T1120 Peripheral Device Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PeripheralWMIClasses = dynamic([
  "Win32_USBHub", "Win32_USBController", "Win32_DiskDrive",
  "Win32_PhysicalMedia", "Win32_CDROMDrive",
  "Win32_PrinterConfiguration", "Win32_Printer",
  "Win32_PnPEntity", "Win32_SoundDevice"
]);
let RegistryUSBPaths = dynamic(["USBSTOR", "Enum\\USB"]);
let ProcessDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("logicaldisk", "diskdrive", "USBHub", "USBController", "PhysicalMedia", "CDROMDrive", "printer", "Win32_USB", "PnPEntity"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PeripheralWMIClasses))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-PnpDevice", "[System.IO.DriveInfo]::GetDrives", "Get-Volume", "Get-Disk"))
    or (FileName =~ "fsutil.exe" and ProcessCommandLine has "fsinfo drives")
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any (RegistryUSBPaths))
)
| extend EnumerationType = case(
    ProcessCommandLine has_any ("USBHub", "USBSTOR", "USBController", "Win32_DiskDrive"), "USB_Device",
    ProcessCommandLine has_any ("printer", "Win32_Printer", "PrinterConfiguration"), "Printer",
    ProcessCommandLine has_any ("logicaldisk", "LogicalDisk", "fsinfo drives", "DriveInfo", "Get-Volume", "Get-Disk", "PhysicalMedia"), "Drive_Enumeration",
    ProcessCommandLine has_any ("PnpDevice", "PnPEntity", "CDROMDrive", "SoundDevice"), "PnP_Device",
    ProcessCommandLine has_any (RegistryUSBPaths), "USB_Registry_Enum",
    "General_Peripheral"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, EnumerationType;
let RegistryDiscovery = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (RegistryUSBPaths)
| where ActionType in ("RegistryKeyQueried", "RegistryValueQueried")
| where InitiatingProcessFileName !in~ ("svchost.exe", "services.exe", "System", "MsMpEng.exe", "TrustedInstaller.exe", "WmiPrvSE.exe")
| extend EnumerationType = "USB_Registry_Enum"
| project Timestamp, DeviceName,
         AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName=InitiatingProcessParentFileName,
         InitiatingProcessCommandLine=InitiatingProcessParentCommandLine,
         EnumerationType;
union ProcessDiscovery, RegistryDiscovery
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

IT asset management and hardware inventory tools (SCCM hardware inventory running under CcmExec.exe, Tanium, Lansweeper, Spiceworks) that periodically query WMI for device configuration
Disk health and monitoring software (CrystalDiskInfo, SMART monitoring agents, backup software like Veeam or Acronis) that enumerate drives at startup or on schedule
Help desk and remote support tools (TeamViewer, ConnectWise, Dameware) that collect hardware information automatically when a session starts
Data Loss Prevention (DLP) agents that legitimately monitor USB connections will themselves query USBSTOR registry paths and WMI USB classes — identify DLP agent executables and exclude them
Legitimate system administration scripts using Get-PnpDevice or wmic for driver troubleshooting and device inventory audits

