Detect Peripheral Device Discovery in Microsoft Sentinel
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions — ransomware families identify removable drives for encryption and printers for ransom note delivery, RATs enumerate cameras and Bluetooth devices for surveillance capability profiling, and APT groups map USB storage history to understand data exfiltration opportunities.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1120 Peripheral Device Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1120/
KQL Detection Query
let PeripheralWMIClasses = dynamic([
"Win32_USBHub", "Win32_USBController", "Win32_DiskDrive",
"Win32_PhysicalMedia", "Win32_CDROMDrive",
"Win32_PrinterConfiguration", "Win32_Printer",
"Win32_PnPEntity", "Win32_SoundDevice"
]);
let RegistryUSBPaths = dynamic(["USBSTOR", "Enum\\USB"]);
let ProcessDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
(FileName =~ "wmic.exe" and ProcessCommandLine has_any ("logicaldisk", "diskdrive", "USBHub", "USBController", "PhysicalMedia", "CDROMDrive", "printer", "Win32_USB", "PnPEntity"))
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PeripheralWMIClasses))
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-PnpDevice", "[System.IO.DriveInfo]::GetDrives", "Get-Volume", "Get-Disk"))
or (FileName =~ "fsutil.exe" and ProcessCommandLine has "fsinfo drives")
or (FileName =~ "reg.exe" and ProcessCommandLine has_any (RegistryUSBPaths))
)
| extend EnumerationType = case(
ProcessCommandLine has_any ("USBHub", "USBSTOR", "USBController", "Win32_DiskDrive"), "USB_Device",
ProcessCommandLine has_any ("printer", "Win32_Printer", "PrinterConfiguration"), "Printer",
ProcessCommandLine has_any ("logicaldisk", "LogicalDisk", "fsinfo drives", "DriveInfo", "Get-Volume", "Get-Disk", "PhysicalMedia"), "Drive_Enumeration",
ProcessCommandLine has_any ("PnpDevice", "PnPEntity", "CDROMDrive", "SoundDevice"), "PnP_Device",
ProcessCommandLine has_any (RegistryUSBPaths), "USB_Registry_Enum",
"General_Peripheral"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, EnumerationType;
let RegistryDiscovery = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (RegistryUSBPaths)
| where ActionType in ("RegistryKeyQueried", "RegistryValueQueried")
| where InitiatingProcessFileName !in~ ("svchost.exe", "services.exe", "System", "MsMpEng.exe", "TrustedInstaller.exe", "WmiPrvSE.exe")
| extend EnumerationType = "USB_Registry_Enum"
| project Timestamp, DeviceName,
AccountName=InitiatingProcessAccountName,
FileName=InitiatingProcessFileName,
ProcessCommandLine=InitiatingProcessCommandLine,
InitiatingProcessFileName=InitiatingProcessParentFileName,
InitiatingProcessCommandLine=InitiatingProcessParentCommandLine,
EnumerationType;
union ProcessDiscovery, RegistryDiscovery
| sort by Timestamp descDetects peripheral device discovery across two event sources. DeviceProcessEvents catches process-level peripheral enumeration: WMIC queries against USB, disk drive, printer, and PnP WMI classes; PowerShell cmdlets Get-PnpDevice, Get-Volume, Get-Disk, and WMI queries; fsutil drive listing; and reg.exe reading USB registry paths. DeviceRegistryEvents catches stealthier registry-based USB device history reads from USBSTOR and USB enumeration paths by non-system processes. Results are classified by enumeration type to help analysts prioritize alerts — USB_Device and USB_Registry_Enum are highest priority, particularly when followed by file write activity.
Data Sources
Required Tables
False Positives & Tuning
- IT asset management and hardware inventory tools (SCCM hardware inventory running under CcmExec.exe, Tanium, Lansweeper, Spiceworks) that periodically query WMI for device configuration
- Disk health and monitoring software (CrystalDiskInfo, SMART monitoring agents, backup software like Veeam or Acronis) that enumerate drives at startup or on schedule
- Help desk and remote support tools (TeamViewer, ConnectWise, Dameware) that collect hardware information automatically when a session starts
- Data Loss Prevention (DLP) agents that legitimately monitor USB connections will themselves query USBSTOR registry paths and WMI USB classes — identify DLP agent executables and exclude them
- Legitimate system administration scripts using Get-PnpDevice or wmic for driver troubleshooting and device inventory audits
Other platforms for T1120
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1USB Hub and Disk Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Two Process Create events with Image=wmic.exe. First CommandLine contains 'Win32_USBHub' and 'DeviceID,Name,Description'. Second CommandLine contains 'Win32_DiskDrive' and 'MediaType' and 'Removable Media'. Security Event ID 4688 (if command line auditing enabled) for both executions. Microsoft-Windows-WMI-Activity/Operational shows the WMI namespace queries.
- Test 2Removable Drive Discovery via PowerShell WMI and PnP
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_LogicalDisk', 'DriveType', 'eq 2', and 'Get-PnpDevice'. PowerShell ScriptBlock Log Event ID 4104 with full deobfuscated script content showing the WMI query with DriveType filter. Console output lists all removable drives with DeviceID and volume names.
- Test 3Printer Enumeration via WMIC for Ransom Note Targeting
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'printer' and 'PortName,DriverName'. Security Event ID 4688 with full command line. Microsoft-Windows-WMI-Activity/Operational Event ID 5857 showing the Win32_Printer provider loaded. Output lists all configured printers with network vs local status.
- Test 4Drive Letter Enumeration via fsutil LOLBin
Expected signal: Sysmon Event ID 1: Process Create with Image=fsutil.exe, CommandLine='fsutil fsinfo drives'. Security Event ID 4688 if command line auditing is enabled. Output format: 'Drives: C:\ D:\ E:\' — presence of multiple drives beyond C:\ indicates attached removable or additional storage.
- Test 5USB Device History Extraction from Registry
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing 'USBSTOR'. Sysmon Event ID 12 or 13: RegistryEvent for HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR registry key queries (if registry monitoring is configured for this path). Security Event ID 4663 if object access auditing is enabled on the USBSTOR registry key. Output contains all USB device classes with vendor IDs, product IDs, and serial numbers.
References (12)
- https://attack.mitre.org/techniques/T1120/
- https://linuxhint.com/list-usb-devices-linux/
- https://ss64.com/osx/system_profiler.html
- https://www.cybereason.com/blog/threat-alert-inc-ransomware
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/90065/
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
- https://www.mandiant.com/resources/blog/roadsweep-ransomware-chimneysweep
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
- https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-diskdrive
- https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-usbhub
- https://learn.microsoft.com/en-us/windows-hardware/drivers/install/inf-classinstall32-services-section
- https://www.sans.org/blog/openssh-client-enumeration/
Unlock Pro Content
Get the full detection package for T1120 including response playbook, investigation guide, and atomic red team tests.