T1120: Peripheral Device Discovery
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Windows:
— Monitoring of events with IDs 4103 and 4104 (PowerShell) where the command line input contains 'Get-WMIObject Win32_PnPEntity'.
— Monitoring of events related to execution of the WinPwn.ps1 cmdlet or its command 'printercheck'.
— Monitoring of process-start events where the command line input contains 'fsutil fsinfo drives'.
Linux:
— Monitoring of process-start events where the command line input contains 'lsusb', 'dmesg', 'usb-devices', 'lsblk', 'blkid', or 'fdisk -l'.
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
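As an added illustration (not part of the Positive Technologies page or MaxPatrol SIEM's own rule logic), the following Python matches the indicator strings listed above against normalised Windows PowerShell (4103/4104) and process-start events; the event schema and the sample events are constructed for this example.

```python
import re

# Indicator strings from the MaxPatrol SIEM coverage description above,
# keyed by "platform/source". Word boundaries keep short names such as
# "lsblk" from matching unrelated commands like "ls".
INDICATORS = {
    "windows/powershell": {
        "Win32_PnPEntity": re.compile(r"Get-WMIObject\s+Win32_PnPEntity", re.I),
        "WinPwn printercheck": re.compile(r"WinPwn\.ps1|\bprintercheck\b", re.I),
    },
    "windows/process_start": {
        "fsutil fsinfo drives": re.compile(r"\bfsutil\s+fsinfo\s+drives\b", re.I),
    },
    "linux/process_start": {
        "lsusb/dmesg/usb-devices/lsblk/blkid": re.compile(
            r"(?:^|[\s/])(?:lsusb|dmesg|usb-devices|lsblk|blkid)(?:\s|$)"),
        "fdisk -l": re.compile(r"(?:^|[\s/])fdisk\s+-l(?:\s|$)"),
    },
}
POWERSHELL_EVENT_IDS = {4103, 4104}  # script-block / module logging IDs named above

def classify_event(event):
    """Return the names of indicators found in one event dict (constructed
    schema: platform, source, event_id, command_line). Empty list = no match."""
    platform = event.get("platform", "").lower()
    source = event.get("source", "").lower()
    # PowerShell indicators apply only to the event IDs the coverage lists.
    if source == "powershell" and event.get("event_id") not in POWERSHELL_EVENT_IDS:
        return []
    patterns = INDICATORS.get(f"{platform}/{source}", {})
    text = event.get("command_line", "")
    return [name for name, rx in patterns.items() if rx.search(text)]

def scan_events(events):
    """Return (index, hits) for every event matching at least one indicator."""
    return [(i, classify_event(ev)) for i, ev in enumerate(events) if classify_event(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"platform": "windows", "source": "powershell", "event_id": 4104,
     "command_line": "Get-WmiObject Win32_PnPEntity | Select-Object Name"},
    {"platform": "windows", "source": "process_start", "command_line": "fsutil fsinfo drives"},
    {"platform": "linux", "source": "process_start", "command_line": "/usr/sbin/fdisk -l /dev/sda"},
    {"platform": "linux", "source": "process_start", "command_line": "ls -la /home/user"},
    {"platform": "linux", "source": "process_start", "command_line": "lsblk -o NAME,SIZE"},
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(idx, hits)
```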
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to gather information about attached peripheral devices and components connected to a computer system.
DS0009 | Process: OS API Execution | Monitor for API calls that may attempt to gather information about attached peripheral devices and components connected to a computer system.
DS0009 | Process: Process Creation | Monitor for newly executed processes that may attempt to gather information about attached peripheral devices and components connected to a computer system.