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\wmic.exe" AND (
    CommandLine="*logicaldisk*" OR CommandLine="*diskdrive*" OR
    CommandLine="*USBHub*" OR CommandLine="*USBController*" OR
    CommandLine="*PhysicalMedia*" OR CommandLine="*CDROMDrive*" OR
    CommandLine="*Win32_USB*" OR CommandLine="*PnPEntity*" OR
    CommandLine="*printer*"
  ))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (
    CommandLine="*Win32_DiskDrive*" OR CommandLine="*Win32_USBHub*" OR
    CommandLine="*Win32_USBController*" OR CommandLine="*Get-PnpDevice*" OR
    CommandLine="*Win32_LogicalDisk*" OR CommandLine="*Win32_Printer*" OR
    CommandLine="*Win32_CDROMDrive*" OR CommandLine="*Win32_PnPEntity*" OR
    CommandLine="*DriveInfo*" OR CommandLine="*Get-Volume*" OR CommandLine="*Get-Disk*"
  ))
  OR (Image="*\\fsutil.exe" AND CommandLine="*fsinfo drives*")
  OR (Image="*\\reg.exe" AND (CommandLine="*USBSTOR*" OR CommandLine="*Enum\\USB*"))
)
| eval USBEnum=if(match(CommandLine, "(?i)(USBHub|USBController|Win32_USBController|Win32_DiskDrive|USBSTOR|Win32_USBHub)"), 1, 0)
| eval PrinterEnum=if(match(CommandLine, "(?i)(printer|Win32_Printer|PrinterConfiguration)"), 1, 0)
| eval DriveEnum=if(match(CommandLine, "(?i)(logicaldisk|Win32_LogicalDisk|fsinfo\s+drives|DriveInfo|Get-Volume|Get-Disk|PhysicalMedia)"), 1, 0)
| eval PnPEnum=if(match(CommandLine, "(?i)(PnpDevice|PnPEntity|CDROMDrive|Win32_SoundDevice)"), 1, 0)
| eval RegistryEnum=if(match(CommandLine, "(?i)(USBSTOR|Enum.USB)"), 1, 0)
| eval EnumerationType=case(
    USBEnum=1, "USB_Device",
    PrinterEnum=1, "Printer",
    DriveEnum=1, "Drive_Enumeration",
    PnPEnum=1, "PnP_Device",
    RegistryEnum=1, "USB_Registry_Enum",
    true(), "General_Peripheral"
  )
| eval SuspicionScore=USBEnum + PrinterEnum + DriveEnum + PnPEnum + RegistryEnum
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EnumerationType, USBEnum, PrinterEnum, DriveEnum, PnPEnum, RegistryEnum, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT asset management and hardware inventory tools (SCCM hardware inventory running under CcmExec.exe, Tanium, Lansweeper, Spiceworks) that periodically query WMI for device configuration
Disk health and monitoring software (CrystalDiskInfo, SMART monitoring agents, backup software like Veeam or Acronis) that enumerate drives at startup or on schedule
Help desk and remote support tools (TeamViewer, ConnectWise, Dameware) that collect hardware information automatically when a session starts
Data Loss Prevention (DLP) agents that legitimately monitor USB connections will themselves query USBSTOR registry paths and WMI USB classes — identify DLP agent executables and exclude them
Legitimate system administration scripts using Get-PnpDevice or wmic for driver troubleshooting and device inventory audits

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=5m
  [process where event.type == "start" and (
    (process.name : "wmic.exe" and process.args : ("logicaldisk", "diskdrive", "USBHub", "USBController", "PhysicalMedia", "CDROMDrive", "Win32_USB*", "PnPEntity", "printer")) or
    (process.name : ("powershell.exe", "pwsh.exe") and process.args : ("Win32_USBHub", "Win32_USBController", "Win32_DiskDrive", "Win32_PhysicalMedia", "Win32_CDROMDrive", "Win32_PrinterConfiguration", "Win32_Printer", "Win32_PnPEntity", "Win32_SoundDevice", "Get-PnpDevice", "Get-PnpDevice", "DriveInfo", "GetDrives", "Get-Volume", "Get-Disk")) or
    (process.name : "fsutil.exe" and process.args : ("fsinfo", "drives")) or
    (process.name : "reg.exe" and process.args : ("USBSTOR", "Enum\\USB"))
  )]

