Peripheral Device Discovery

Peripheral Device Discovery [T1120]

Information

Name: Peripheral Device Discovery
ID: T1120
Tactics:

Introduction

Peripheral Device Discovery (T1120) is a recognized technique within the MITRE ATT&CK framework under the Discovery tactic. Attackers utilize this technique to identify peripheral devices connected to compromised systems, such as USB drives, printers, webcams, microphones, and other external hardware. By enumerating these devices, adversaries gain valuable intelligence about the target environment, potentially enabling further exploitation, lateral movement, data exfiltration, or espionage operations.

Deep Dive Into Technique

Peripheral Device Discovery involves attackers enumerating external or peripheral hardware devices attached to compromised hosts. This enumeration typically leverages built-in operating system utilities or specialized command-line tools to identify and catalog connected peripherals.

Attackers commonly execute this technique using the following methods:

Windows-based Enumeration Methods:
- devicequery command via Windows Management Instrumentation Command-line (WMIC):
  wmic path Win32_PnPEntity get Caption, DeviceID, Manufacturer
- PowerShell commands:
  Get-PnpDevice -PresentOnly | Select-Object FriendlyName, InstanceId, Manufacturer
- Utilizing built-in Windows utilities such as Device Manager (devmgmt.msc) or querying the registry at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\
Linux-based Enumeration Methods:
- Listing connected USB devices using lsusb:
  lsusb
- Enumerating connected peripheral devices via dmesg or /var/log/syslog:
  dmesg | grep usb
- Inspecting device files under /dev:
  ls -l /dev | grep sd
macOS-based Enumeration Methods:
- Using system_profiler utility:
  system_profiler SPUSBDataType
- Checking connected devices via ioreg:
  ioreg -p IOUSB

Attackers might automate these commands within scripts or malware payloads to efficiently gather peripheral device information. Data collected typically includes device names, manufacturers, serial numbers, and connection types.

When this Technique is Usually Used

Peripheral Device Discovery is commonly employed during multiple stages of the attack lifecycle, including:

Initial Access and Reconnaissance:
- Attackers enumerate peripheral devices early in the attack lifecycle to gather information about potential entry points or exploitable hardware.
- Identifying external storage devices (USB drives, external HDDs) that may contain sensitive data or malware delivery paths.
Privilege Escalation and Persistence:
- Discovering peripheral devices that can be leveraged for privilege escalation, such as vulnerable driver installations or misconfigured devices.
- Identifying devices (e.g., printers, webcams, microphones) that attackers can misuse for surveillance or data theft.
Lateral Movement and Exfiltration:
- Enumerating connected external storage devices to identify targets for data exfiltration.
- Assessing hardware devices that can facilitate lateral movement, such as network adapters or Bluetooth devices.
Espionage and Surveillance Operations:
- Identifying webcams, microphones, or other surveillance-capable peripherals to enable covert monitoring and espionage.

How this Technique is Usually Detected

Detection of Peripheral Device Discovery involves monitoring and identifying enumeration activities through various methods, including:

Endpoint Detection and Response (EDR) Solutions:
- Monitoring command-line executions and scripts for suspicious enumeration commands such as wmic, lsusb, system_profiler, or PowerShell device queries.
- Detecting unusual system profiler queries or repeated enumeration attempts.
System Logging and Auditing:
- Enabling detailed logging of command-line executions, PowerShell scripts, and WMI activities.
- Analyzing logs for repeated enumeration activities or unauthorized device queries.
Network and Host-based Intrusion Detection Systems (IDS/HIDS):
- Identifying anomalous system calls or queries related to peripheral device enumeration.
- Alerting on unusual scripts or binaries performing device discovery.
Behavioral Analysis and Anomaly Detection:
- Establishing baseline behaviors for legitimate peripheral enumeration activities.
- Detecting deviations from established baselines, such as device queries from unusual user accounts or at unusual times.
Indicators of Compromise (IoCs):
- Suspicious scripts or binaries performing peripheral device enumeration.
- Unusual command-line arguments:
  - wmic path Win32_PnPEntity
  - Get-PnpDevice
  - system_profiler SPUSBDataType
  - lsusb, ioreg, or similar enumeration commands.
- Unexpected log entries in system audit logs related to peripheral enumeration.

Why it is Important to Detect This Technique

Early detection of Peripheral Device Discovery is crucial due to its potential impact on organizational security posture, including:

Data Exfiltration Risks:
- Attackers identifying external storage devices may use them to exfiltrate sensitive data, intellectual property, or personally identifiable information (PII).
Espionage and Surveillance Threats:
- Enumeration of webcams, microphones, and other surveillance-capable devices can lead to unauthorized monitoring and espionage activities, compromising privacy and confidentiality.
Privilege Escalation Opportunities:
- Attackers discovering vulnerable or misconfigured peripheral devices may exploit them to escalate privileges or maintain persistent access.
Lateral Movement Facilitation:
- Peripheral devices like network adapters or Bluetooth devices can provide attackers with opportunities to move laterally within the network.
Early Warning Indicator:
- Detecting peripheral enumeration activities can serve as an early warning indicator of compromise before attackers advance further in the attack lifecycle.

By promptly detecting Peripheral Device Discovery, organizations can proactively mitigate threats, limit attacker capabilities, and reduce overall risk exposure.

Examples

Real-world examples illustrating the use of Peripheral Device Discovery include:

Stuxnet Worm:
- Attack Scenario:
  - Stuxnet targeted Iranian nuclear facilities and enumerated peripheral devices to identify specific Siemens programmable logic controllers (PLCs).
- Tools and Techniques:
  - Custom malware components performing peripheral enumeration to detect connected PLCs.
- Impact:
  - Successful sabotage of centrifuges, causing physical damage and operational disruption.
DarkHotel APT Group:
- Attack Scenario:
  - DarkHotel attackers enumerated connected USB storage devices on hotel guest networks to identify potential targets for data theft.
- Tools and Techniques:
  - Leveraged built-in Windows utilities (wmic) and custom scripts for peripheral enumeration.
- Impact:
  - Theft of sensitive corporate and personal data from targeted executives and business travelers.
FIN7 Cybercrime Group:
- Attack Scenario:
  - FIN7 attackers enumerated peripheral devices to identify point-of-sale (POS) terminals and connected hardware devices in retail environments.
- Tools and Techniques:
  - Custom scripts and malware payloads employing peripheral device enumeration commands to identify POS hardware.
- Impact:
  - Massive financial fraud and theft of payment card data from compromised retail environments.
APT28 (Fancy Bear) Operations:
- Attack Scenario:
  - APT28 enumerated peripheral devices, including webcams and microphones, to conduct espionage operations against targeted individuals and organizations.
- Tools and Techniques:
  - Built-in operating system commands (system_profiler on macOS, lsusb on Linux) and custom malware payloads.
- Impact:
  - Unauthorized surveillance, espionage, and theft of sensitive information from targeted entities.

These examples demonstrate the broad applicability and significant impact of Peripheral Device Discovery across diverse attack scenarios, highlighting the importance of effective detection and mitigation strategies.

Last updated 1 month ago