Which SIEM platforms have a T1120 detection rule?

df00tech provides T1120 (Peripheral Device Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1120 detection?

The T1120 detection is rated medium severity with medium confidence.

What are common false positives for T1120?

Common false positives for T1120 include: IT asset management and hardware inventory tools (SCCM hardware inventory running under CcmExec.exe, Tanium, Lansweeper, Spiceworks) that periodically query WMI for device configuration; Disk health and monitoring software (CrystalDiskInfo, SMART monitoring agents, backup software like Veeam or Acronis) that enumerate drives at startup or on schedule; Help desk and remote support tools (TeamViewer, ConnectWise, Dameware) that collect hardware information automatically when a session starts.

T1120

Peripheral Device Discovery

Q: What data sources are required to detect Peripheral Device Discovery (T1120)?

Detecting Peripheral Device Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Windows Registry: Windows Registry Key Access, Microsoft Defender for Endpoint.

Discovery Last updated: April 18, 2026

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions — ransomware families identify removable drives for encryption and printers for ransom note delivery, RATs enumerate cameras and Bluetooth devices for surveillance capability profiling, and APT groups map USB storage history to understand data exfiltration opportunities.

What is T1120 Peripheral Device Discovery?

Peripheral Device Discovery (T1120) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Peripheral Device Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Windows Registry: Windows Registry Key Access, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1120 Peripheral Device Discovery
Canonical reference: https://attack.mitre.org/techniques/T1120/

Microsoft Sentinel / Defender

kusto

let PeripheralWMIClasses = dynamic([
  "Win32_USBHub", "Win32_USBController", "Win32_DiskDrive",
  "Win32_PhysicalMedia", "Win32_CDROMDrive",
  "Win32_PrinterConfiguration", "Win32_Printer",
  "Win32_PnPEntity", "Win32_SoundDevice"
]);
let RegistryUSBPaths = dynamic(["USBSTOR", "Enum\\USB"]);
let ProcessDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("logicaldisk", "diskdrive", "USBHub", "USBController", "PhysicalMedia", "CDROMDrive", "printer", "Win32_USB", "PnPEntity"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PeripheralWMIClasses))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-PnpDevice", "[System.IO.DriveInfo]::GetDrives", "Get-Volume", "Get-Disk"))
    or (FileName =~ "fsutil.exe" and ProcessCommandLine has "fsinfo drives")
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any (RegistryUSBPaths))
)
| extend EnumerationType = case(
    ProcessCommandLine has_any ("USBHub", "USBSTOR", "USBController", "Win32_DiskDrive"), "USB_Device",
    ProcessCommandLine has_any ("printer", "Win32_Printer", "PrinterConfiguration"), "Printer",
    ProcessCommandLine has_any ("logicaldisk", "LogicalDisk", "fsinfo drives", "DriveInfo", "Get-Volume", "Get-Disk", "PhysicalMedia"), "Drive_Enumeration",
    ProcessCommandLine has_any ("PnpDevice", "PnPEntity", "CDROMDrive", "SoundDevice"), "PnP_Device",
    ProcessCommandLine has_any (RegistryUSBPaths), "USB_Registry_Enum",
    "General_Peripheral"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, EnumerationType;
let RegistryDiscovery = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (RegistryUSBPaths)
| where ActionType in ("RegistryKeyQueried", "RegistryValueQueried")
| where InitiatingProcessFileName !in~ ("svchost.exe", "services.exe", "System", "MsMpEng.exe", "TrustedInstaller.exe", "WmiPrvSE.exe")
| extend EnumerationType = "USB_Registry_Enum"
| project Timestamp, DeviceName,
         AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName=InitiatingProcessParentFileName,
         InitiatingProcessCommandLine=InitiatingProcessParentCommandLine,
         EnumerationType;
union ProcessDiscovery, RegistryDiscovery
| sort by Timestamp desc

Detects peripheral device discovery across two event sources. DeviceProcessEvents catches process-level peripheral enumeration: WMIC queries against USB, disk drive, printer, and PnP WMI classes; PowerShell cmdlets Get-PnpDevice, Get-Volume, Get-Disk, and WMI queries; fsutil drive listing; and reg.exe reading USB registry paths. DeviceRegistryEvents catches stealthier registry-based USB device history reads from USBSTOR and USB enumeration paths by non-system processes. Results are classified by enumeration type to help analysts prioritize alerts — USB_Device and USB_Registry_Enum are highest priority, particularly when followed by file write activity.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

IT asset management and hardware inventory tools (SCCM hardware inventory running under CcmExec.exe, Tanium, Lansweeper, Spiceworks) that periodically query WMI for device configuration
Disk health and monitoring software (CrystalDiskInfo, SMART monitoring agents, backup software like Veeam or Acronis) that enumerate drives at startup or on schedule
Help desk and remote support tools (TeamViewer, ConnectWise, Dameware) that collect hardware information automatically when a session starts
Data Loss Prevention (DLP) agents that legitimately monitor USB connections will themselves query USBSTOR registry paths and WMI USB classes — identify DLP agent executables and exclude them
Legitimate system administration scripts using Get-PnpDevice or wmic for driver troubleshooting and device inventory audits

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\wmic.exe" AND (
    CommandLine="*logicaldisk*" OR CommandLine="*diskdrive*" OR
    CommandLine="*USBHub*" OR CommandLine="*USBController*" OR
    CommandLine="*PhysicalMedia*" OR CommandLine="*CDROMDrive*" OR
    CommandLine="*Win32_USB*" OR CommandLine="*PnPEntity*" OR
    CommandLine="*printer*"
  ))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (
    CommandLine="*Win32_DiskDrive*" OR CommandLine="*Win32_USBHub*" OR
    CommandLine="*Win32_USBController*" OR CommandLine="*Get-PnpDevice*" OR
    CommandLine="*Win32_LogicalDisk*" OR CommandLine="*Win32_Printer*" OR
    CommandLine="*Win32_CDROMDrive*" OR CommandLine="*Win32_PnPEntity*" OR
    CommandLine="*DriveInfo*" OR CommandLine="*Get-Volume*" OR CommandLine="*Get-Disk*"
  ))
  OR (Image="*\\fsutil.exe" AND CommandLine="*fsinfo drives*")
  OR (Image="*\\reg.exe" AND (CommandLine="*USBSTOR*" OR CommandLine="*Enum\\USB*"))
)
| eval USBEnum=if(match(CommandLine, "(?i)(USBHub|USBController|Win32_USBController|Win32_DiskDrive|USBSTOR|Win32_USBHub)"), 1, 0)
| eval PrinterEnum=if(match(CommandLine, "(?i)(printer|Win32_Printer|PrinterConfiguration)"), 1, 0)
| eval DriveEnum=if(match(CommandLine, "(?i)(logicaldisk|Win32_LogicalDisk|fsinfo\s+drives|DriveInfo|Get-Volume|Get-Disk|PhysicalMedia)"), 1, 0)
| eval PnPEnum=if(match(CommandLine, "(?i)(PnpDevice|PnPEntity|CDROMDrive|Win32_SoundDevice)"), 1, 0)
| eval RegistryEnum=if(match(CommandLine, "(?i)(USBSTOR|Enum.USB)"), 1, 0)
| eval EnumerationType=case(
    USBEnum=1, "USB_Device",
    PrinterEnum=1, "Printer",
    DriveEnum=1, "Drive_Enumeration",
    PnPEnum=1, "PnP_Device",
    RegistryEnum=1, "USB_Registry_Enum",
    true(), "General_Peripheral"
  )
| eval SuspicionScore=USBEnum + PrinterEnum + DriveEnum + PnPEnum + RegistryEnum
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, EnumerationType, USBEnum, PrinterEnum, DriveEnum, PnPEnum, RegistryEnum, SuspicionScore
| sort - _time

