Description
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Platforms
Threat Groups (9)
| ID | Group | Context |
|---|---|---|
| G0020 | Equation | [Equation](https://attack.mitre.org/groups/G0020) has used tools with the functionality to search for specific information about the attached hard dri... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bl... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) uses a module to receive a notification every time a USB mass storage device is inserted into a victim.... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used `fsutil fsinfo drives` to list connected drives.(Citation: ESET ComRAT May 2020) |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used tools to identify if a mouse is connected to a targeted system.(Citation: Check Point APT34 A... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for attached VGA devices using lspci.(Citation: Cisco Talos Intelligence Group) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has obtained victim's screen dimension and display device information.(Citation: CISA AA24-038A ... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have contained an application to check performance of USB flash drives. [Gamaredon Grou... |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has used an executable to detect removable media, such as USB flash drives.(Citation: ESET ... |
Associated Software (47)
| ID | Name | Type | Context |
|---|---|---|---|
| S1139 | INC Ransomware | Malware | [INC Ransomware](https://attack.mitre.org/software/S1139) can identify external USB and hard drives for encryption and printers to print ransom notes.... |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) can map UPnP ports.(Citation: Kaspersky Adwind Feb 2016) |
| S0538 | Crutch | Malware | [Crutch](https://attack.mitre.org/software/S0538) can monitor for removable drives being plugged into the compromised machine.(Citation: ESET Crutch D... |
| S1044 | FunnyDream | Malware | The [FunnyDream](https://attack.mitre.org/software/S1044) FilepakMonitor component can detect removable drive insertion.(Citation: Bitdefender FunnyDr... |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can monitor for removable drives.(Citation: Mandiant ROADSWEEP August 2022) |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) will attempt to detect if the victim system has a camera during the initial infection. [njRAT](https:... |
| S1026 | Mongall | Malware | [Mongall](https://attack.mitre.org/software/S1026) can identify removable media attached to compromised hosts.(Citation: SentinelOne Aoqin Dragon June... |
| S0113 | Prikormka | Malware | A module in [Prikormka](https://attack.mitre.org/software/S0113) collects information on available printers and disk drives.(Citation: ESET Operation ... |
| S0366 | WannaCry | Malware | [WannaCry](https://attack.mitre.org/software/S0366) contains a thread that will attempt to scan for new attached drives every few seconds. If one is i... |
| S0251 | Zebrocy | Malware | [Zebrocy](https://attack.mitre.org/software/S0251) enumerates information about connected storage devices.(Citation: Unit42 Cannon Nov 2018) |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) can obtain a list of smart card readers attached to the victim.(Citation: ESET RTM Feb 2017)(Citation: ... |
| S0644 | ObliqueRAT | Malware | [ObliqueRAT](https://attack.mitre.org/software/S0644) can discover pluggable/removable drives to extract files from.(Citation: Talos Oblique RAT March... |
| S0234 | Bandook | Malware | [Bandook](https://attack.mitre.org/software/S0234) can detect USB devices.(Citation: EFF Manul Aug 2016) |
| S1167 | AcidPour | Malware | [AcidPour](https://attack.mitre.org/software/S1167) includes functionality to identify MMC and SD cards connected to the victim device.(Citation: Sent... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can scan for removable media which may contain documents for collection.(Citation: Eset Ramsay May 2... |
| S0452 | USBferry | Malware | [USBferry](https://attack.mitre.org/software/S0452) can check for connected USB devices.(Citation: TrendMicro Tropic Trooper May 2020) |
| S0149 | MoonWind | Malware | [MoonWind](https://attack.mitre.org/software/S0149) obtains the number of removable drives from the victim.(Citation: Palo Alto MoonWind March 2017) |
| S0062 | DustySky | Malware | [DustySky](https://attack.mitre.org/software/S0062) can detect connected USB devices.(Citation: Kaspersky MoleRATs April 2019) |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) has a plugin that collects information about inserted storage devices, modems, and phone devices.(Cit... |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) can check for the number of devices plugged into an infected host.(Citation: HP SVCReady Jun 2022) |
References
- Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.
- SS64. (n.d.). system_profiler. Retrieved March 11, 2022.
Frequently Asked Questions
What is T1120 (Peripheral Device Discovery)?
T1120 is a MITRE ATT&CK technique named 'Peripheral Device Discovery'. It belongs to the Discovery tactic. Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macO...
How can T1120 be detected?
Detection of T1120 (Peripheral Device Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
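As a concrete form of the endpoint-telemetry monitoring described above, the following added example (not part of the ATT&CK entry) scans process-creation events for the enumeration commands this page names (`fsutil fsinfo drives`, `lspci`, `system_profiler`) and suppresses hits from expected parents. The event field names, the `lsusb` rule, the allowlist entries and the sample events are assumptions constructed for illustration.

```python
import json
import re

# Commands named on this page (fsutil, lspci, system_profiler); lsusb is an
# assumption based on the Linux reference title.
RULES = {
    "fsutil_drives": re.compile(r"(?<![\w.-])fsutil(\.exe)?\s+fsinfo\s+drives\b", re.I),
    "lspci": re.compile(r"(?<![\w.-])lspci(?![\w.-])"),
    "lsusb": re.compile(r"(?<![\w.-])lsusb(?![\w.-])"),
    "system_profiler": re.compile(r"(?<![\w.-])system_profiler(?![\w.-])"),
}
# Hypothetical allowlist: parent processes expected to inventory hardware.
EXPECTED_PARENTS = {"inventory-agent"}

def match_rules(cmdline):
    """Return the sorted names of all rules whose pattern occurs in cmdline."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def detect(log_lines, expected_parents=EXPECTED_PARENTS):
    """Alert on peripheral-enumeration commands run by unexpected parents."""
    alerts = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        hits = match_rules(ev.get("cmdline", ""))
        if hits and ev.get("parent") not in expected_parents:
            alerts.append({"host": ev.get("host"), "parent": ev.get("parent"), "rules": hits})
    return alerts

# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE = [
    '{"host":"ws01","parent":"cmd.exe","cmdline":"fsutil fsinfo drives"}',
    '{"host":"ws01","parent":"explorer.exe","cmdline":"notepad.exe fsutil-notes.txt"}',
    '{"host":"srv02","parent":"sh","cmdline":"lspci -v"}',
    '{"host":"srv02","parent":"inventory-agent","cmdline":"/usr/bin/lsusb -v"}',
    '{"host":"mac03","parent":"bash","cmdline":"system_profiler SPUSBDataType"}',
    'not json',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

These commands are also run by administrators and inventory tooling, so the parent allowlist needs tuning per environment before alerts from this logic are actionable.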
What mitigations exist for T1120?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1120?
Known threat groups using T1120 include: Equation, APT37, APT28, Turla, OilRig, TeamTNT, Volt Typhoon, Gamaredon Group.