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

IT asset management tools (e.g., Lansweeper, SCCM hardware inventory) that regularly enumerate connected devices using WMI queries
System administrators running diagnostic scripts to inventory USB devices or printers across managed endpoints
Security tools and EDR agents performing hardware fingerprinting or baseline enumeration during system health checks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Command" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Command") MATCHES '.*(?:usbhub|usbcontroller|win32_diskdrive|usbstor|win32_usbhub).*' THEN 'USB_Device'
    WHEN LOWER("Command") MATCHES '.*(?:printer|win32_printer|printerconfiguration).*' THEN 'Printer'
    WHEN LOWER("Command") MATCHES '.*(?:logicaldisk|win32_logicaldisk|fsinfo drives|driveinfo|get-volume|get-disk|physicalmedia).*' THEN 'Drive_Enumeration'
    WHEN LOWER("Command") MATCHES '.*(?:pnpdevice|pnpentity|cdromdrive|win32_sounddevice).*' THEN 'PnP_Device'
    WHEN LOWER("Command") MATCHES '.*(?:usbstor|enum.usb).*' THEN 'USB_Registry_Enum'
    ELSE 'General_Peripheral'
  END AS enumeration_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 232)
  AND (
    ("CommandLine" IMATCHES '.*wmic\.exe.*' AND (
      "CommandLine" IMATCHES '.*(logicaldisk|diskdrive|USBHub|USBController|PhysicalMedia|CDROMDrive|Win32_USB|PnPEntity|printer).*'
    ))
    OR ("CommandLine" IMATCHES '.*(powershell\.exe|pwsh\.exe).*' AND (
      "CommandLine" IMATCHES '.*(Win32_DiskDrive|Win32_USBHub|Win32_USBController|Get-PnpDevice|Win32_LogicalDisk|Win32_Printer|Win32_CDROMDrive|Win32_PnPEntity|DriveInfo|Get-Volume|Get-Disk).*'
    ))
    OR ("CommandLine" IMATCHES '.*fsutil\.exe.*fsinfo drives.*')
    OR ("CommandLine" IMATCHES '.*reg\.exe.*(USBSTOR|Enum\\USB).*')
  )
  AND STARTSWITH(CATEGORYNAME(category), 'Process')
ORDER BY devicetime DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

IBM QRadar with Windows Event Log DSM QRadar with Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Automated hardware inventory scripts run by enterprise management platforms like Microsoft SCCM or Tanium during scheduled collection windows
Help desk technicians remotely diagnosing printer or USB connectivity issues using WMI-based tools
Software installers that enumerate available drives and PnP devices during setup or compatibility checks

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventID=1
| where (
    (toLower(Image) matches "*\\wmic.exe" and (
      toLower(CommandLine) matches "*logicaldisk*" or
      toLower(CommandLine) matches "*diskdrive*" or
      toLower(CommandLine) matches "*usbhub*" or
      toLower(CommandLine) matches "*usbcontroller*" or
      toLower(CommandLine) matches "*physicalmedia*" or
      toLower(CommandLine) matches "*cdromdrive*" or
      toLower(CommandLine) matches "*win32_usb*" or
      toLower(CommandLine) matches "*pnpentity*" or
      toLower(CommandLine) matches "*printer*"
    ))
    or ((toLower(Image) matches "*\\powershell.exe" or toLower(Image) matches "*\\pwsh.exe") and (
      toLower(CommandLine) matches "*win32_usbhub*" or
      toLower(CommandLine) matches "*win32_usbcontroller*" or
      toLower(CommandLine) matches "*win32_diskdrive*" or
      toLower(CommandLine) matches "*get-pnpdevice*" or
      toLower(CommandLine) matches "*win32_logicaldisk*" or
      toLower(CommandLine) matches "*win32_printer*" or
      toLower(CommandLine) matches "*win32_cdromdrive*" or
      toLower(CommandLine) matches "*win32_pnpentity*" or
      toLower(CommandLine) matches "*driveinfo*" or
      toLower(CommandLine) matches "*get-volume*" or
      toLower(CommandLine) matches "*get-disk*"
    ))
    or (toLower(Image) matches "*\\fsutil.exe" and toLower(CommandLine) matches "*fsinfo drives*")
    or (toLower(Image) matches "*\\reg.exe" and (
      toLower(CommandLine) matches "*usbstor*" or
      toLower(CommandLine) matches "*enum\\usb*"
    ))
)
| if (toLower(CommandLine) matches "*(usbhub|usbcontroller|win32_diskdrive|usbstor)*", "USB_Device",
    if (toLower(CommandLine) matches "*(printer|win32_printer|printerconfiguration)*", "Printer",
    if (toLower(CommandLine) matches "*(logicaldisk|fsinfo drives|driveinfo|get-volume|get-disk|physicalmedia)*", "Drive_Enumeration",
    if (toLower(CommandLine) matches "*(pnpdevice|pnpentity|cdromdrive|sounddevice)*", "PnP_Device",
    if (toLower(CommandLine) matches "*(usbstor|enum.usb)*", "USB_Registry_Enum",
    "General_Peripheral"))))) as EnumerationType
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, EnumerationType
| sort by _messagetime desc

medium severity high confidence

Data Sources

Sumo Logic with Windows Sysmon Sumo Logic Cloud SIEM Windows Event Log via Sumo Logic Installed Collector

Required Tables

windows/sysmon

False Positives

Enterprise device management agents (e.g., JAMF, BigFix, PDQ Inventory) that perform periodic hardware discovery using WMI
Backup software enumerating available drives and removable media to determine backup targets or exclusions
Endpoint security products performing hardware attestation or USB device allowlisting checks

Google Chronicle / SecOps

yaral

rule peripheral_device_discovery_t1120 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects peripheral device discovery activity targeting USB, printer, disk, and PnP device enumeration via WMI, PowerShell, fsutil, and registry queries."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1120"
    severity = "MEDIUM"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1120/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(logicaldisk|diskdrive|USBHub|USBController|PhysicalMedia|CDROMDrive|Win32_USB|PnPEntity|printer)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Win32_USBHub|Win32_USBController|Win32_DiskDrive|Win32_PhysicalMedia|Win32_CDROMDrive|Win32_PrinterConfiguration|Win32_Printer|Win32_PnPEntity|Win32_SoundDevice|Get-PnpDevice|GetDrives|Get-Volume|Get-Disk)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\fsutil\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)fsinfo\s+drives`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(USBSTOR|Enum\\USB)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle with Windows Event Log ingestion Chronicle Unified Data Model (UDM) Chronicle with Sysmon log forwarding

Required Tables

UDM events (process launch category)

False Positives

Automated inventory systems using WMI-based discovery to maintain CMDB accuracy in enterprise environments
Remote monitoring and management (RMM) tools like ConnectWise or Kaseya querying device information during agent health checks
PowerShell DSC (Desired State Configuration) scripts auditing hardware compliance against organizational policies

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(wmic|powershell|pwsh|fsutil|reg)\.exe$/
| CommandLine = /(?i)(Win32_USBHub|Win32_USBController|Win32_DiskDrive|Win32_PhysicalMedia|Win32_CDROMDrive|Win32_PrinterConfiguration|Win32_Printer|Win32_PnPEntity|Win32_SoundDevice|Get-PnpDevice|GetDrives|Get-Volume|Get-Disk|logicaldisk|diskdrive|USBHub|USBController|PhysicalMedia|CDROMDrive|PnPEntity|fsinfo drives|USBSTOR|Enum\USB|Win32_USB)/
| case {
    CommandLine = /(?i)(USBHub|USBController|Win32_DiskDrive|USBSTOR|Win32_USBHub)/ | EnumerationType := "USB_Device" ;
    CommandLine = /(?i)(printer|Win32_Printer|PrinterConfiguration)/ | EnumerationType := "Printer" ;
    CommandLine = /(?i)(logicaldisk|Win32_LogicalDisk|fsinfo drives|DriveInfo|Get-Volume|Get-Disk|PhysicalMedia)/ | EnumerationType := "Drive_Enumeration" ;
    CommandLine = /(?i)(PnpDevice|PnPEntity|CDROMDrive|Win32_SoundDevice)/ | EnumerationType := "PnP_Device" ;
    CommandLine = /(?i)(USBSTOR|Enum.USB)/ | EnumerationType := "USB_Registry_Enum" ;
    * | EnumerationType := "General_Peripheral"
  }
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, EnumerationType])
| sort(field=@timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself or other endpoint agents performing hardware inventory during initial deployment or update cycles
Windows Plug and Play service (svchost hosting PlugPlay) triggering WMI queries on device connection events in legitimate workflows
Enterprise software deployment tools (SCCM, Ivanti) running hardware discovery ahead of software compatibility checks or patch management

Peripheral Device Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections