Which SIEM platforms have a T1120 detection rule?

df00tech provides T1120 (Peripheral Device Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Peripheral Device Discovery (T1120)?

Detecting Peripheral Device Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Windows Registry: Windows Registry Key Access, Microsoft Defender for Endpoint.

What severity and confidence is the T1120 detection?

The T1120 detection is rated medium severity with medium confidence.

What are common false positives for T1120?

Common false positives for T1120 include: IT asset management and hardware inventory tools (SCCM hardware inventory running under CcmExec.exe, Tanium, Lansweeper, Spiceworks) that periodically query WMI for device configuration; Disk health and monitoring software (CrystalDiskInfo, SMART monitoring agents, backup software like Veeam or Acronis) that enumerate drives at startup or on schedule; Help desk and remote support tools (TeamViewer, ConnectWise, Dameware) that collect hardware information automatically when a session starts.

T1120 Google Chronicle · YARA-L

Detect Peripheral Device Discovery in Google Chronicle

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions — ransomware families identify removable drives for encryption and printers for ransom note delivery, RATs enumerate cameras and Bluetooth devices for surveillance capability profiling, and APT groups map USB storage history to understand data exfiltration opportunities.

MITRE ATT&CK

Tactic: Discovery
Technique: T1120 Peripheral Device Discovery
Canonical reference: https://attack.mitre.org/techniques/T1120/

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule peripheral_device_discovery_t1120 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects peripheral device discovery activity targeting USB, printer, disk, and PnP device enumeration via WMI, PowerShell, fsutil, and registry queries."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1120"
    severity = "MEDIUM"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1120/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(logicaldisk|diskdrive|USBHub|USBController|PhysicalMedia|CDROMDrive|Win32_USB|PnPEntity|printer)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Win32_USBHub|Win32_USBController|Win32_DiskDrive|Win32_PhysicalMedia|Win32_CDROMDrive|Win32_PrinterConfiguration|Win32_Printer|Win32_PnPEntity|Win32_SoundDevice|Get-PnpDevice|GetDrives|Get-Volume|Get-Disk)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\fsutil\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)fsinfo\s+drives`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(USBSTOR|Enum\\USB)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Chronicle YARA-L 2.0 rule detecting peripheral device discovery (T1120). Monitors process launch events for use of wmic.exe, PowerShell, fsutil, and reg.exe with command-line arguments indicative of USB device, printer, disk drive, and PnP device enumeration. Commonly used by ransomware to identify encryption targets and RATs for surveillance profiling.

Data Sources

Google Chronicle with Windows Event Log ingestionChronicle Unified Data Model (UDM)Chronicle with Sysmon log forwarding

Required Tables

UDM events (process launch category)

False Positives & Tuning

Automated inventory systems using WMI-based discovery to maintain CMDB accuracy in enterprise environments
Remote monitoring and management (RMM) tools like ConnectWise or Kaseya querying device information during agent health checks
PowerShell DSC (Desired State Configuration) scripts auditing hardware compliance against organizational policies

Download portable Sigma rule (.yml)

Other platforms for T1120

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1USB Hub and Disk Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Two Process Create events with Image=wmic.exe. First CommandLine contains 'Win32_USBHub' and 'DeviceID,Name,Description'. Second CommandLine contains 'Win32_DiskDrive' and 'MediaType' and 'Removable Media'. Security Event ID 4688 (if command line auditing enabled) for both executions. Microsoft-Windows-WMI-Activity/Operational shows the WMI namespace queries.
Test 2Removable Drive Discovery via PowerShell WMI and PnP
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_LogicalDisk', 'DriveType', 'eq 2', and 'Get-PnpDevice'. PowerShell ScriptBlock Log Event ID 4104 with full deobfuscated script content showing the WMI query with DriveType filter. Console output lists all removable drives with DeviceID and volume names.
Test 3Printer Enumeration via WMIC for Ransom Note Targeting
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'printer' and 'PortName,DriverName'. Security Event ID 4688 with full command line. Microsoft-Windows-WMI-Activity/Operational Event ID 5857 showing the Win32_Printer provider loaded. Output lists all configured printers with network vs local status.
Test 4Drive Letter Enumeration via fsutil LOLBin
Expected signal: Sysmon Event ID 1: Process Create with Image=fsutil.exe, CommandLine='fsutil fsinfo drives'. Security Event ID 4688 if command line auditing is enabled. Output format: 'Drives: C:\ D:\ E:\' — presence of multiple drives beyond C:\ indicates attached removable or additional storage.
Test 5USB Device History Extraction from Registry
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing 'USBSTOR'. Sysmon Event ID 12 or 13: RegistryEvent for HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR registry key queries (if registry monitoring is configured for this path). Security Event ID 4663 if object access auditing is enabled on the USBSTOR registry key. Output contains all USB device classes with vendor IDs, product IDs, and serial numbers.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1120 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1082System Information Discovery T1083File and Directory Discovery T1074.001Local Data Staging T1052.001Exfiltration over USB T1025Data from Removable Media T1091Replication Through Removable Media T1135Network Share Discovery T1033System Owner/User Discovery T1047Windows Management Instrumentation

Detect Peripheral Device Discovery in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1120

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1120

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox