Detect Peripheral Device Discovery in Sumo Logic CSE
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions — ransomware families identify removable drives for encryption and printers for ransom note delivery, RATs enumerate cameras and Bluetooth devices for surveillance capability profiling, and APT groups map USB storage history to understand data exfiltration opportunities.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1120 Peripheral Device Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1120/
Sumo Detection Query
_sourceCategory="windows/sysmon" EventID=1
| where (
(toLower(Image) matches "*\\wmic.exe" and (
toLower(CommandLine) matches "*logicaldisk*" or
toLower(CommandLine) matches "*diskdrive*" or
toLower(CommandLine) matches "*usbhub*" or
toLower(CommandLine) matches "*usbcontroller*" or
toLower(CommandLine) matches "*physicalmedia*" or
toLower(CommandLine) matches "*cdromdrive*" or
toLower(CommandLine) matches "*win32_usb*" or
toLower(CommandLine) matches "*pnpentity*" or
toLower(CommandLine) matches "*printer*"
))
or ((toLower(Image) matches "*\\powershell.exe" or toLower(Image) matches "*\\pwsh.exe") and (
toLower(CommandLine) matches "*win32_usbhub*" or
toLower(CommandLine) matches "*win32_usbcontroller*" or
toLower(CommandLine) matches "*win32_diskdrive*" or
toLower(CommandLine) matches "*get-pnpdevice*" or
toLower(CommandLine) matches "*win32_logicaldisk*" or
toLower(CommandLine) matches "*win32_printer*" or
toLower(CommandLine) matches "*win32_cdromdrive*" or
toLower(CommandLine) matches "*win32_pnpentity*" or
toLower(CommandLine) matches "*driveinfo*" or
toLower(CommandLine) matches "*get-volume*" or
toLower(CommandLine) matches "*get-disk*"
))
or (toLower(Image) matches "*\\fsutil.exe" and toLower(CommandLine) matches "*fsinfo drives*")
or (toLower(Image) matches "*\\reg.exe" and (
toLower(CommandLine) matches "*usbstor*" or
toLower(CommandLine) matches "*enum\\usb*"
))
)
// Classification uses regex literals (/.../); a quoted string is a glob in Sumo, so "(a|b)" would match the literal characters.
// The registry bucket is tested first so reg.exe USBSTOR queries are not swallowed by the generic USB bucket.
| if (toLower(CommandLine) matches /usbstor|enum\\usb/, "USB_Registry_Enum",
if (toLower(CommandLine) matches /usbhub|usbcontroller|win32_diskdrive/, "USB_Device",
if (toLower(CommandLine) matches /printer|win32_printer|printerconfiguration/, "Printer",
if (toLower(CommandLine) matches /logicaldisk|fsinfo drives|driveinfo|get-volume|get-disk|physicalmedia/, "Drive_Enumeration",
if (toLower(CommandLine) matches /pnpdevice|pnpentity|cdromdrive|sounddevice/, "PnP_Device",
"General_Peripheral"))))) as EnumerationType
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, EnumerationType
| sort by _messagetime desc
Detects peripheral device enumeration activity on Windows endpoints via Sysmon process creation events. Identifies tools and command patterns used to query USB devices, printers, disk drives, and PnP devices — a common precursor to data exfiltration, ransomware staging, or hardware-based surveillance.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise device management agents (e.g., JAMF, BigFix, PDQ Inventory) that perform periodic hardware discovery using WMI
- Backup software enumerating available drives and removable media to determine backup targets or exclusions
- Endpoint security products performing hardware attestation or USB device allowlisting checks
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: USB Hub and Disk Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Two Process Create events with Image=wmic.exe. First CommandLine contains 'Win32_USBHub' and 'DeviceID,Name,Description'. Second CommandLine contains 'Win32_DiskDrive' and 'MediaType' and 'Removable Media'. Security Event ID 4688 (if command line auditing enabled) for both executions. Microsoft-Windows-WMI-Activity/Operational shows the WMI namespace queries.
- Test 2: Removable Drive Discovery via PowerShell WMI and PnP
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_LogicalDisk', 'DriveType', 'eq 2', and 'Get-PnpDevice'. PowerShell ScriptBlock Log Event ID 4104 with full deobfuscated script content showing the WMI query with DriveType filter. Console output lists all removable drives with DeviceID and volume names.
- Test 3: Printer Enumeration via WMIC for Ransom Note Targeting
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'printer' and 'PortName,DriverName'. Security Event ID 4688 with full command line. Microsoft-Windows-WMI-Activity/Operational Event ID 5857 showing the Win32_Printer provider loaded. Output lists all configured printers with network vs local status.
- Test 4: Drive Letter Enumeration via fsutil LOLBin
Expected signal: Sysmon Event ID 1: Process Create with Image=fsutil.exe, CommandLine='fsutil fsinfo drives'. Security Event ID 4688 if command line auditing is enabled. Output format: 'Drives: C:\ D:\ E:\' — presence of multiple drives beyond C:\ indicates attached removable or additional storage.
- Test 5: USB Device History Extraction from Registry
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing 'USBSTOR'. Sysmon Event ID 12 or 13: RegistryEvent for HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR registry key queries (if registry monitoring is configured for this path). Security Event ID 4663 if object access auditing is enabled on the USBSTOR registry key. Output contains all USB device classes with vendor IDs, product IDs, and serial numbers.
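As an added example (not part of this detection page and not Sumo Logic's code), the Python below reimplements the query's `where` filter and its EnumerationType classification and runs them over constructed Sysmon Event ID 1 records modelled on the five tests above, plus a benign event and an inventory-agent event that a parent-image allowlist of the kind the False Positives & Tuning section describes would suppress. All event values and the `inventory_agent.exe` parent name are constructed assumptions. The classifier checks the registry pattern before the generic USB pattern so that a reg.exe USBSTOR query lands in USB_Registry_Enum rather than USB_Device, which is the precedence the nested `if` needs for that bucket to be reachable.

```python
import re
from pathlib import PureWindowsPath

# Image basename -> case-insensitive substrings the command line must contain.
# Mirrors the page's `where` clause; backslash patterns are literal backslashes.
_PS_PATTERNS = ["win32_usbhub", "win32_usbcontroller", "win32_diskdrive",
                "get-pnpdevice", "win32_logicaldisk", "win32_printer",
                "win32_cdromdrive", "win32_pnpentity", "driveinfo",
                "get-volume", "get-disk"]
TOOL_PATTERNS = {
    "wmic.exe": ["logicaldisk", "diskdrive", "usbhub", "usbcontroller",
                 "physicalmedia", "cdromdrive", "win32_usb", "pnpentity", "printer"],
    "powershell.exe": _PS_PATTERNS,
    "pwsh.exe": _PS_PATTERNS,
    "fsutil.exe": ["fsinfo drives"],
    "reg.exe": ["usbstor", "enum\\usb"],
}

# Ordered (label, regex) pairs: first match wins, so the more specific
# registry bucket precedes the generic USB bucket.
ENUMERATION_TYPES = [
    ("USB_Registry_Enum", re.compile(r"usbstor|enum\\usb")),
    ("USB_Device", re.compile(r"usbhub|usbcontroller|win32_diskdrive")),
    ("Printer", re.compile(r"printer|win32_printer|printerconfiguration")),
    ("Drive_Enumeration", re.compile(
        r"logicaldisk|fsinfo drives|driveinfo|get-volume|get-disk|physicalmedia")),
    ("PnP_Device", re.compile(r"pnpdevice|pnpentity|cdromdrive|sounddevice")),
]


def matches_filter(event):
    """True when the event's Image/CommandLine pair satisfies the `where` clause."""
    image = PureWindowsPath(event["Image"]).name.lower()
    cmd = event["CommandLine"].lower()
    return any(p in cmd for p in TOOL_PATTERNS.get(image, []))


def classify(command_line):
    """Return the EnumerationType label the nested `if` chain would assign."""
    cmd = command_line.lower()
    for label, pattern in ENUMERATION_TYPES:
        if pattern.search(cmd):
            return label
    return "General_Peripheral"


def run_detection(events, allowlisted_parents=()):
    """Filter, suppress allowlisted parent images, and label each hit."""
    allow = {p.lower() for p in allowlisted_parents}
    alerts = []
    for ev in events:
        if not matches_filter(ev):
            continue
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        if parent in allow:
            continue  # tuning: known hardware-inventory agent, see False Positives
        alerts.append({**ev, "EnumerationType": classify(ev["CommandLine"])})
    return alerts


def _ev(image, cmd, parent=r"C:\Windows\System32\cmd.exe"):
    return {"Computer": "WS01", "User": "CORP\\alice", "Image": image,
            "CommandLine": cmd, "ParentImage": parent}


WMIC = r"C:\Windows\System32\wbem\wmic.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (not real logs), one record per test above.
SAMPLE_EVENTS = [
    _ev(WMIC, "wmic path Win32_USBHub get DeviceID,Name,Description"),          # Test 1
    _ev(WMIC, "wmic path Win32_DiskDrive get MediaType,Model"),                  # Test 1
    _ev(PS, "powershell -c \"Get-WmiObject Win32_LogicalDisk -Filter "
            "'DriveType=2'; Get-PnpDevice\""),                                   # Test 2
    _ev(WMIC, "wmic printer get Name,PortName,DriverName"),                      # Test 3
    _ev(r"C:\Windows\System32\fsutil.exe", "fsutil fsinfo drives"),              # Test 4
    _ev(r"C:\Windows\System32\reg.exe",
        r"reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s"),             # Test 5
    _ev(r"C:\Windows\System32\cmd.exe", "cmd /c dir"),                           # benign
    _ev(WMIC, "wmic path Win32_PnPEntity get Name",
        parent=r"C:\Program Files\Inventory\inventory_agent.exe"),               # constructed agent
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS, allowlisted_parents=["inventory_agent.exe"]):
        print(f"{a['EnumerationType']:<20} {a['CommandLine']}")
```

Running the block prints six labelled hits; the benign `dir` never passes the filter, and the inventory-agent query is dropped by the allowlist even though its command line would otherwise classify as PnP_Device. To tune in production, key the allowlist on a full parent path and signer rather than a basename, since a basename alone is trivially spoofable.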
References (12)
- https://attack.mitre.org/techniques/T1120/
- https://linuxhint.com/list-usb-devices-linux/
- https://ss64.com/osx/system_profiler.html
- https://www.cybereason.com/blog/threat-alert-inc-ransomware
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/90065/
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
- https://www.mandiant.com/resources/blog/roadsweep-ransomware-chimneysweep
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
- https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-diskdrive
- https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-usbhub
- https://learn.microsoft.com/en-us/windows-hardware/drivers/install/inf-classinstall32-services-section
- https://www.sans.org/blog/openssh-client-enumeration/