title: Local Storage Discovery (T1680)
id: df00tech-t1680
status: experimental
description: "This detection identifies adversary attempts to enumerate local drives, disks, volumes, and storage attributes across Windows, Linux, macOS, and ESXi platforms. Attackers use tools such as wmic logicaldisk, Get-PSDrive, lsblk, fdisk, diskutil, esxcli, and cloud CLI commands to gather disk size, free space, volume serial numbers, and partition layouts. Storage discovery is a critical precursor to ransomware encryption (to identify all encryptable volumes), lateral movement targeting network shares, and direct volume access attacks. Groups like TeamTNT and malware families including Cuba ransomware and ZeroCleare have demonstrated this behavior in production incidents."
references:
  - https://attack.mitre.org/techniques/T1680/
  - https://df00tech.com/detections/T1680
author: df00tech
date: 2026/03/20
tags:
  - attack.t1680
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup agents (Veeam, Commvault, Veritas) routinely enumerate disk volumes before backup operations"
  - "System administration scripts and IT automation tools (Ansible, Chef, Puppet) checking disk capacity for health monitoring"
  - Windows disk cleanup utilities and OS maintenance tasks invoking fsutil or wmic for storage information
  - "Cloud management platforms and orchestration tools (Terraform, Packer) enumerating volumes during provisioning"
  - Storage monitoring agents and SIEM forwarders checking disk free space for alerting thresholds
level: medium