Detects peripheral device discovery using Sysmon Event ID 1 (Process Creation). Identifies WMIC queries for USB hubs, controllers, disk drives, printers, and PnP entities; PowerShell WMI queries using Win32_DiskDrive, Win32_USBHub, Win32_LogicalDisk, Get-PnpDevice, Get-Volume, and Get-Disk; fsutil drive listing; and reg.exe queries to USBSTOR or USB enumeration registry paths. Classifies each detection by enumeration type and assigns a cumulative suspicion score. USB_Device and USB_Registry_Enum types with high suspicion scores warrant immediate investigation, especially when the parent process is an unexpected shell or script interpreter.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT asset management and hardware inventory tools (SCCM hardware inventory running under CcmExec.exe, Tanium, Lansweeper, Spiceworks) that periodically query WMI for device configuration
Disk health and monitoring software (CrystalDiskInfo, SMART monitoring agents, backup software like Veeam or Acronis) that enumerate drives at startup or on schedule
Help desk and remote support tools (TeamViewer, ConnectWise, Dameware) that collect hardware information automatically when a session starts
Data Loss Prevention (DLP) agents that legitimately monitor USB connections will themselves query USBSTOR registry paths and WMI USB classes — identify DLP agent executables and exclude them
Legitimate system administration scripts using Get-PnpDevice or wmic for driver troubleshooting and device inventory audits

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Command" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("Command") MATCHES '.*(?:usbhub|usbcontroller|win32_diskdrive|usbstor|win32_usbhub).*' THEN 'USB_Device'
    WHEN LOWER("Command") MATCHES '.*(?:printer|win32_printer|printerconfiguration).*' THEN 'Printer'
    WHEN LOWER("Command") MATCHES '.*(?:logicaldisk|win32_logicaldisk|fsinfo drives|driveinfo|get-volume|get-disk|physicalmedia).*' THEN 'Drive_Enumeration'
    WHEN LOWER("Command") MATCHES '.*(?:pnpdevice|pnpentity|cdromdrive|win32_sounddevice).*' THEN 'PnP_Device'
    WHEN LOWER("Command") MATCHES '.*(?:usbstor|enum.usb).*' THEN 'USB_Registry_Enum'
    ELSE 'General_Peripheral'
  END AS enumeration_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 232)
  AND (
    ("CommandLine" IMATCHES '.*wmic\.exe.*' AND (
      "CommandLine" IMATCHES '.*(logicaldisk|diskdrive|USBHub|USBController|PhysicalMedia|CDROMDrive|Win32_USB|PnPEntity|printer).*'
    ))
    OR ("CommandLine" IMATCHES '.*(powershell\.exe|pwsh\.exe).*' AND (
      "CommandLine" IMATCHES '.*(Win32_DiskDrive|Win32_USBHub|Win32_USBController|Get-PnpDevice|Win32_LogicalDisk|Win32_Printer|Win32_CDROMDrive|Win32_PnPEntity|DriveInfo|Get-Volume|Get-Disk).*'
    ))
    OR ("CommandLine" IMATCHES '.*fsutil\.exe.*fsinfo drives.*')
    OR ("CommandLine" IMATCHES '.*reg\.exe.*(USBSTOR|Enum\\USB).*')
  )
  AND STARTSWITH(CATEGORYNAME(category), 'Process')
ORDER BY devicetime DESC
LAST 24 HOURS

Detects peripheral device discovery commands executed on Windows hosts. Monitors for wmic, PowerShell WMI class queries, fsutil drive enumeration, and reg.exe USB registry reads that indicate an adversary profiling connected hardware for surveillance or exfiltration preparation.

medium severity medium confidence

Data Sources

IBM QRadar with Windows Event Log DSM QRadar with Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Automated hardware inventory scripts run by enterprise management platforms like Microsoft SCCM or Tanium during scheduled collection windows
Help desk technicians remotely diagnosing printer or USB connectivity issues using WMI-based tools
Software installers that enumerate available drives and PnP devices during setup or compatibility checks

