Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Peripheral Device Discovery
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Peripheral Device Discovery
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

ID: T1120
Tactic(s): Discovery
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Version: 1.4
Created: 31 May 2017
Last Modified: 25 Apr 2025

Procedure Examples
Name Description
QuietSieve

QuietSieve can identify and search removable drives for specific file name extensions.(Citation: Microsoft Actinium February 2022)
Stuxnet

Stuxnet enumerates removable drives for infection.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
SharpDisco

SharpDisco has dropped a plugin to monitor external drives to `C:\Users\Public\It3.exe`.(Citation: MoustachedBouncer ESET August 2023)
Crimson

Crimson has the ability to discover pluggable/removable drives to extract files from.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)
Turian

Turian can scan for removable media to collect data.(Citation: ESET BackdoorDiplomacy Jun 2021)
Machete

Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.(Citation: ESET Machete July 2019)

Prikormka

A module in Prikormka collects information on available printers and disk drives.(Citation: ESET Operation Groundbait)
FlawedAmmyy

FlawedAmmyy will attempt to detect if a usable smart card is current inserted into a card reader.(Citation: Proofpoint TA505 Mar 2018)
WastedLocker

WastedLocker can enumerate removable drives prior to the encryption process.(Citation: Sentinel Labs WastedLocker July 2020)
AcidPour

AcidPour includes functionality to identify MMC and SD cards connected to the victim device.(Citation: SentinelOne AcidPour 2024)
CHIMNEYSWEEP

CHIMNEYSWEEP can monitor for removable drives.(Citation: Mandiant ROADSWEEP August 2022)
Ragnar Locker

Ragnar Locker may attempt to connect to removable drives and mapped network drives.(Citation: Sophos Ragnar May 2020)
BlackEnergy

BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.(Citation: Securelist BlackEnergy Nov 2014)
ObliqueRAT

ObliqueRAT can discover pluggable/removable drives to extract files from.(Citation: Talos Oblique RAT March 2021)
DarkWatchman

DarkWatchman can list signed PnP drivers for smartcard readers.(Citation: Prevailion DarkWatchman 2021)
DustySky

DustySky can detect connected USB devices.(Citation: Kaspersky MoleRATs April 2019)
Mongall

Mongall can identify removable media attached to compromised hosts.(Citation: SentinelOne Aoqin Dragon June 2022)

LockBit 3.0

LockBit 3.0 has the ability to discover external storage devices.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)
SVCReady

SVCReady can check for the number of devices plugged into an infected host.(Citation: HP SVCReady Jun 2022)
Ferocious

Ferocious can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present.(Citation: Kaspersky WIRTE November 2021)
USBferry

USBferry can check for connected USB devices.(Citation: TrendMicro Tropic Trooper May 2020)
WannaCry

WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.(Citation: FireEye WannaCry 2017)
Bandook

Bandook can detect USB devices.(Citation: EFF Manul Aug 2016)
T9000

T9000 searches through connected drives for removable storage devices.(Citation: Palo Alto T9000 Feb 2016)
Attor

Attor has a plugin that collects information about inserted storage devices, modems, and phone devices.(Citation: ESET Attor Oct 2019)
NightClub

NightClub has the ability to monitor removable drives.(Citation: MoustachedBouncer ESET August 2023)
Crutch

Crutch can monitor for removable drives being plugged into the compromised machine.(Citation: ESET Crutch December 2020)
RTM

RTM can obtain a list of smart card readers attached to the victim.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)
MoonWind

MoonWind obtains the number of removable drives from the victim.(Citation: Palo Alto MoonWind March 2017)
LockBit 2.0

LockBit 2.0 has the ability to identify mounted external storage devices.(Citation: FBI Lockbit 2.0 FEB 2022)
Zebrocy

Zebrocy enumerates information about connected storage devices.(Citation: Unit42 Cannon Nov 2018)
Cadelspy

Cadelspy has the ability to steal information about printers and the documents sent to printers.(Citation: Symantec Chafer Dec 2015)
USBStealer

USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.(Citation: ESET Sednit USBStealer 2014)
TajMahal

TajMahal has the ability to identify connected Apple devices.(Citation: Kaspersky TajMahal April 2019)
Ramsay

Ramsay can scan for removable media which may contain documents for collection.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

FunnyDream

The FunnyDream FilepakMonitor component can detect removable drive insertion.(Citation: Bitdefender FunnyDream Campaign November 2020)
ROADSWEEP

ROADSWEEP can identify removable drives attached to the victim's machine.(Citation: Mandiant ROADSWEEP August 2022)
njRAT

njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)
Heyoka Backdoor

Heyoka Backdoor can identify removable media attached to victim's machines.(Citation: SentinelOne Aoqin Dragon June 2022)
BADNEWS

BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)
QakBot

QakBot can identify peripheral devices on targeted systems.(Citation: Trend Micro Qakbot May 2020)
jRAT

jRAT can map UPnP ports.(Citation: Kaspersky Adwind Feb 2016)
INC Ransomware

INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.(Citation: Cybereason INC Ransomware November 2023)
ADVSTORESHELL

ADVSTORESHELL can list connected devices.(Citation: ESET Sednit Part 2)
APT28

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19)
Turla

Turla has used fsutil fsinfo drives to list connected drives.(Citation: ESET ComRAT May 2020)
Operation Wocao

Operation Wocao has discovered removable disks attached to a system.(Citation: FoxIT Wocao December 2019)
Gamaredon Group

Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)
Equation

Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.(Citation: Kaspersky Equation QA)
OilRig

OilRig has used tools to identify if a mouse is connected to a targeted system.(Citation: Check Point APT34 April 2021)
APT37

APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. (Citation: Securelist ScarCruft May 2019)
BackdoorDiplomacy

BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.(Citation: ESET BackdoorDiplomacy Jun 2021)
Volt Typhoon

Volt Typhoon has obtained victim's screen dimension and display device information.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
TeamTNT

TeamTNT has searched for attached VGA devices using lspci.(Citation: Cisco Talos Intelligence Group)

Mitigations
Mitigation Description
Peripheral Device Discovery Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  2. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  3. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  4. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  5. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  6. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  7. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  8. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  9. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  10. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  11. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  12. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  13. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  14. Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
  15. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  16. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  17. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  18. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  19. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  20. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  21. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  22. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  23. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  24. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  25. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  26. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  27. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  28. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  29. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  30. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  31. Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024.
  32. Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.
  33. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  34. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  35. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  36. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  37. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  38. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  39. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  40. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  41. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  42. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  43. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  44. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  45. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  46. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  47. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  48. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  49. SS64. (n.d.). system_profiler. Retrieved March 11, 2022.
  50. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  51. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  52. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  53. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  54. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  55. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  56. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  57. Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.
  58. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  59. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  60. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.