF002.006 - Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically, a USB to USB data transfer cable requires specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

AF022.003 - Portable Hypervisors

The subject uses a portable hypervisor to launch a virtual machine from removable media or user-space directories, enabling covert execution of tools, data staging, or operational activities. These hypervisors can run without installation, system-wide configuration changes, or elevated privileges, bypassing standard application control, endpoint detection, and logging.

Portable hypervisors are often used to:

  • Run a fully isolated virtual environment on a corporate system without administrator rights.
  • Avoid persistent installation footprints in the Windows registry, program files, or audit logs.
  • Stage and execute sensitive operations inside a contained guest OS, shielded from host-level EDR tools.
  • Exfiltrate or decrypt data using tools embedded in the VM image without writing them to disk.
  • Destroy or remove evidence simply by ejecting the device or deleting the VM directory.

Example Scenarios:

  • The subject carries a USB stick containing QEMU or VMware Workstation Player Portable, along with a pre-configured Linux VM that includes recon and exfiltration tools. They plug it into a shared workstation, launch the VM in user space, and remove the stick after completing the session.
  • A portable VirtualBox distribution is run from an unmonitored folder in the user's home directory. Inside the VM, the subject transfers staged data, compresses it, and initiates covert upload via proxy-aware tools, leaving no trace on the host system.
  • The subject uses an encrypted external SSD with VMware ThinApp to run virtualized applications (e.g., password extractors, tunneling tools) without installation or triggering AV signatures on the host.