T1680 Local Storage Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let StorageDiscoveryPatterns = dynamic(["logicaldisk", "diskdrive", "win32_volume", "win32_logicaldisk"]);
let PSStorageCmdlets = dynamic(["Get-PSDrive", "Get-Disk", "Get-Volume", "Get-Partition", "Get-PhysicalDisk", "Get-StoragePool"]);
let LinuxStorageCmds = dynamic(["lsblk", "fdisk", "parted", "lshw", "blkid", "lvdisplay", "pvdisplay", "vgdisplay"]);
let CloudStorageCmds = dynamic(["describe-volumes", "describe-instances", "disks list", "disk list"]);
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where (
    (FileName =~ "wmic.exe" and ProcessCommandLine has_any (StorageDiscoveryPatterns))
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "volume" and ProcessCommandLine has "get")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (PSStorageCmdlets))
    or (FileName =~ "diskpart.exe" and ProcessCommandLine has_any ("list disk", "list volume", "list partition"))
    or (FileName =~ "fsutil.exe" and ProcessCommandLine has "fsinfo")
    or (FileName =~ "mountvol.exe")
    or (FileName in~ ("lsblk", "fdisk", "parted", "lshw", "blkid", "df") and ProcessCommandLine has_any (LinuxStorageCmds))
    or (FileName =~ "diskutil" and (ProcessCommandLine has "list" or ProcessCommandLine has "info"))
    or (FileName =~ "system_profiler" and ProcessCommandLine has "SPStorageDataType")
    or (FileName =~ "esxcli" and ProcessCommandLine has "storage")
    or (FileName in~ ("aws", "gcloud", "az") and ProcessCommandLine has_any (CloudStorageCmds))
)
| where InitiatingProcessFileName !in~ ("msiexec.exe", "MsMpEng.exe", "svchost.exe", "services.exe")
| project TimeGenerated, DeviceName, AccountName, AccountDomain,
    FileName, ProcessCommandLine, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
    ProcessId, InitiatingProcessId
| extend RiskIndicator = case(
    ProcessCommandLine has "wmic" and ProcessCommandLine has "logicaldisk", "WMIC LogicalDisk Enumeration",
    ProcessCommandLine has_any (PSStorageCmdlets), "PowerShell Storage Cmdlet",
    ProcessCommandLine has "diskpart", "DiskPart Storage Enumeration",
    ProcessCommandLine has "esxcli" and ProcessCommandLine has "storage", "ESXi Storage Enumeration",
    ProcessCommandLine has_any (CloudStorageCmds), "Cloud Volume Enumeration",
    "Generic Storage Discovery"
)
| order by TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations
System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring
Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information
Cloud management platforms and orchestration tools (Terraform, Packer) enumerating volumes during provisioning
Storage monitoring agents and SIEM forwarders checking disk free space for alerting thresholds

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval lower_cmd=lower(CommandLine), lower_img=lower(Image)
| where (
    (like(lower_img, "%wmic.exe") AND (like(lower_cmd, "%logicaldisk%") OR like(lower_cmd, "%diskdrive%") OR like(lower_cmd, "%win32_volume%")))
    OR (match(lower_img, "powershell\.exe|pwsh\.exe") AND (like(lower_cmd, "%get-psdrive%") OR like(lower_cmd, "%get-disk%") OR like(lower_cmd, "%get-volume%") OR like(lower_cmd, "%get-partition%") OR like(lower_cmd, "%get-physicaldisk%")))
    OR (like(lower_img, "%diskpart.exe") AND (like(lower_cmd, "%list disk%") OR like(lower_cmd, "%list volume%") OR like(lower_cmd, "%list partition%")))
    OR (like(lower_img, "%fsutil.exe") AND like(lower_cmd, "%fsinfo%"))
    OR (like(lower_img, "%mountvol.exe"))
)
| where NOT match(lower(ParentImage), "msiexec\.exe|msmpeng\.exe|svchost\.exe")
| eval risk_label=case(
    like(lower_cmd, "%logicaldisk%"), "WMIC LogicalDisk Enum",
    like(lower_cmd, "%get-psdrive%") OR like(lower_cmd, "%get-disk%"), "PowerShell Storage Cmdlet",
    like(lower_cmd, "%list disk%") OR like(lower_cmd, "%list volume%"), "DiskPart Enumeration",
    like(lower_cmd, "%fsinfo%"), "FSUtil Drive Info",
    1=1, "Storage Discovery"
)
| stats count min(_time) as first_seen max(_time) as last_seen values(CommandLine) as commands values(risk_label) as risk_labels by host, User, Image, ParentImage
| where count >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - last_seen
| table last_seen, host, User, Image, ParentImage, commands, risk_labels, count

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software (Veeam, Acronis) enumerating volumes prior to backup job execution
IT monitoring agents and Nagios/Zabbix check scripts querying disk free space
Developer tooling and IDE plugins checking available drive space during builds
Windows Update service verifying disk space before applying patches via wmic
Helpdesk remote management tools (ConnectWise, TeamViewer) collecting system inventory

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1680*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations
System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring
Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations
System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring
Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations
System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring
Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information

Google Chronicle / SecOps

yaral

rule detection_t1680 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Local Storage Discovery - T1680"
    severity = "HIGH"
    mitre_attack = "T1680"
    reference = "https://attack.mitre.org/techniques/T1680/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations
System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring
Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations
System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring
Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information

Local Storage Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections