
Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

ID: T1120

Tactic: Discovery

Platform: Windows

Permissions Required: User, Administrator, SYSTEM

Version: 1.0

Examples

Name | Description
ADVSTORESHELL

ADVSTORESHELL can list connected devices.[1]

APT28

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[2]

BADNEWS

BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.[3][4]

BlackEnergy

BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.[5]

Equation

Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.[6]

Gamaredon Group

Gamaredon Group tools contained an application to check performance of USB flash drives.[7]

MoonWind

MoonWind obtains the number of removable drives from the victim.[8]

Prikormka

A module in Prikormka collects information on available printers and disk drives.[9]

RTM

RTM can obtain a list of smart card readers attached to the victim.[10]

T9000

T9000 searches through connected drives for removable storage devices.[11]

USBStealer

USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[12]

XAgentOSX

XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.[13]

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them using application whitelisting tools [14] such as AppLocker [15][16] or Software Restriction Policies [17] where appropriate. [18]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information, in which case no command line is produced and the activity must be caught through other telemetry. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell, which do leave command-line evidence.
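The following is an added example, not code from the ATT&CK page, that applies the two points above to process-creation telemetry: it tags command lines that enumerate peripherals through WMI, PowerShell or built-in utilities, then alerts only when several distinct discovery behaviours cluster on one host and user within a short window, so that a single lookup is not judged in isolation. The tab-separated log format, the sample lines and the choice of patterns are assumptions made for the example; the cmdlets and utilities named in the patterns are real Windows tooling.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for command lines that enumerate peripherals. The cmdlets and
# utilities are real Windows tooling; watching exactly this set is an
# assumption of this example, not guidance taken from the ATT&CK page.
DISCOVERY_PATTERNS = [
    ("wmi_pnp_enum", re.compile(r"Win32_PnPEntity|Win32_USBHub|Win32_USBControllerDevice", re.I)),
    ("wmi_disk_enum", re.compile(r"Win32_DiskDrive|Win32_LogicalDisk|Win32_CDROMDrive", re.I)),
    ("ps_pnp_device", re.compile(r"\bGet-PnpDevice\b", re.I)),
    ("printer_enum", re.compile(r"\bGet-Printer\b|Win32_Printer", re.I)),
    ("fsutil_drives", re.compile(r"\bfsutil(\.exe)?\s+fsinfo\s+drives\b", re.I)),
    ("devcon", re.compile(r"\bdevcon(\.exe)?\s+(find|findall|listclass|hwids)\b", re.I)),
]

# Constructed sample log (not real telemetry). Tab-separated fields:
# UtcTime, Computer, User, Image, CommandLine, roughly what a Sysmon Event ID 1
# or Windows 4688 export carries. Only WS02 shows a chain of discovery commands.
SAMPLE_LOG = """\
2024-05-06 09:00:03\tWS01\tCORP\\alice\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -NoProfile -Command Get-Printer
2024-05-06 09:01:40\tWS01\tCORP\\alice\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\alice\\notes.txt
2024-05-06 13:02:11\tWS02\tCORP\\bob\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic path Win32_PnPEntity get Name,DeviceID
2024-05-06 13:02:58\tWS02\tCORP\\bob\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -c "Get-CimInstance Win32_DiskDrive | Select Model,InterfaceType,SerialNumber"
2024-05-06 13:04:20\tWS02\tCORP\\bob\tC:\\Windows\\System32\\fsutil.exe\tfsutil fsinfo drives
2024-05-06 13:05:02\tWS02\tCORP\\bob\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir E:\\
"""


def parse_log(text):
    """Turn the tab-separated export into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, computer, user, image, cmdline = line.split("\t", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "computer": computer, "user": user, "image": image, "cmdline": cmdline,
        })
    return events


def classify(cmdline):
    """Return the discovery tags matched by one command line (empty if none)."""
    return [tag for tag, rx in DISCOVERY_PATTERNS if rx.search(cmdline)]


def find_clusters(events, window=timedelta(minutes=5), min_distinct=2):
    """Alert per (computer, user) when at least `min_distinct` different
    discovery behaviours occur within `window`. A lone match is not alerted on,
    following the page's advice to look for a chain of behaviour."""
    by_actor = defaultdict(list)
    for ev in events:
        tags = classify(ev["cmdline"])
        if tags:
            by_actor[(ev["computer"], ev["user"])].append((ev["time"], tags, ev["cmdline"]))
    alerts = []
    for (computer, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            distinct = {tag for _, tags, _ in in_window for tag in tags}
            if len(distinct) >= min_distinct:
                alerts.append({
                    "computer": computer, "user": user,
                    "start": t0, "end": in_window[-1][0],
                    "behaviours": sorted(distinct),
                    "command_lines": [c for _, _, c in in_window],
                })
                break  # one alert per actor is enough for this example
    return alerts


if __name__ == "__main__":
    for a in find_clusters(parse_log(SAMPLE_LOG)):
        print(f"[ALERT] {a['computer']} {a['user']} "
              f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S} {', '.join(a['behaviours'])}")
        for c in a["command_lines"]:
            print("   ", c)
```

Run against the constructed log, WS01 produces no alert (a single Get-Printer is a normal admin action) while WS02 is flagged for three different enumeration behaviours inside three minutes. The limitation matches the caveat in the text above: implants such as those in the Examples list that listen for WM_DEVICECHANGE or call the Windows API directly never spawn a command line, so command-line matching only covers discovery done through interpreters and built-in utilities; API-level activity needs a different sensor.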

References