Peripheral Device Discovery
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Procedure Examples

Name | Description |
---|---|
INC Ransomware | INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.(Citation: Cybereason INC Ransomware November 2023) |
Equation | Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.(Citation: Kaspersky Equation QA) |
| | During Operation CuckooBees, the threat actors used the `fsutil fsinfo drives` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022) |
APT37 | APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. (Citation: Securelist ScarCruft May 2019) |
jRAT | jRAT can map UPnP ports.(Citation: Kaspersky Adwind Feb 2016) |
Crutch | Crutch can monitor for removable drives being plugged into the compromised machine.(Citation: ESET Crutch December 2020) |
FunnyDream | The FunnyDream FilepakMonitor component can detect removable drive insertion.(Citation: Bitdefender FunnyDream Campaign November 2020) |
CHIMNEYSWEEP | CHIMNEYSWEEP can monitor for removable drives.(Citation: Mandiant ROADSWEEP August 2022) |
njRAT | njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
Mongall | Mongall can identify removable media attached to compromised hosts.(Citation: SentinelOne Aoqin Dragon June 2022) |
Prikormka | A module in Prikormka collects information on available printers and disk drives.(Citation: ESET Operation Groundbait) |
WannaCry | WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.(Citation: FireEye WannaCry 2017) |
Zebrocy | Zebrocy enumerates information about connected storage devices.(Citation: Unit42 Cannon Nov 2018) |
RTM | RTM can obtain a list of smart card readers attached to the victim.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
ObliqueRAT | ObliqueRAT can discover pluggable/removable drives to extract files from.(Citation: Talos Oblique RAT March 2021) |
Bandook | Bandook can detect USB devices.(Citation: EFF Manul Aug 2016) |
Ramsay | Ramsay can scan for removable media which may contain documents for collection.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020) |
APT28 | APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19) |
USBferry | USBferry can check for connected USB devices.(Citation: TrendMicro Tropic Trooper May 2020) |
MoonWind | MoonWind obtains the number of removable drives from the victim.(Citation: Palo Alto MoonWind March 2017) |
DustySky | DustySky can detect connected USB devices.(Citation: Kaspersky MoleRATs April 2019) |
Attor | Attor has a plugin that collects information about inserted storage devices, modems, and phone devices.(Citation: ESET Attor Oct 2019) |
SVCReady | SVCReady can check for the number of devices plugged into an infected host.(Citation: HP SVCReady Jun 2022) |
Ferocious | Ferocious can run |
BlackEnergy | BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.(Citation: Securelist BlackEnergy Nov 2014) |
Turla | Turla has used |
OilRig | OilRig has used tools to identify if a mouse is connected to a targeted system.(Citation: Check Point APT34 April 2021) |
Crimson | Crimson has the ability to discover pluggable/removable drives to extract files from.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
Stuxnet | Stuxnet enumerates removable drives for infection.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
FlawedAmmyy | FlawedAmmyy will attempt to detect if a usable smart card is currently inserted into a card reader.(Citation: Proofpoint TA505 Mar 2018) |
ADVSTORESHELL | ADVSTORESHELL can list connected devices.(Citation: ESET Sednit Part 2) |
WastedLocker | WastedLocker can enumerate removable drives prior to the encryption process.(Citation: Sentinel Labs WastedLocker July 2020) |
Operation Wocao | Operation Wocao has discovered removable disks attached to a system.(Citation: FoxIT Wocao December 2019) |
QuietSieve | QuietSieve can identify and search removable drives for specific file name extensions.(Citation: Microsoft Actinium February 2022) |
QakBot | QakBot can identify peripheral devices on targeted systems.(Citation: Trend Micro Qakbot May 2020) |
| | During Operation Wocao, threat actors discovered removable disks attached to a system.(Citation: FoxIT Wocao December 2019) |
Machete | Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.(Citation: ESET Machete July 2019) |
ROADSWEEP | ROADSWEEP can identify removable drives attached to the victim's machine.(Citation: Mandiant ROADSWEEP August 2022) |
TeamTNT | TeamTNT has searched for attached VGA devices using lspci.(Citation: Cisco Talos Intelligence Group) |
Volt Typhoon | Volt Typhoon has obtained victim's screen dimension and display device information.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
NightClub | NightClub has the ability to monitor removable drives.(Citation: MoustachedBouncer ESET August 2023) |
Gamaredon Group | Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020) |
BackdoorDiplomacy | BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.(Citation: ESET BackdoorDiplomacy Jun 2021) |
Heyoka Backdoor | Heyoka Backdoor can identify removable media attached to victim's machines.(Citation: SentinelOne Aoqin Dragon June 2022) |
Cadelspy | Cadelspy has the ability to steal information about printers and the documents sent to printers.(Citation: Symantec Chafer Dec 2015) |
Ragnar Locker | Ragnar Locker may attempt to connect to removable drives and mapped network drives.(Citation: Sophos Ragnar May 2020) |
T9000 | T9000 searches through connected drives for removable storage devices.(Citation: Palo Alto T9000 Feb 2016) |
TajMahal | TajMahal has the ability to identify connected Apple devices.(Citation: Kaspersky TajMahal April 2019) |
SharpDisco | SharpDisco has dropped a plugin to monitor external drives to `C:\Users\Public\It3.exe`.(Citation: MoustachedBouncer ESET August 2023) |
Turian | Turian can scan for removable media to collect data.(Citation: ESET BackdoorDiplomacy Jun 2021) |
USBStealer | USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.(Citation: ESET Sednit USBStealer 2014) |
BADNEWS | BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017) |
DarkWatchman | DarkWatchman can list signed PnP drivers for smartcard readers.(Citation: Prevailion DarkWatchman 2021) |
Mitigations

Mitigation | Description |
---|---|
Peripheral Device Discovery Mitigation | Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
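The chain-of-behavior idea above can be sketched as a small detection over process-creation events. This is an added example, not part of the original page: the event fields, the 10-minute window, the three-command threshold and the list of other discovery commands are assumptions, while the peripheral commands come from this page and its references.

```python
import re
from datetime import datetime, timedelta

# Peripheral-discovery commands named on this page or in its references.
PERIPHERAL = {
    "fsutil fsinfo drives": re.compile(r"\bfsutil(\.exe)?\s+fsinfo\s+drives\b", re.I),
    "lspci": re.compile(r"(?:^|[\s/;|&])lspci\b"),
    "lsusb": re.compile(r"(?:^|[\s/;|&])lsusb\b"),
    "system_profiler": re.compile(r"(?:^|[\s/;|&])system_profiler\b"),
}
# Assumption: a minimal set of other discovery commands used to build the chain.
OTHER_DISCOVERY = {name: re.compile(rf"\b{name}(\.exe)?\b", re.I)
                   for name in ("whoami", "systeminfo", "ipconfig")}

def classify(cmdline):
    for kind, table in (("peripheral", PERIPHERAL), ("other", OTHER_DISCOVERY)):
        for label, rx in table.items():
            if rx.search(cmdline):
                return kind, label
    return None

def find_chains(events, window=timedelta(minutes=10), min_distinct=3):
    """Alert on peripheral discovery only when the same host and user ran at
    least min_distinct different discovery commands within the window."""
    hits = [(e, c) for e in events if (c := classify(e["cmdline"]))]
    alerts = []
    for ev, (kind, label) in hits:
        if kind != "peripheral":
            continue
        chain = sorted({c[1] for e, c in hits
                        if (e["host"], e["user"]) == (ev["host"], ev["user"])
                        and abs(e["ts"] - ev["ts"]) <= window})
        if len(chain) >= min_distinct:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "trigger": label, "chain": chain})
    return alerts

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [dict(ts=datetime.fromisoformat(t), host=h, user=u, cmdline=c) for t, h, u, c in [
    ("2024-01-01T10:00:05", "WS01", "alice", "whoami /all"),
    ("2024-01-01T10:00:40", "WS01", "alice", "systeminfo"),
    ("2024-01-01T10:01:10", "WS01", "alice", "cmd.exe /c fsutil fsinfo drives"),
    ("2024-01-01T09:00:00", "SRV02", "ops", "lspci -v"),
    ("2024-01-01T11:00:00", "WS03", "bob", "fsutil fsinfo drives"),
    ("2024-01-01T13:00:00", "WS03", "bob", "whoami"),
]]
```

On the sample data only WS01 alerts: the lone `lspci` on SRV02 and the two WS03 commands two hours apart stay below the threshold, which is the "not in isolation" point in practice.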
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- SS64. (n.d.). system_profiler. Retrieved March 11, 2022.
- Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.
- Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
- Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
- Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
- Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Walter, J. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.