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventID=1
| where (
    (toLower(Image) matches "*\\wmic.exe" and (
      toLower(CommandLine) matches "*logicaldisk*" or
      toLower(CommandLine) matches "*diskdrive*" or
      toLower(CommandLine) matches "*usbhub*" or
      toLower(CommandLine) matches "*usbcontroller*" or
      toLower(CommandLine) matches "*physicalmedia*" or
      toLower(CommandLine) matches "*cdromdrive*" or
      toLower(CommandLine) matches "*win32_usb*" or
      toLower(CommandLine) matches "*pnpentity*" or
      toLower(CommandLine) matches "*printer*"
    ))
    or ((toLower(Image) matches "*\\powershell.exe" or toLower(Image) matches "*\\pwsh.exe") and (
      toLower(CommandLine) matches "*win32_usbhub*" or
      toLower(CommandLine) matches "*win32_usbcontroller*" or
      toLower(CommandLine) matches "*win32_diskdrive*" or
      toLower(CommandLine) matches "*get-pnpdevice*" or
      toLower(CommandLine) matches "*win32_logicaldisk*" or
      toLower(CommandLine) matches "*win32_printer*" or
      toLower(CommandLine) matches "*win32_cdromdrive*" or
      toLower(CommandLine) matches "*win32_pnpentity*" or
      toLower(CommandLine) matches "*driveinfo*" or
      toLower(CommandLine) matches "*get-volume*" or
      toLower(CommandLine) matches "*get-disk*"
    ))
    or (toLower(Image) matches "*\\fsutil.exe" and toLower(CommandLine) matches "*fsinfo drives*")
    or (toLower(Image) matches "*\\reg.exe" and (
      toLower(CommandLine) matches "*usbstor*" or
      toLower(CommandLine) matches "*enum\\usb*"
    ))
)
| if (toLower(CommandLine) matches "*(usbhub|usbcontroller|win32_diskdrive|usbstor)*", "USB_Device",
    if (toLower(CommandLine) matches "*(printer|win32_printer|printerconfiguration)*", "Printer",
    if (toLower(CommandLine) matches "*(logicaldisk|fsinfo drives|driveinfo|get-volume|get-disk|physicalmedia)*", "Drive_Enumeration",
    if (toLower(CommandLine) matches "*(pnpdevice|pnpentity|cdromdrive|sounddevice)*", "PnP_Device",
    if (toLower(CommandLine) matches "*(usbstor|enum.usb)*", "USB_Registry_Enum",
    "General_Peripheral"))))) as EnumerationType
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, EnumerationType
| sort by _messagetime desc

Detects peripheral device enumeration activity on Windows endpoints via Sysmon process creation events. Identifies tools and command patterns used to query USB devices, printers, disk drives, and PnP devices — a common precursor to data exfiltration, ransomware staging, or hardware-based surveillance.

medium severity high confidence

Data Sources

Sumo Logic with Windows Sysmon Sumo Logic Cloud SIEM Windows Event Log via Sumo Logic Installed Collector

Required Tables

windows/sysmon

False Positives

Enterprise device management agents (e.g., JAMF, BigFix, PDQ Inventory) that perform periodic hardware discovery using WMI
Backup software enumerating available drives and removable media to determine backup targets or exclusions
Endpoint security products performing hardware attestation or USB device allowlisting checks

Google Chronicle / SecOps

yaral

rule peripheral_device_discovery_t1120 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects peripheral device discovery activity targeting USB, printer, disk, and PnP device enumeration via WMI, PowerShell, fsutil, and registry queries."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1120"
    severity = "MEDIUM"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1120/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(logicaldisk|diskdrive|USBHub|USBController|PhysicalMedia|CDROMDrive|Win32_USB|PnPEntity|printer)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Win32_USBHub|Win32_USBController|Win32_DiskDrive|Win32_PhysicalMedia|Win32_CDROMDrive|Win32_PrinterConfiguration|Win32_Printer|Win32_PnPEntity|Win32_SoundDevice|Get-PnpDevice|GetDrives|Get-Volume|Get-Disk)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\fsutil\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)fsinfo\s+drives`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(USBSTOR|Enum\\USB)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting peripheral device discovery (T1120). Monitors process launch events for use of wmic.exe, PowerShell, fsutil, and reg.exe with command-line arguments indicative of USB device, printer, disk drive, and PnP device enumeration. Commonly used by ransomware to identify encryption targets and RATs for surveillance profiling.

medium severity high confidence

Data Sources

Google Chronicle with Windows Event Log ingestion Chronicle Unified Data Model (UDM) Chronicle with Sysmon log forwarding

Required Tables

UDM events (process launch category)

False Positives

Automated inventory systems using WMI-based discovery to maintain CMDB accuracy in enterprise environments
Remote monitoring and management (RMM) tools like ConnectWise or Kaseya querying device information during agent health checks
PowerShell DSC (Desired State Configuration) scripts auditing hardware compliance against organizational policies

