
Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

ID: T1120
Tactic: Discovery
Platform: Windows
Permissions Required: User, Administrator, SYSTEM
Version: 1.0


Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Procedure Examples

ADVSTORESHELL: ADVSTORESHELL can list connected devices. [1]
APT28: APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim. [16]
APT37: APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. [19]
BADNEWS: BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message. [2] [3]
BlackEnergy: BlackEnergy can gather very specific information about attached USB devices, including device instance ID and drive geometry. [4]
Equation: Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware. [18]
FlawedAmmyy: FlawedAmmyy will attempt to detect if a usable smart card is currently inserted into a card reader. [14]
Gamaredon Group: Gamaredon Group tools contained an application to check the performance of USB flash drives. [17]
jRAT: jRAT can map UPnP ports. [13]
MoonWind: MoonWind obtains the number of removable drives from the victim. [11]
njRAT: njRAT will attempt to detect if the victim system has a camera during the initial infection. [15]
Prikormka: A module in Prikormka collects information on available printers and disk drives. [10]
RTM: RTM can obtain a list of smart card readers attached to the victim. [5]
T9000: T9000 searches through connected drives for removable storage devices. [6]
USBStealer: USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system. [8]
WannaCry: WannaCry contains a thread that will attempt to scan for newly attached drives every few seconds. If one is identified, it will encrypt the files on the attached device. [12]
XAgentOSX: XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/. [7]
Zebrocy: Zebrocy enumerates information about connected storage devices. [9]


Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
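As an added example (not part of the ATT&CK page or of any referenced tool), the Python below applies the detection guidance above, including the "chain of behavior" point, to a handful of constructed process-creation records shaped like Windows Security 4688 / Sysmon Event ID 1 fields. It flags command lines that call the built-in Windows tools and WMI/CIM classes used to enumerate drives, USB, printer and Plug and Play devices, marks hits from a constructed baseline inventory account as informational, raises hits whose parent is an Office application or script host, and groups bursts of discovery commands from one account on one host into a single cluster instead of reporting each command in isolation. The field names, host and account names, the baseline list and the thresholds are assumptions of this example; the tool and class names in the regexes are real Windows identifiers.

```python
"""Flag peripheral device discovery (T1120) in process-creation events.

Added example, not from the ATT&CK page. Records are constructed to resemble
Windows 4688 / Sysmon EID 1 fields: ts, host, user, parent, cmd.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes for Windows built-ins commonly used to enumerate attached devices and
# drives. Tool and WMI class names are real; the grouping into rules is this
# example's own choice and is deliberately narrow to keep false positives down.
WMI_CLASSES = r"Win32_(?:PnPEntity|USBHub|USBControllerDevice|DiskDrive|LogicalDisk|Printer|CDROMDrive)"
DISCOVERY_RULES = {
    "ps_get_pnpdevice": re.compile(r"\bGet-PnpDevice\b", re.I),
    "ps_wmi_cim":       re.compile(r"\b(?:Get-WmiObject|gwmi|Get-CimInstance|gcim)\b.*" + WMI_CLASSES, re.I),
    "wmic_devices":     re.compile(r"\bwmic(?:\.exe)?\b.*\b(?:diskdrive|logicaldisk|printer|cdrom|path\s+" + WMI_CLASSES + r")", re.I),
    "fsutil_drives":    re.compile(r"\bfsutil(?:\.exe)?\s+fsinfo\s+drives\b", re.I),
    "driverquery":      re.compile(r"\bdriverquery(?:\.exe)?\b", re.I),
    "pnputil_enum":     re.compile(r"\bpnputil(?:\.exe)?\b.*/enum-devices\b", re.I),
}

# Parents that should rarely spawn device enumeration: Office apps and script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
# Accounts whose scheduled inventory jobs legitimately enumerate devices (constructed).
BASELINE_USERS = {"ACME\\svc_inventory"}

CLUSTER_WINDOW = timedelta(minutes=5)   # assumption: burst window for correlation
CLUSTER_MIN_HITS = 3                    # assumption: hits needed to call it a burst

# Constructed sample events (JSON lines); not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2019-10-01T09:12:03", "host": "WS-FIN-07", "user": "ACME\\alice", "parent": "explorer.exe", "cmd": "powershell.exe -NoProfile -Command Get-PnpDevice -Class DiskDrive"}
{"ts": "2019-10-01T09:12:05", "host": "WS-FIN-07", "user": "ACME\\alice", "parent": "powershell.exe", "cmd": "powershell.exe -Command \"Get-WmiObject -Class Win32_USBHub\""}
{"ts": "2019-10-01T09:12:09", "host": "WS-FIN-07", "user": "ACME\\alice", "parent": "cmd.exe", "cmd": "wmic logicaldisk get caption,drivetype"}
{"ts": "2019-10-01T09:12:11", "host": "WS-FIN-07", "user": "ACME\\alice", "parent": "cmd.exe", "cmd": "fsutil fsinfo drives"}
{"ts": "2019-10-01T09:40:00", "host": "WS-FIN-07", "user": "ACME\\alice", "parent": "explorer.exe", "cmd": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""}
{"ts": "2019-10-01T10:02:44", "host": "SRV-PRINT-01", "user": "ACME\\svc_inventory", "parent": "services.exe", "cmd": "powershell.exe -NoProfile -Command Get-CimInstance -ClassName Win32_Printer"}
{"ts": "2019-10-01T11:15:20", "host": "WS-HR-02", "user": "ACME\\bob", "parent": "WINWORD.EXE", "cmd": "cmd.exe /c driverquery /v"}
"""


def classify(cmdline):
    """Return the names of every discovery rule the command line matches."""
    return [name for name, rx in DISCOVERY_RULES.items() if rx.search(cmdline)]


def score_hit(event):
    """Severity for one event: baseline accounts are informational, Office or
    script-host parents are high, anything else starts low and relies on
    clustering to be promoted."""
    if event["user"] in BASELINE_USERS:
        return "info"
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        return "high"
    return "low"


def cluster_hits(hits):
    """Group non-baseline hits per (host, user); CLUSTER_MIN_HITS or more
    inside CLUSTER_WINDOW become one high-severity cluster."""
    by_actor = defaultdict(list)
    for h in hits:
        if h["severity"] != "info":
            by_actor[(h["host"], h["user"])].append(h)
    clusters = []
    for (host, user), items in by_actor.items():
        items.sort(key=lambda h: h["ts"])
        groups, current = [], [items[0]]
        for h in items[1:]:
            if h["ts"] - current[0]["ts"] <= CLUSTER_WINDOW:
                current.append(h)
            else:
                groups.append(current)
                current = [h]
        groups.append(current)
        for g in groups:
            if len(g) >= CLUSTER_MIN_HITS:
                clusters.append({"host": host, "user": user, "count": len(g),
                                 "start": g[0]["ts"], "end": g[-1]["ts"],
                                 "rules": sorted({r for h in g for r in h["rules"]}),
                                 "severity": "high"})
    return clusters


def analyze(jsonl):
    """Parse JSON-lines process events; return flagged hits and actor clusters."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        rules = classify(ev["cmd"])
        if not rules:
            continue
        hits.append({"ts": datetime.fromisoformat(ev["ts"]), "host": ev["host"],
                     "user": ev["user"], "parent": ev["parent"], "rules": rules,
                     "cmd": ev["cmd"], "severity": score_hit(ev)})
    return {"hits": hits, "clusters": cluster_hits(hits)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f"{h['ts']} {h['host']} {h['user']} [{h['severity']}] {','.join(h['rules'])}: {h['cmd']}")
    for c in result["clusters"]:
        print(f"CLUSTER {c['host']} {c['user']} {c['count']} hits {c['start']}..{c['end']} {c['rules']}")
```

On the sample input the four commands alice runs within eight seconds collapse into one high-severity cluster, bob's single driverquery is high on its own because Word spawned it, and the inventory service account's printer query is recorded but not alerted. Against real telemetry the rule set needs the same tuning: command-line logging must be enabled for 4688 or Sysmon to be useful, RATs that call the Windows API directly (as several of the examples above do) leave no command line to match, and the baseline list should be built from observed inventory and asset-management jobs rather than guessed.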