T1680 Splunk · SPL

Detect Local Storage Discovery in Splunk

This detection identifies adversary attempts to enumerate local drives, disks, volumes, and storage attributes across Windows, Linux, macOS, and ESXi platforms. Attackers use tools such as wmic logicaldisk, Get-PSDrive, lsblk, fdisk, diskutil, esxcli, and cloud CLI commands to gather disk size, free space, volume serial numbers, and partition layouts. Storage discovery is a critical precursor to ransomware encryption (to identify all encryptable volumes), lateral movement targeting network shares, and direct volume access attacks. Groups like TeamTNT and malware families including Cuba ransomware and ZeroCleare have demonstrated this behavior in production incidents.

MITRE ATT&CK

Tactic
Discovery
Technique
T1680 Local Storage Discovery
Canonical reference
https://attack.mitre.org/techniques/T1680/

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval lower_cmd=lower(CommandLine), lower_img=lower(Image)
| where (
    (like(lower_img, "%wmic.exe") AND (like(lower_cmd, "%logicaldisk%") OR like(lower_cmd, "%diskdrive%") OR like(lower_cmd, "%win32_volume%")))
    OR (match(lower_img, "powershell\.exe|pwsh\.exe") AND (like(lower_cmd, "%get-psdrive%") OR like(lower_cmd, "%get-disk%") OR like(lower_cmd, "%get-volume%") OR like(lower_cmd, "%get-partition%") OR like(lower_cmd, "%get-physicaldisk%")))
    OR (like(lower_img, "%diskpart.exe") AND (like(lower_cmd, "%list disk%") OR like(lower_cmd, "%list volume%") OR like(lower_cmd, "%list partition%")))
    OR (like(lower_img, "%fsutil.exe") AND like(lower_cmd, "%fsinfo%"))
    OR (like(lower_img, "%mountvol.exe"))
)
| where NOT match(lower(ParentImage), "msiexec\.exe|msmpeng\.exe|svchost\.exe")
| eval risk_label=case(
    like(lower_cmd, "%logicaldisk%"), "WMIC LogicalDisk Enum",
    like(lower_cmd, "%get-psdrive%") OR like(lower_cmd, "%get-disk%"), "PowerShell Storage Cmdlet",
    like(lower_cmd, "%list disk%") OR like(lower_cmd, "%list volume%"), "DiskPart Enumeration",
    like(lower_cmd, "%fsinfo%"), "FSUtil Drive Info",
    1=1, "Storage Discovery"
)
| stats count min(_time) as first_seen max(_time) as last_seen values(CommandLine) as commands values(risk_label) as risk_labels by host, User, Image, ParentImage
| where count >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - last_seen
| table last_seen, host, User, Image, ParentImage, commands, risk_labels, count
medium severity medium confidence

Detects Windows storage discovery commands via Sysmon process creation events (EventCode=1), covering wmic logicaldisk enumeration, PowerShell Get-PSDrive/Get-Disk/Get-Volume, DiskPart list commands, and fsutil fsinfo queries. Groups results by host and user to surface burst activity patterns indicative of pre-ransomware reconnaissance.

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Backup software (Veeam, Acronis) enumerating volumes prior to backup job execution
  • IT monitoring agents and Nagios/Zabbix check scripts querying disk free space
  • Developer tooling and IDE plugins checking available drive space during builds
  • Windows Update service verifying disk space before applying patches via wmic
  • Helpdesk remote management tools (ConnectWise, TeamViewer) collecting system inventory
Download portable Sigma rule (.yml)

Other platforms for T1680

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 6 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows WMIC LogicalDisk Enumeration

    Expected signal: DeviceProcessEvents: FileName=wmic.exe, ProcessCommandLine contains 'logicaldisk get'. Security Event 4688 if process creation auditing enabled. Sysmon EventCode=1 with full command line.

  2. Test 2PowerShell Storage Enumeration via Get-Disk and Get-Volume

    Expected signal: DeviceProcessEvents: FileName=powershell.exe, ProcessCommandLine contains 'Get-Disk' and 'Get-Volume'. PowerShell Script Block Logging (Event 4104) will record the script block if enabled. Sysmon EventCode=1.

  3. Test 3DiskPart Volume and Disk Listing

    Expected signal: DeviceProcessEvents: FileName=diskpart.exe with /s flag and temp file path. DeviceFileEvents: temp script file creation in %TEMP%. Security Event 4688 or Sysmon EventCode=1.

  4. Test 4Linux Block Device Enumeration

    Expected signal: Syslog or auditd EXECVE records for lsblk, fdisk, df, blkid. auditd: type=EXECVE msg containing lsblk and fdisk arguments. bash history update.

  5. Test 5ESXi Storage Enumeration via esxcli

    Expected signal: ESXi shell.log (/var/log/shell.log): command execution entries for esxcli storage filesystem list and vim-cmd. Syslog entries if syslog forwarding is configured to a SIEM.

  6. Test 6AWS Cloud Volume Discovery

    Expected signal: AWS CloudTrail: DescribeVolumes and DescribeInstances API calls with sourceIPAddress, userIdentity.arn, and eventTime. CloudTrail log should appear in S3 bucket within 15 minutes.

Last updated: 2026-03-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1680 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1006Direct Volume AccessT1486Data Encrypted for ImpactT1083File and Directory DiscoveryT1057Process DiscoveryT1082System Information DiscoveryT1490Inhibit System RecoveryT1059.001PowerShellT1059.003Windows Command ShellT1059.012Hypervisor CLI

Same Tactic: Discovery

Popular Detections