Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

ID: T1120

Tactic: Discovery

Platform: Windows

Permissions Required: User, Administrator, SYSTEM

Version: 1.0

Examples

ADVSTORESHELL can list connected devices.[1]

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[2]

BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.[3][4]

BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.[5]

Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.[6]

Gamaredon Group tools contained an application to check performance of USB flash drives.[7]

jRAT can map UPnP ports.[8]

MoonWind obtains the number of removable drives from the victim.[9]

A module in Prikormka collects information on available printers and disk drives.[10]

RTM can obtain a list of smart card readers attached to the victim.[11]

T9000 searches through connected drives for removable storage devices.[12]

USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[13]

WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.[14]

XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.[15]

Zebrocy enumerates information about connected storage devices.[16]


Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting tools,[17] like AppLocker,[18][19] or Software Restriction Policies[20] where appropriate.[21]


Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
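As an added example (not code from the MITRE page or from any of the cited reports), the following Python script applies the chain-of-behavior view from the Detection section to the behaviors catalogued in the Examples: it tags constructed process-creation and Security-log records for device-arrival events and for drive, printer or PnP enumeration through WMI, wmic and PowerShell, then groups the tagged records per host into time windows and alerts only when a window holds several events of more than one kind. The record field names (host, time, event_id, image, cmdline), the sample records and the regular expressions are this example's own assumptions; Security event 6416 is the real Windows "A new external device was recognized by the system" event, which is only logged when Audit PnP Activity is enabled.

```python
"""Chain-of-behaviour detection for peripheral device discovery (T1120).

Added example, not code from the MITRE page. Input records are constructed
samples shaped loosely like Sysmon process-creation and Windows Security
events; the field names (host, time, event_id, image, cmdline) are this
example's own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event 6416 ("A new external device was recognized by the
# system") is logged on device arrival when Audit PnP Activity is enabled; it is
# the defender-side counterpart of the WM_DEVICECHANGE listeners in the Examples.
DEVICE_ARRIVAL_EVENT_IDS = {6416}

# Command-line fragments that enumerate drives, printers or PnP devices through
# WMI or PowerShell, the channels the Detection section calls out. The patterns
# are this example's assumptions, not a vetted rule set.
DISCOVERY_PATTERNS = [
    (re.compile(p, re.IGNORECASE), tag) for p, tag in [
        (r"\bwin32_(diskdrive|logicaldisk|volume|usbhub|usbcontrollerdevice|pnpentity|printer)\b",
         "wmi-device-class"),
        (r"\bget-(pnpdevice|psdrive|disk|volume|printer)\b", "powershell-device-cmdlet"),
        (r"\bwmic(\.exe)?\b.*\b(diskdrive|logicaldisk|volume|printer)\b", "wmic-device-query"),
        (r"\bfsutil\s+fsinfo\s+drives\b", "fsutil-drives"),
    ]
]


def classify(event):
    """Return the T1120-relevant tags for one event (empty list if none)."""
    tags = []
    if event.get("event_id") in DEVICE_ARRIVAL_EVENT_IDS:
        tags.append("device-arrival")
    cmdline = event.get("cmdline") or ""
    for pattern, tag in DISCOVERY_PATTERNS:
        if pattern.search(cmdline):
            tags.append(tag)
    return tags


def _emit(host, chain, min_steps):
    """Turn one per-host chain into an alert if it is long and varied enough."""
    distinct = {t for _, tags in chain for t in tags}
    if len(chain) >= min_steps and len(distinct) >= 2:
        return [{
            "host": host,
            "start": chain[0][0]["time"],
            "end": chain[-1][0]["time"],
            "images": sorted({ev.get("image") or "<none>" for ev, _ in chain}),
            "tags": sorted(distinct),
        }]
    return []


def find_chains(events, window=timedelta(minutes=5), min_steps=2):
    """Group tagged events per host into time windows and return the windows
    holding at least `min_steps` events with two or more distinct tags.
    A single drive listing is routine admin noise; a device arrival followed by
    enumeration, or two different enumeration channels, is the chain to review."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        tags = classify(ev)
        if tags:
            by_host[ev["host"]].append((ev, tags))

    alerts = []
    for host, tagged in by_host.items():
        chain = []
        for ev, tags in tagged:
            # Start a new window once the chain's first event is too old.
            if chain and ev["time"] - chain[0][0]["time"] > window:
                alerts.extend(_emit(host, chain, min_steps))
                chain = []
            chain.append((ev, tags))
        alerts.extend(_emit(host, chain, min_steps))
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: USB arrival, then two different enumeration channels within a minute.
    {"host": "WS01", "time": _t("2024-03-04T10:00:00"), "event_id": 6416, "image": "", "cmdline": ""},
    {"host": "WS01", "time": _t("2024-03-04T10:00:31"), "event_id": 1,
     "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "cmdline": "wmic logicaldisk get caption,drivetype,volumeserialnumber"},
    {"host": "WS01", "time": _t("2024-03-04T10:01:05"), "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_USBHub"'},
    # WS02: a lone drive listing by an administrator, nothing else in the window.
    {"host": "WS02", "time": _t("2024-03-04T10:02:00"), "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-PSDrive -PSProvider FileSystem"},
    # WS03: ordinary process creation with no device enumeration at all.
    {"host": "WS03", "time": _t("2024-03-04T10:03:00"), "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (a five-minute window, at least two events carrying two distinct tags) are the part worth tuning: they keep a single `Get-PSDrive` from an administrator below the alert line while still surfacing an arrival-then-enumeration sequence from an unusual image path, which is the "chain of behavior" framing the Detection section asks for. In production the same classification would run over Sysmon Event ID 1 or Security 4688 with command-line auditing, and an allowlist of management images would be applied before chaining.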