Drive enumeration using PowerShell (Get-PSDrive), wmic logicaldisk, or Win32 API calls is indicative of local volume enumeration when performed by non-admin users or executed outside of baseline system inventory scripts.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| user_context | Non-system accounts performing drive enumeration may be higher-fidelity indicators than SYSTEM or service accounts |
| parent_process_name | Baseline parent-child process lineage can help distinguish admin tools from malicious scripts |
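The Windows analytic and its two tuning fields, applied to constructed Sysmon Event ID 1 records as an added example (this is not code from the original page or from any detection project). Field names follow Sysmon's own (User, CommandLine, ParentImage); the baseline inventory-agent path and the sample events are assumptions made for illustration.

```python
"""Detection for drive enumeration on Windows, run over constructed Sysmon
Event ID 1 (process creation) records. Added example; the baseline parent
path and sample events are hypothetical."""
import re

# Command-line patterns for the enumeration tools named in the analytic.
DRIVE_ENUM_PATTERNS = [
    re.compile(r"Get-PSDrive", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\blogicaldisk\b", re.IGNORECASE),
    re.compile(r"Win32_LogicalDisk", re.IGNORECASE),   # WMI class behind 'wmic logicaldisk'
]

# user_context tuning: accounts under which enumeration is routine.
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# parent_process_name tuning: assumed baseline of sanctioned inventory
# scripts (hypothetical path, lower-cased for comparison).
BASELINE_PARENTS = {
    r"c:\program files\inventoryagent\inventory.exe",
}

def is_drive_enumeration(cmdline):
    return any(p.search(cmdline) for p in DRIVE_ENUM_PATTERNS)

def score_event(event):
    """Return (alert, reason) for one Sysmon EventID 1 record."""
    if event.get("EventID") != 1:
        return False, "not a process-creation event"
    if not is_drive_enumeration(event.get("CommandLine", "")):
        return False, "no drive enumeration in command line"
    parent = event.get("ParentImage", "").lower()
    if parent in BASELINE_PARENTS:
        return False, "baseline inventory parent"
    user = event.get("User", "")
    if user in SYSTEM_ACCOUNTS:
        # Still enumeration, but management tooling commonly runs as SYSTEM.
        return True, "drive enumeration under system account (low fidelity)"
    return True, f"drive enumeration by non-system user {user} (high fidelity)"

def detect(events):
    """Return (event, reason) pairs for every record that alerts."""
    return [(ev, r) for ev in events for a, r in [score_event(ev)] if a]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Get-PSDrive -PSProvider FileSystem"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic logicaldisk get caption,size,freespace",
     "ParentImage": r"C:\Program Files\InventoryAgent\inventory.exe"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic logicaldisk get name",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev['User']}: {ev['CommandLine']} <- {ev['ParentImage']} :: {reason}")
```

The sanctioned inventory run (second record) is suppressed by the parent allow-list even though its command line matches; the two user-context executions alert at high fidelity. Tune BASELINE_PARENTS from your own inventory tooling rather than the placeholder here.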
Abnormal use of lsblk, fdisk -l, lshw -class disk, or parted by non-admin users or within non-interactive shells suggests suspicious disk enumeration activity.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk) |
| Command Execution (DC0064) | auditd:EXECVE | command line arguments containing lsblk, fdisk, parted |
| Field | Description |
|---|---|
| TTY_type | Detection can exclude interactive TTY sessions to reduce false positives from admin usage |
| shell_parent | Differentiate between interactive user shells vs. script-based execution |
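The Linux analytic as an added example (not from the original page): auditd emits the SYSCALL and EXECVE records of one execve as separate lines sharing an event serial, so the code groups by serial, rebuilds argv from the EXECVE record, and applies the TTY and non-admin tuning from the SYSCALL record. The audit lines are constructed, and treating only auid 0 as an admin is an assumption.

```python
"""Group auditd SYSCALL/EXECVE records by serial and flag disk enumeration by
non-admin users or from non-interactive sessions. Added example; the sample
log lines are constructed and the admin auid set is an assumption."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

ADMIN_AUIDS = {"0"}          # assumption: only root is treated as admin
UNSET_AUID = "4294967295"    # auditd value for an unset login uid (no session)

def parse_record(line):
    """Fields of one auditd line; values keep their unquoted text.
    (auditd hex-encodes arguments containing special characters; those are
    not decoded here.)"""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_serial"] = m.group(2)
    return fields

def group_events(lines):
    """serial -> {record type -> fields}"""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]][rec["type"]] = rec
    return events

def argv_of(execve):
    return [execve.get(f"a{i}", "") for i in range(int(execve.get("argc", "0")))]

def is_disk_enumeration(argv):
    """Match the commands named in the analytic; lshw only for -class disk."""
    if not argv:
        return False
    base = argv[0].rsplit("/", 1)[-1]
    if base in ("lsblk", "parted"):
        return True
    if base == "fdisk":
        return "-l" in argv[1:]
    if base == "lshw":
        return any(a == "-class" and argv[i + 1] == "disk"
                   for i, a in enumerate(argv[:-1]))
    return False

def evaluate(events):
    alerts = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex:
            continue
        argv = argv_of(ex)
        if not is_disk_enumeration(argv):
            continue
        auid = sc.get("auid")
        non_interactive = sc.get("tty") == "(none)"      # TTY_type tuning
        non_admin = auid not in ADMIN_AUIDS and auid != UNSET_AUID
        reasons = [r for r, hit in (("non-interactive", non_interactive),
                                    ("non-admin auid", non_admin)) if hit]
        if reasons:
            alerts.append({"serial": serial, "auid": auid, "tty": sc.get("tty"),
                           "ppid": sc.get("ppid"), "argv": argv, "reasons": reasons})
    return alerts

# Constructed audit records (not captured from a real host).
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=912 pid=913 auid=1001 uid=1001 gid=1001 euid=1001 tty=(none) ses=4 comm="lsblk" exe="/usr/bin/lsblk" key="disk_enum"',
    'type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="lsblk" a1="-o" a2="NAME,SIZE,TYPE"',
    'type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="fdisk" exe="/usr/sbin/fdisk" key="disk_enum"',
    'type=EXECVE msg=audit(1700000000.102:502): argc=2 a0="fdisk" a1="-l"',
    'type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=59 success=yes exit=0 ppid=3300 pid=3301 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=9 comm="parted" exe="/usr/sbin/parted" key="disk_enum"',
    'type=EXECVE msg=audit(1700000000.103:503): argc=2 a0="parted" a1="-l"',
    'type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=yes exit=0 ppid=912 pid=914 auid=1001 uid=1001 gid=1001 euid=1001 tty=(none) ses=4 comm="lshw" exe="/usr/bin/lshw" key="disk_enum"',
    'type=EXECVE msg=audit(1700000000.104:504): argc=3 a0="lshw" a1="-class" a2="network"',
    'type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2102 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="ls" exe="/usr/bin/ls"',
    'type=EXECVE msg=audit(1700000000.105:505): argc=2 a0="ls" a1="-la"',
]

if __name__ == "__main__":
    for a in evaluate(group_events(SAMPLE_AUDIT_LOG)):
        print(f"ALERT serial={a['serial']} auid={a['auid']} tty={a['tty']} "
              f"ppid={a['ppid']} argv={' '.join(a['argv'])} :: {', '.join(a['reasons'])}")
```

Serial 502 (root, interactive pts0) is the admin case the TTY filter is meant to drop; 501 alerts on both criteria and 503 only because the auid is non-admin. The ppid is carried through so the shell_parent check can be resolved against your process tree.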
Disk enumeration via diskutil list or system_profiler SPStorageDataType run outside of an interactive user login session or not associated with system inventory tools.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process launch of diskutil or system_profiler with SPStorageDataType |
| Command Execution (DC0064) | macos:unifiedlog | log messages related to disk enumeration context or Terminal session |
| Field | Description |
|---|---|
| launch_agent_context | Unexpected use of disk enumeration tools from GUI apps or LaunchAgents may indicate abuse |
| volume_name_filter | Filter known baseline volume names or identifiers used by common device configurations |
Use of esxcli storage or vim-cmd vmsvc/getallvms by unusual sessions or through interactive shells unrelated to administrative maintenance tasks.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | esxi:hostd | execution of esxcli with args matching 'storage', 'filesystem', 'core device list' |
| User Account Authentication (DC0002) | esxi:auth | interactive shell or SSH access preceding storage enumeration |
| Field | Description |
|---|---|
| ssh_source_ip | Restrict alerts to unexpected remote sessions accessing host storage commands |
| esxcli_command_scope | Tailor detection based on subcommands more likely to be abused |
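The ESXi analytic correlates two data components: an SSH login (DC0002) followed by storage enumeration from the shell (DC0032). The added example below (not code from the original page) does that correlation over constructed log lines, applying the ssh_source_ip allow-list and the esxcli_command_scope subcommand filter. The line formats, the management jump host address and the 30-minute window are assumptions made for this example, not a verified rendering of ESXi auth.log or shell.log.

```python
"""Correlate ESXi SSH logins with later storage-enumeration commands.
Added example; the log line formats, the allow-list and the window are
assumptions, so adjust the regexes to the host's real auth/shell logs."""
import re
from datetime import datetime, timedelta

MGMT_ALLOWLIST = {"10.10.0.5"}     # assumption: jump host used for maintenance
WINDOW = timedelta(minutes=30)     # assumption: how long a login "explains" a command

# Constructed line shapes (assumed, not verified against ESXi):
#   <ts> sshd[<pid>]: SSH session was opened for '<user>@<ip>'
#   <ts> shell[<pid>]: [<user>]: <command line>
AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: SSH session was opened for '([^@']+)@([\d.]+)'")
SHELL_RE = re.compile(r"^(\S+) shell\[\d+\]: \[([^\]]+)\]: (.+)$")

# esxcli_command_scope: 'storage filesystem' and 'storage core device list'
# both fall under 'esxcli storage'; vim-cmd vmsvc/getallvms is named by the analytic.
SCOPE_RE = re.compile(r"^\s*(esxcli\s+storage\b|vim-cmd\s+vmsvc/getallvms\b)")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(lines):
    """Return alerts for in-scope commands not explained by an allow-listed login.
    Lines are assumed to be in time order."""
    logins = []     # (time, user, source ip)
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            logins.append((ts(m.group(1)), m.group(2), m.group(3)))
            continue
        m = SHELL_RE.match(line)
        if not m or not SCOPE_RE.match(m.group(3)):
            continue
        when, user, cmd = ts(m.group(1)), m.group(2), m.group(3).strip()
        recent = [l for l in logins
                  if l[1] == user and timedelta(0) <= when - l[0] <= WINDOW]
        if not recent:
            alerts.append({"time": when, "user": user, "cmd": cmd, "src": None,
                           "reason": "no recent SSH login correlated"})
            continue
        _, _, ip = max(recent)     # most recent login by this user
        if ip not in MGMT_ALLOWLIST:    # ssh_source_ip tuning
            alerts.append({"time": when, "user": user, "cmd": cmd, "src": ip,
                           "reason": "storage enumeration after SSH login from non-management address"})
    return alerts

# Constructed sample lines (not captured from a real host).
SAMPLE_LOG = [
    "2024-03-01T09:00:12Z sshd[2001]: SSH session was opened for 'root@10.10.0.5'",
    "2024-03-01T09:05:40Z shell[2010]: [root]: esxcli storage filesystem list",
    "2024-03-01T09:06:02Z shell[2010]: [root]: esxcli network ip interface list",
    "2024-03-01T13:42:03Z sshd[3100]: SSH session was opened for 'root@198.51.100.77'",
    "2024-03-01T13:43:10Z shell[3105]: [root]: esxcli storage core device list",
    "2024-03-01T13:43:31Z shell[3105]: [root]: vim-cmd vmsvc/getallvms",
    "2024-03-01T18:10:00Z shell[4000]: [root]: esxcli storage filesystem list",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"ALERT {a['time']:%H:%M:%S} {a['user']} src={a['src']} :: {a['cmd']} :: {a['reason']}")
```

The morning maintenance from the allow-listed jump host is suppressed; the two commands after the login from 198.51.100.77 alert with the source address attached, and the evening command with no login inside the window alerts separately so an analyst can check whether it came from the DCUI console or an unlogged session.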