Peripheral Device Discovery, Technique T1120 - Enterprise
AcidPour includes functionality to identify MMC and SD cards connected to the victim device.[3]
ADVSTORESHELL can list connected devices.[4]
APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.[5]
APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices.[6]
Attor has a plugin that collects information about inserted storage devices, modems, and phone devices.[7]
BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.[8]
BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.[9][10]
Bandook can detect USB devices.[11]
BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.[12]
Cadelspy has the ability to steal information about printers and the documents sent to printers.[13]
CHIMNEYSWEEP can monitor for removable drives.[14]
Crimson has the ability to discover pluggable/removable drives to extract files from.[15][16]
Crutch can monitor for removable drives being plugged into the compromised machine.[17]
DarkWatchman can list signed PnP drivers for smartcard readers.[18]
DustySky can detect connected USB devices.[19]
DynoWiper has enumerated and overwritten files on all removable and fixed drives.[20]
Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.[21]
Ferocious can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present.[22]
FlawedAmmyy will attempt to detect whether a usable smart card is currently inserted into a card reader.[23]
The FunnyDream FilepakMonitor component can detect removable drive insertion.[24]
Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.[25][26][27]
Heyoka Backdoor can identify removable media attached to victim's machines.[28]
HIUPAN has checked periodically for removable drives and installs itself when a drive is detected.[29][30]
INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.[31]
LockBit 2.0 has the ability to identify mounted external storage devices.[33]
LockBit 3.0 has the ability to discover external storage devices.[34]
Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message.[35]
Mongall can identify removable media attached to compromised hosts.[28]
MoonWind obtains the number of removable drives from the victim.[36]
NightClub has the ability to monitor removable drives.[37]
njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system.[38][39]
ObliqueRAT can discover pluggable/removable drives to extract files from.[40]
OilRig has used tools to identify if a mouse is connected to a targeted system.[41]
During Operation CuckooBees, the threat actors used the fsutil fsinfo drives command as part of their advanced reconnaissance.[42]
During Operation Wocao, threat actors discovered removable disks attached to a system.[43]
PlugX can identify removable media attached to compromised hosts.[44]
A module in Prikormka collects information on available printers and disk drives.[45]
QakBot can identify peripheral devices on targeted systems.[46]
QuietSieve can identify and search removable drives for specific file name extensions.[47]
Ragnar Locker may attempt to connect to removable drives and mapped network drives.[48]
Ramsay can scan for removable media which may contain documents for collection.[49][50]
ROADSWEEP can identify removable drives attached to the victim's machine.[14]
RTM can obtain a list of smart card readers attached to the victim.[51][52]
SharpDisco has dropped a plugin to monitor external drives to C:\Users\Public\It3.exe.[37]
Stuxnet enumerates removable drives for infection.[53]
SVCReady can check for the number of devices plugged into an infected host.[54]
T9000 searches through connected drives for removable storage devices.[55]
TajMahal has the ability to identify connected Apple devices.[56]
TeamTNT has searched for attached VGA devices using lspci.[57]
Turian can scan for removable media to collect data.[8]
Turla has used fsutil fsinfo drives to list connected drives.[58]
USBferry can check for connected USB devices.[59]
USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.[60]
Volt Typhoon has obtained victim's screen dimension and display device information.[61]
WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.[62]
WastedLocker can enumerate removable drives prior to the encryption process.[63]
Zebrocy enumerates information about connected storage devices.[64]
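Several of the procedure examples above rely on ordinary operating-system commands rather than custom code: Operation CuckooBees and Turla ran `fsutil fsinfo drives`, and TeamTNT searched for VGA devices with `lspci`. Those invocations land in process-creation telemetry, which is where a detection engineer would look for this technique. The following is an added example written for this page, not code from MITRE ATT&CK or from any of the tools or groups listed above. It assumes process events with `host`, `user`, `parent`, `image` and `cmdline` fields (an assumption loosely modelled on Sysmon Event ID 1 and auditd EXECVE records), the sample events are constructed for the example, and the rule names and severity labels are the author's own.

```python
"""Flag T1120-style peripheral/drive discovery in process-creation events.

Added example for this page; the rules cover only the command-line
behaviours the procedure examples mention (fsutil fsinfo drives, lspci).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry). Field names are an
# assumption made for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c fsutil fsinfo drives"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "srv02", "user": "svc_backup", "parent": "powershell.exe",
     "image": "fsutil.exe", "cmdline": "fsutil.exe fsinfo drives"},
    # Same binary, different subcommand: queries one volume, not the drive
    # list, so the fsutil rule must not fire on it.
    {"host": "srv02", "user": "admin", "parent": "cmd.exe",
     "image": "fsutil.exe", "cmdline": "fsutil.exe fsinfo volumeinfo C:"},
    {"host": "lin03", "user": "www-data", "parent": "bash",
     "image": "bash", "cmdline": 'bash -c "lspci | grep -i vga"'},
    {"host": "lin03", "user": "root", "parent": "bash",
     "image": "lspci", "cmdline": "lspci -k"},
]

# Ordered most specific first; the first matching rule is reported.
# (rule name, compiled pattern, severity) -- names and severities are
# chosen for this example, not taken from any vendor content.
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("fsutil drive enumeration",
     re.compile(r"\bfsutil(?:\.exe)?\s+fsinfo\s+drives\b", re.I), "high"),
    ("lspci VGA/display search",
     re.compile(r"\blspci\b.*\b(?:vga|display)\b", re.I | re.S), "medium"),
    ("lspci device enumeration",
     re.compile(r"\blspci\b", re.I), "low"),
]


def match_rule(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (rule name, severity) for the first rule the command line
    matches, or None when no rule applies."""
    for name, pattern, severity in RULES:
        if pattern.search(cmdline):
            return name, severity
    return None


def detect_peripheral_discovery(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through the rules and return one alert per hit.

    Alerts keep the context a responder needs (host, user, parent, full
    command line) so a true positive can be triaged without re-querying.
    """
    alerts: List[Dict[str, str]] = []
    for ev in events:
        hit = match_rule(ev.get("cmdline", ""))
        if hit is None:
            continue
        rule, severity = hit
        alerts.append({
            "technique": "T1120",
            "rule": rule,
            "severity": severity,
            "host": ev.get("host", ""),
            "user": ev.get("user", ""),
            "parent": ev.get("parent", ""),
            "cmdline": ev.get("cmdline", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_peripheral_discovery(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['host']}/{alert['user']} "
              f"{alert['rule']}: {alert['cmdline']}  (parent={alert['parent']})")
```

The rules are deliberately narrow. `fsutil fsinfo drives` is rare in normal user sessions but does appear in administrative scripts, and `lspci` is routine for a system administrator, which is why the plain `lspci` rule carries only a low severity; in practice the parent process and the account (a web-service user spawning `lspci`, as in the constructed `www-data` event) are what separate routine enumeration from reconnaissance.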