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(wmic|powershell|pwsh|fsutil|reg)\.exe$/
| CommandLine = /(?i)(Win32_USBHub|Win32_USBController|Win32_DiskDrive|Win32_PhysicalMedia|Win32_CDROMDrive|Win32_PrinterConfiguration|Win32_Printer|Win32_PnPEntity|Win32_SoundDevice|Get-PnpDevice|GetDrives|Get-Volume|Get-Disk|logicaldisk|diskdrive|USBHub|USBController|PhysicalMedia|CDROMDrive|PnPEntity|fsinfo drives|USBSTOR|Enum\USB|Win32_USB)/
| case {
    CommandLine = /(?i)(USBHub|USBController|Win32_DiskDrive|USBSTOR|Win32_USBHub)/ | EnumerationType := "USB_Device" ;
    CommandLine = /(?i)(printer|Win32_Printer|PrinterConfiguration)/ | EnumerationType := "Printer" ;
    CommandLine = /(?i)(logicaldisk|Win32_LogicalDisk|fsinfo drives|DriveInfo|Get-Volume|Get-Disk|PhysicalMedia)/ | EnumerationType := "Drive_Enumeration" ;
    CommandLine = /(?i)(PnpDevice|PnPEntity|CDROMDrive|Win32_SoundDevice)/ | EnumerationType := "PnP_Device" ;
    CommandLine = /(?i)(USBSTOR|Enum.USB)/ | EnumerationType := "USB_Registry_Enum" ;
    * | EnumerationType := "General_Peripheral"
  }
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, EnumerationType])
| sort(field=@timestamp, order=desc)

Detects peripheral device discovery on Windows endpoints via CrowdStrike Falcon telemetry. Monitors ProcessRollup2 events for wmic.exe, PowerShell, fsutil, and reg.exe executions with command-line patterns indicating enumeration of USB devices, printers, disk drives, PnP devices, and USB registry history — techniques used by ransomware, RATs, and APT groups to profile connected hardware.

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself or other endpoint agents performing hardware inventory during initial deployment or update cycles
Windows Plug and Play service (svchost hosting PlugPlay) triggering WMI queries on device connection events in legitimate workflows
Enterprise software deployment tools (SCCM, Ivanti) running hardware discovery ahead of software compatibility checks or patch management

Sigma rule & cross-platform mapping

The detection logic for Peripheral Device Discovery (T1120) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1120 Sigma rules on detection.fyi

Platform-specific guides for T1120

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (10)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1USB Hub and Disk Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Two Process Create events with Image=wmic.exe. First CommandLine contains 'Win32_USBHub' and 'DeviceID,Name,Description'. Second CommandLine contains 'Win32_DiskDrive' and 'MediaType' and 'Removable Media'. Security Event ID 4688 (if command line auditing enabled) for both executions. Microsoft-Windows-WMI-Activity/Operational shows the WMI namespace queries.
Test 2Removable Drive Discovery via PowerShell WMI and PnP
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_LogicalDisk', 'DriveType', 'eq 2', and 'Get-PnpDevice'. PowerShell ScriptBlock Log Event ID 4104 with full deobfuscated script content showing the WMI query with DriveType filter. Console output lists all removable drives with DeviceID and volume names.
Test 3Printer Enumeration via WMIC for Ransom Note Targeting
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'printer' and 'PortName,DriverName'. Security Event ID 4688 with full command line. Microsoft-Windows-WMI-Activity/Operational Event ID 5857 showing the Win32_Printer provider loaded. Output lists all configured printers with network vs local status.
Test 4Drive Letter Enumeration via fsutil LOLBin
Expected signal: Sysmon Event ID 1: Process Create with Image=fsutil.exe, CommandLine='fsutil fsinfo drives'. Security Event ID 4688 if command line auditing is enabled. Output format: 'Drives: C:\ D:\ E:\' — presence of multiple drives beyond C:\ indicates attached removable or additional storage.
Test 5USB Device History Extraction from Registry
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing 'USBSTOR'. Sysmon Event ID 12 or 13: RegistryEvent for HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR registry key queries (if registry monitoring is configured for this path). Security Event ID 4663 if object access auditing is enabled on the USBSTOR registry key. Output contains all USB device classes with vendor IDs, product IDs, and serial numbers.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1120 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Peripheral Device Discovery

What is T1120 Peripheral Device Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1120

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1120 Peripheral Device Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1120

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox