# T1120 Peripheral Device Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

  * macOS

  * Linux

### Adversary Required Permissions:

  * User

  * Administrator

  * SYSTEM

### Data Sources:

  * **Command:** Command Execution

  * **Process:** OS API Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has used an executable to detect removable media, such as USB flash drives.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has discovered removable disks attached to a system.(Citation: FoxIT Wocao December 2019)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. (Citation: Securelist ScarCruft May 2019)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used tools to identify if a mouse is connected to a targeted system.(Citation: Check Point APT34 April 2021)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have contained an application to check performance of USB flash drives. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also used malware to scan for removable drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)| 
| Equation | [Equation](https://attack.mitre.org/groups/G0020) has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.(Citation: Kaspersky Equation QA)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>fsutil fsinfo drives</code> to list connected drives.(Citation: ESET ComRAT May 2020)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1120)

  * [Capec](https://capec.mitre.org/data/definitions/646.html)

  * [Peripheral Discovery Linux](https://linuxhint.com/list-usb-devices-linux/), Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.

  * [Peripheral Discovery macOS](https://ss64.com/osx/system_profiler.html), SS64. (n.d.). system_profiler. Retrieved March 11, 2022.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will attempt to gather information about attached peripheral devices and components connected to a computer system.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla | 1 | |
| APT28 | 1 | |

#### Turla 
- has used fsutil fsinfo drives to list connected drives.

#### APT28	
- uses a module to receive a notification every time a USB mass storage device is inserted into a victim.
- ADVSTORESHELL (backdoor used by APT28) can list connected devices (Sedreco payload command 17).
- USBStealer (malware used by APT28) monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates the drives connected to that system. (See the reference links for detailed steps.)
- Zebrocy (Trojan used by APT28) enumerates information about connected storage devices (via systeminfo and tasklist).

## Detection Blindspots

- Every host analytic on this page keys on process creation. Discovery done directly through the Windows API (APT37's Bluetooth harvester, APT28's module that is notified on USB insertion, or a RAT calling the device enumeration APIs itself) spawns no child process and leaves no command line, so it is invisible here; catching it needs API-level telemetry from an EDR or device-arrival artifacts, neither of which is covered below.
- `vol` and `set` are cmd.exe internal commands. They never appear as a `process.name`; they are visible only in the command line of cmd.exe, and only when passed with `cmd /c ...`. Typed into an already-running interactive shell they generate no process creation event at all.
- PowerShell enumeration (`Get-PnpDevice`, WMI/CIM queries) is visible in the process command line only when passed via `-Command` or `-EncodedCommand`; script-file and interactive use need Script Block Logging (Event ID 4104) to be seen.

## Analytical References

  * [ESET Turla ComRAT 2020 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)
  * [Microsoft Security Intelligence Report Volume 19 (microsoft)](http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf)
  * [ESET Sednit Part 2 2016 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf)
  * [Sednit Espionage Group Attacking Air Gapped Networks 2014 (welivesecurity)](https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/)
  * [Sofacy Continues Global Attacks Wheels New Cannon Trojan (paloaltonetworks)](https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/)
  * [Windows cmd Commands (ionos)](https://www.ionos.com/digitalguide/server/know-how/windows-cmd-commands/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment.
- Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
- Remote access tools with built-in features may interact directly with the Windows API to gather information.
- Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

#### Analytic 1

  * **Information:** Turla has used fsutil fsinfo drives to list connected drives.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** `fsutil` is a legitimate admin tool, so `process.name` alone is noisy; keying on the `fsinfo drives` sub-command (winlogbeat maps Sysmon's command line into the `process.args` token array) cuts it down. Check the parent process and user: an interactive admin shell is expected, an Office application or a service host is not.

  * **Query:** ```process.name : fsutil.exe and process.args : fsinfo and process.args : drives```

#### Analytic 2

  * **Information:** Zebrocy (Trojan used by APT28) enumerates information about connected storage devices. (via systeminfo & tasklist)

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Both binaries run constantly from admin scripts and monitoring agents, so treat them only as a chain indicator, e.g. both from the same parent within a few minutes and followed by drive or device enumeration. The values must be grouped in parentheses: written as `process.name : systeminfo.exe or tasklist.exe`, KQL treats `tasklist.exe` as a free-text term against all fields rather than a second value of `process.name`.

  * **Query:** ```process.name : (systeminfo.exe or tasklist.exe)```

#### Analytic 3

  * **Information:** Windows commands for enumeration

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Common commands
      -   net: network utility (`net use` lists mapped drives).
      -   set: cmd.exe internal command; displays the environment variables of CMD.EXE and lets you configure them (`%SystemDrive%` shows the system drive letter). Internal commands run inside cmd.exe, so they appear only in cmd.exe's command line, never as a `process.name`.
      -   tree: graphically displays the directory structure of a drive or path; it ships as `tree.com`, not `tree.exe`.
      -   mountvol: creates and deletes mount points for drives and displays them (ex: `mountvol /?` shows the possible values along with the current mount points).
      -   vol: cmd.exe internal command; displays the label and serial number of a drive.
      -   vssadmin: manages the volume shadow copy service, which stores snapshots of drives (ex: `vssadmin List Volumes`).
      -   wmic: `wmic diskdrive`, `wmic logicaldisk` and `wmic path Win32_PnPEntity` enumerate disks, volumes and plug-and-play devices; the PowerShell equivalents from the MITRE detection notes are `Get-PnpDevice`, `Get-CimInstance Win32_DiskDrive` and `Get-PSDrive`.

  * **Query:** `process.name : (net.exe or net1.exe or tree.com or mountvol.exe or vssadmin.exe or wmic.exe) or (process.name : cmd.exe and process.args : (vol or set))`
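The three analytics above key on `process.name`, which never sees cmd.exe internal commands and on its own matches plenty of legitimate admin activity. The hunter notes say to read these hits as a chain; the script below does that over a handful of events. It is an added example for this playbook, not code from MITRE or from any of the cited reports. It assumes the ECS field names winlogbeat's Sysmon module emits for Event ID 1 (`process.name`, `process.args`, `process.parent.name`, `host.name`, `user.name`, `@timestamp`); the hosts, users, timestamps and command lines are constructed.

```python
"""Peripheral-device discovery hunt over ECS-shaped process creation events.

Added example for this playbook; not MITRE or vendor code. Field names
follow ECS as winlogbeat maps Sysmon Event ID 1; all events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# cmd.exe internal commands: they run inside cmd.exe, so they never appear as
# process.name and can only be matched as an argument token of cmd.exe.
CMD_BUILTINS = {"vol", "set"}
# Stand-alone binaries that enumerate drives, plus the systeminfo/tasklist
# pair from Analytic 2 (tree ships as tree.com, not tree.exe).
DEVICE_EXES = {"mountvol.exe", "tree.com", "systeminfo.exe", "tasklist.exe"}
# WMIC aliases and WMI classes that return disk, volume and PnP device data.
WMI_DEVICE_CLASSES = {"diskdrive", "logicaldisk", "win32_diskdrive",
                      "win32_logicaldisk", "win32_pnpentity",
                      "win32_usbcontrollerdevice"}
PS_DEVICE_PATTERNS = ("get-pnpdevice", "get-psdrive", "win32_pnpentity",
                      "win32_diskdrive", "win32_logicaldisk")


def ev(ts, host, user, name, args, parent="explorer.exe"):
    """Build one constructed ECS-style process creation event."""
    return {"@timestamp": ts, "host": {"name": host}, "user": {"name": user},
            "process": {"name": name, "args": args, "parent": {"name": parent}}}


SAMPLE_EVENTS = [
    # WS01/alice: vol -> fsutil fsinfo drives -> wmic logicaldisk, all from Word
    ev("2022-06-23T10:00:00Z", "WS01", "alice", "cmd.exe",
       ["cmd.exe", "/c", "vol", "C:"], "winword.exe"),
    ev("2022-06-23T10:00:30Z", "WS01", "alice", "fsutil.exe",
       ["fsutil", "fsinfo", "drives"], "winword.exe"),
    ev("2022-06-23T10:01:10Z", "WS01", "alice", "wmic.exe",
       ["wmic", "logicaldisk", "get", "caption,drivetype"], "winword.exe"),
    # WS02/bob: two lone hits an hour apart, the shape admin activity has
    ev("2022-06-23T10:00:00Z", "WS02", "bob", "fsutil.exe", ["fsutil", "fsinfo", "drives"]),
    ev("2022-06-23T11:00:00Z", "WS02", "bob", "systeminfo.exe", ["systeminfo"]),
    # WS03/carol: the systeminfo + tasklist pair from Analytic 2
    ev("2022-06-23T09:00:00Z", "WS03", "carol", "tasklist.exe", ["tasklist"]),
    ev("2022-06-23T09:00:05Z", "WS03", "carol", "systeminfo.exe", ["systeminfo"]),
    ev("2022-06-23T09:00:20Z", "WS03", "carol", "notepad.exe", ["notepad.exe"]),
    # WS04/dave: 'setup.exe' must not match the 'set' built-in; one lone
    # PowerShell hit stays below the chain threshold
    ev("2022-06-23T12:00:00Z", "WS04", "dave", "cmd.exe", ["cmd.exe", "/c", "setup.exe"]),
    ev("2022-06-23T12:00:10Z", "WS04", "dave", "powershell.exe",
       ["powershell.exe", "-Command", "Get-PnpDevice", "-PresentOnly"]),
]


def classify(event):
    """Return the discovery indicator this event matches, or None."""
    proc = event["process"]
    name = proc["name"].lower()
    args = [a.lower() for a in proc.get("args", [])]
    if name == "fsutil.exe" and "fsinfo" in args and "drives" in args:
        return "fsutil_fsinfo_drives"          # Turla ComRAT
    if name == "vssadmin.exe" and "list" in args and "volumes" in args:
        return "vssadmin_list_volumes"
    if name == "wmic.exe" and WMI_DEVICE_CLASSES & set(args):
        return "wmic_device_query"
    if name in ("powershell.exe", "pwsh.exe"):
        if any(p in " ".join(args) for p in PS_DEVICE_PATTERNS):
            return "powershell_device_query"
    if name == "cmd.exe":
        hit = CMD_BUILTINS & set(args)        # token match, so 'setup.exe' is not 'set'
        if hit:
            return "cmd_builtin_" + sorted(hit)[0]
    if name in DEVICE_EXES:
        return name.rsplit(".", 1)[0]
    return None


def hunt(events, window=timedelta(minutes=5), min_distinct=2):
    """Group hits per host+user and flag the first sliding window that holds
    at least `min_distinct` different indicators; lone hits never alert."""
    by_actor = defaultdict(list)
    for e in events:
        indicator = classify(e)
        if indicator:
            ts = datetime.strptime(e["@timestamp"], TIME_FMT)
            parent = e["process"].get("parent", {}).get("name", "")
            by_actor[(e["host"]["name"], e["user"]["name"])].append((ts, indicator, parent))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            kinds = {h[1] for h in in_window}
            if len(kinds) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": t0.isoformat(),
                               "indicators": sorted(kinds),
                               "parents": sorted({h[2] for h in in_window})})
                break                         # one triage line per actor is enough
    return alerts


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Only WS01/alice and WS03/carol come out, each with the parent processes of the chain attached so the triage list already shows that alice's enumeration was spawned by Word. Raise `min_distinct` to 3 and only the Word chain survives; the systeminfo/tasklist pair alone is too common to carry an alert on its own.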




-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

