
Peripheral Device Discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

ID: T1120
Tactic(s): Discovery
Platforms: Linux, macOS, Windows
Permissions Required: Administrator, SYSTEM, User
Data Sources: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Version: 1.3
Created: 31 May 2017
Last Modified: 30 Mar 2023

Procedure Examples

Name Description
INC Ransomware

INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.(Citation: Cybereason INC Ransomware November 2023)

Equation

Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.(Citation: Kaspersky Equation QA)

Operation CuckooBees

During Operation CuckooBees, the threat actors used the `fsutil fsinfo drives` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)

APT37

APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. (Citation: Securelist ScarCruft May 2019)

jRAT

jRAT can map UPnP ports.(Citation: Kaspersky Adwind Feb 2016)

Crutch

Crutch can monitor for removable drives being plugged into the compromised machine.(Citation: ESET Crutch December 2020)

FunnyDream

The FunnyDream FilepakMonitor component can detect removable drive insertion.(Citation: Bitdefender FunnyDream Campaign November 2020)

CHIMNEYSWEEP

CHIMNEYSWEEP can monitor for removable drives.(Citation: Mandiant ROADSWEEP August 2022)

njRAT

njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

Mongall

Mongall can identify removable media attached to compromised hosts.(Citation: SentinelOne Aoqin Dragon June 2022)

Prikormka

A module in Prikormka collects information on available printers and disk drives.(Citation: ESET Operation Groundbait)

WannaCry

WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.(Citation: FireEye WannaCry 2017)

Zebrocy

Zebrocy enumerates information about connected storage devices.(Citation: Unit42 Cannon Nov 2018)

RTM

RTM can obtain a list of smart card readers attached to the victim.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

ObliqueRAT

ObliqueRAT can discover pluggable/removable drives to extract files from.(Citation: Talos Oblique RAT March 2021)

Bandook

Bandook can detect USB devices.(Citation: EFF Manul Aug 2016)

Ramsay

Ramsay can scan for removable media which may contain documents for collection.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

APT28

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19)

USBferry

USBferry can check for connected USB devices.(Citation: TrendMicro Tropic Trooper May 2020)

MoonWind

MoonWind obtains the number of removable drives from the victim.(Citation: Palo Alto MoonWind March 2017)

DustySky

DustySky can detect connected USB devices.(Citation: Kaspersky MoleRATs April 2019)

Attor

Attor has a plugin that collects information about inserted storage devices, modems, and phone devices.(Citation: ESET Attor Oct 2019)

SVCReady

SVCReady can check for the number of devices plugged into an infected host.(Citation: HP SVCReady Jun 2022)

Ferocious

Ferocious can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present.(Citation: Kaspersky WIRTE November 2021)

BlackEnergy

BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.(Citation: Securelist BlackEnergy Nov 2014)

Turla

Turla has used `fsutil fsinfo drives` to list connected drives.(Citation: ESET ComRAT May 2020)

OilRig

OilRig has used tools to identify if a mouse is connected to a targeted system.(Citation: Check Point APT34 April 2021)

Crimson

Crimson has the ability to discover pluggable/removable drives to extract files from.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Stuxnet

Stuxnet enumerates removable drives for infection.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

FlawedAmmyy

FlawedAmmyy will attempt to detect if a usable smart card is currently inserted into a card reader.(Citation: Proofpoint TA505 Mar 2018)

ADVSTORESHELL

ADVSTORESHELL can list connected devices.(Citation: ESET Sednit Part 2)

WastedLocker

WastedLocker can enumerate removable drives prior to the encryption process.(Citation: Sentinel Labs WastedLocker July 2020)

Operation Wocao

Operation Wocao has discovered removable disks attached to a system.(Citation: FoxIT Wocao December 2019)

QuietSieve

QuietSieve can identify and search removable drives for specific file name extensions.(Citation: Microsoft Actinium February 2022)

QakBot

QakBot can identify peripheral devices on targeted systems.(Citation: Trend Micro Qakbot May 2020)

During Operation Wocao, threat actors discovered removable disks attached to a system.(Citation: FoxIT Wocao December 2019)

Machete

Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.(Citation: ESET Machete July 2019)

ROADSWEEP

ROADSWEEP can identify removable drives attached to the victim's machine.(Citation: Mandiant ROADSWEEP August 2022)

TeamTNT

TeamTNT has searched for attached VGA devices using lspci.(Citation: Cisco Talos Intelligence Group)

Volt Typhoon

Volt Typhoon has obtained victim's screen dimension and display device information.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

NightClub

NightClub has the ability to monitor removable drives.(Citation: MoustachedBouncer ESET August 2023)

Gamaredon Group

Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)

BackdoorDiplomacy

BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.(Citation: ESET BackdoorDiplomacy Jun 2021)

Heyoka Backdoor

Heyoka Backdoor can identify removable media attached to victim's machines.(Citation: SentinelOne Aoqin Dragon June 2022)

Cadelspy

Cadelspy has the ability to steal information about printers and the documents sent to printers.(Citation: Symantec Chafer Dec 2015)

Ragnar Locker

Ragnar Locker may attempt to connect to removable drives and mapped network drives.(Citation: Sophos Ragnar May 2020)

T9000

T9000 searches through connected drives for removable storage devices.(Citation: Palo Alto T9000 Feb 2016)

TajMahal

TajMahal has the ability to identify connected Apple devices.(Citation: Kaspersky TajMahal April 2019)

SharpDisco

SharpDisco has dropped a plugin to monitor external drives to `C:\Users\Public\It3.exe`.(Citation: MoustachedBouncer ESET August 2023)

Turian

Turian can scan for removable media to collect data.(Citation: ESET BackdoorDiplomacy Jun 2021)

USBStealer

USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.(Citation: ESET Sednit USBStealer 2014)

BADNEWS

BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)

DarkWatchman

DarkWatchman can list signed PnP drivers for smartcard readers.(Citation: Prevailion DarkWatchman 2021)

Mitigations

Mitigation Description
Peripheral Device Discovery Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
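The correlation described above can be sketched as follows. This is an added example, not part of the ATT&CK entry: it matches process command lines against peripheral-discovery patterns and flags a host only when several different patterns fire close together. `fsutil fsinfo drives` and `lspci` come from the procedure examples on this page; the other patterns, the event field names, the host names and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# `fsutil fsinfo drives` and `lspci` are named on this page; the remaining
# patterns are assumptions covering common OS-native device listings.
RULES = {
    "fsutil_drives": re.compile(r"\bfsutil(\.exe)?\s+fsinfo\s+drives\b", re.I),
    "lspci": re.compile(r"(^|[\s/;|&])lspci\b"),
    "lsusb": re.compile(r"(^|[\s/;|&])lsusb\b"),
    "system_profiler": re.compile(
        r"\bsystem_profiler\b.*\bSP(USB|Bluetooth|Printers|Camera)DataType\b", re.I),
    "wmi_device": re.compile(
        r"\bWin32_(PnPEntity|USBHub|Printer|DiskDrive|LogicalDisk)\b", re.I),
    "ps_device": re.compile(r"\bGet-(PnpDevice|Printer)\b", re.I),
}

# Constructed process-creation events (hypothetical hosts and field names).
EVENTS = [
    {"host": "ws-01", "time": "2024-05-01T10:00:05", "cmdline": "cmd.exe /c fsutil fsinfo drives"},
    {"host": "ws-01", "time": "2024-05-01T10:01:40", "cmdline": 'powershell -c "Get-CimInstance Win32_PnPEntity"'},
    {"host": "ws-01", "time": "2024-05-01T10:02:10", "cmdline": "ipconfig /all"},
    {"host": "ws-02", "time": "2024-05-01T09:00:00", "cmdline": "fsutil fsinfo drives"},
    {"host": "ws-02", "time": "2024-05-01T15:30:00", "cmdline": "powershell Get-Printer"},
    {"host": "lx-07", "time": "2024-05-01T11:15:00", "cmdline": "sh -c lspci | grep -i vga"},
    {"host": "lx-07", "time": "2024-05-01T11:15:02", "cmdline": "/usr/bin/lsusb -v"},
]

def match_rules(cmdline):
    """Return the names of all rules whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def find_chains(events, window=timedelta(minutes=10), min_distinct=2):
    """Flag hosts where at least min_distinct different rules fire within window."""
    hits = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        for rule in match_rules(ev["cmdline"]):
            hits[ev["host"]].append((ts, rule))
    flagged = {}
    for host, items in hits.items():
        items.sort()  # chronological order per host
        for i, (start, _) in enumerate(items):
            rules = {r for t, r in items[i:] if t - start <= window}
            if len(rules) >= min_distinct:
                flagged[host] = sorted(rules)
                break
    return flagged

if __name__ == "__main__":
    for host, rules in find_chains(EVENTS).items():
        print(host, rules)
```

A single match, such as the lone `fsutil fsinfo drives` on `ws-02`, is common administrative activity; the chain on `ws-01` and `lx-07` is what warrants review alongside the parent process and user.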

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. SS64. (n.d.). system_profiler. Retrieved March 11, 2022.
  3. Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.
  4. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  5. Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.
  6. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  7. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  8. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  9. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  10. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  11. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  12. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  13. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  14. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  15. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  16. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  17. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  18. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  19. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  20. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  21. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  22. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  23. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  24. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  25. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  26. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  27. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  28. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  29. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  30. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  31. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  32. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  33. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  34. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  35. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  36. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  37. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  38. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  39. Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
  40. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  41. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  42. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  43. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  44. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  45. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  46. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  47. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  48. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  49. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  50. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  51. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  52. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  53. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  54. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  55. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  56. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  57. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
