Suspicious enumeration of attached peripherals via WMI, PowerShell, or low-level API calls, potentially chained with removable device interactions.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| CommandLineRegex | Regex patterns for device enumeration utilities (e.g., 'Get-PnpDevice', 'wmic path Win32_USBController') |
| TimeWindow | Time threshold for grouping device discovery with follow-on access or manipulation |
| UserContext | Filter privileged or service accounts known to legitimately execute enumeration scripts |
Enumeration of USB and other peripheral hardware via udevadm, lshw, or the /sys or /proc interfaces in proximity to collection or mounting behavior.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Access (DC0055) | auditd:SYSCALL | open/read |
| Drive Access (DC0054) | linux:osquery | hardware_events |

| Field | Description |
|---|---|
| ExecutableList | Set of binaries used for peripheral enumeration (e.g., 'lshw', 'lsusb', 'udevadm') |
| UserContext | Tuning based on which users/scripts are authorized to query device state |
Execution of system utilities like 'system_profiler' and 'ioreg' to enumerate hardware components or USB devices, particularly if followed by clipboard, file, or network activity.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process exec |
| Drive Access (DC0054) | macos:osquery | usb_devices |

| Field | Description |
|---|---|
| BinaryList | Commands like 'system_profiler SPUSBDataType', 'ioreg -p IOUSB' that may indicate enumeration |
| TimeWindow | Temporal grouping of enumeration with follow-on activity (e.g., clipboard capture, exfiltration) |
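The three analytics above share one shape: match an enumeration utility (CommandLineRegex / ExecutableList / BinaryList), suppress allow-listed accounts (UserContext), and only alert when follow-on drive, file, clipboard or network activity by the same user lands inside TimeWindow. The block below is an added, self-contained illustration of that logic in Python; it is not code from the page or from ATT&CK. It runs over a constructed, already-normalised event list rather than raw 4688, auditd or unified log records, and the `Get-CimInstance`/`Get-WmiObject` `Win32_PnPEntity` variants and the `/sys/bus/usb`, `/proc/bus/usb` path prefixes are assumed additions to the utilities the page names.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Per-platform enumeration patterns. The utilities named on the page are
# Get-PnpDevice, wmic path Win32_USBController, lshw, lsusb, udevadm,
# system_profiler SPUSBDataType and ioreg -p IOUSB; the Get-CimInstance /
# Get-WmiObject Win32_PnPEntity forms are an assumed addition.
ENUM_PATTERNS = {
    "windows": re.compile(
        r"Get-PnpDevice"
        r"|wmic(\.exe)?\s+path\s+Win32_(USBController|PnPEntity)"
        r"|Get-(CimInstance|WmiObject)\s+.*Win32_(USBController|PnPEntity)",
        re.IGNORECASE,
    ),
    "linux": re.compile(r"(^|/)(lshw|lsusb|udevadm)(\s|$)"),
    "macos": re.compile(r"system_profiler\s+.*SPUSBDataType|ioreg\s+.*-p\s+IOUSB"),
}

# Reads under these prefixes (auditd open/read, File Access DC0055) also count
# as enumeration on Linux. Assumed prefixes, not from the page.
LINUX_ENUM_PATHS = ("/sys/bus/usb/", "/proc/bus/usb/")

# Event kinds that count as follow-on activity after enumeration.
FOLLOW_ON_KINDS = {"drive_access", "file_access", "network", "clipboard"}


@dataclass
class Event:
    ts: datetime
    platform: str   # "windows" | "linux" | "macos"
    kind: str       # "process_create" | "file_access" | "drive_access" | "network" | "clipboard"
    user: str
    detail: str     # command line, path, device or destination


def is_enumeration(ev: Event) -> bool:
    """True when the event is a peripheral-enumeration command or sysfs/procfs read."""
    if ev.kind == "process_create":
        return bool(ENUM_PATTERNS[ev.platform].search(ev.detail))
    if ev.kind == "file_access" and ev.platform == "linux":
        return ev.detail.startswith(LINUX_ENUM_PATHS)
    return False


def detect(events, time_window=timedelta(minutes=5), allowlisted_users=frozenset()):
    """Return one alert per enumeration event that is followed, within
    time_window, by follow-on activity from the same user on the same host
    platform. Accounts in allowlisted_users (UserContext) never alert."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev.user in allowlisted_users or not is_enumeration(ev):
            continue
        follow_on = [
            f for f in ordered[i + 1:]
            if f.ts - ev.ts <= time_window
            and f.user == ev.user and f.platform == ev.platform
            and f.kind in FOLLOW_ON_KINDS and not is_enumeration(f)
        ]
        if follow_on:
            alerts.append({
                "platform": ev.platform,
                "user": ev.user,
                "enumeration": ev.detail,
                "follow_on": [(f.kind, f.detail) for f in follow_on],
            })
    return alerts


# Constructed sample events (not real telemetry), one scenario per platform.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # Windows: 4688 PowerShell enumeration, then removable drive access 40 s later.
    Event(T0, "windows", "process_create", "jdoe", 'powershell.exe -c "Get-PnpDevice -Class USB"'),
    Event(T0 + timedelta(seconds=40), "windows", "drive_access", "jdoe", "E:\\ (removable)"),
    # Windows: same pattern from an inventory service account (UserContext tuning).
    Event(T0 + timedelta(minutes=10), "windows", "process_create", "svc_inventory",
          "wmic path Win32_USBController get DeviceID"),
    Event(T0 + timedelta(minutes=10, seconds=5), "windows", "drive_access", "svc_inventory", "E:\\ (removable)"),
    # Linux: sysfs read of a USB device attribute, then a USB block device is mounted.
    Event(T0 + timedelta(hours=1), "linux", "file_access", "alice", "/sys/bus/usb/devices/1-1/idVendor"),
    Event(T0 + timedelta(hours=1, seconds=90), "linux", "drive_access", "alice", "/dev/sdb1 mounted at /media/usb0"),
    # Linux: lsusb with network activity only 30 min later, outside the window.
    Event(T0 + timedelta(hours=2), "linux", "process_create", "bob", "/usr/bin/lsusb -v"),
    Event(T0 + timedelta(hours=2, minutes=30), "linux", "network", "bob", "203.0.113.10:443"),
    # macOS: system_profiler enumeration followed by clipboard capture.
    Event(T0 + timedelta(hours=3), "macos", "process_create", "carol", "/usr/sbin/system_profiler SPUSBDataType"),
    Event(T0 + timedelta(hours=3, seconds=20), "macos", "clipboard", "carol", "pbpaste"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowlisted_users=frozenset({"svc_inventory"})):
        print(alert)
```

With the five-minute default window and `svc_inventory` allow-listed, the run produces three alerts (jdoe on Windows, alice on Linux, carol on macOS); bob's `lsusb` is dropped because the only follow-on activity falls outside the window, and the service account is dropped by UserContext. Tightening or widening `time_window` and the allow-list is exactly the tuning the mutable fields above describe.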