AN0536: Analytic 0536
Drive enumeration using PowerShell (`Get-PSDrive`), `wmic logicaldisk`, or Win32 API indicative of local volume enumeration by non-admin users or executed outside of baseline system inventory scripts.
Analyst context for executives and security teams
This analytic is about spotting Windows drive enumeration that may fall outside normal administration or asset-inventory activity. For leaders, the value is not the command itself; it is whether the organization can distinguish routine endpoint management from unexpected discovery of local volumes by non-admin users. That distinction can support faster triage when such enumeration appears as an early sign of suspicious activity, before broader hands-on-keyboard investigation or data access follows.
Executive priority
Prioritize this as a coverage-validation item for Windows endpoint visibility and SOC triage quality. Security leaders should ask whether drive enumeration events from PowerShell, WMIC, and relevant Windows API-backed activity are logged, baselined, and reviewable against approved inventory scripts. The business decision value is in reducing ambiguity during incidents: if teams cannot separate authorized system inventory from unusual user-driven enumeration, investigations may be slower and audit evidence weaker.
Technical view
Validate Windows telemetry for execution of PowerShell `Get-PSDrive`, `wmic logicaldisk`, and other observable signs of local volume enumeration. Because no ATT&CK tactics or relationships are supplied and no official detection logic is provided, treat AN0536 as an analytic concept rather than a complete rule. SOC and detection teams should compare observed activity against known system inventory scripts, administrative tooling, service accounts, and expected user roles, paying particular attention to non-admin execution or execution outside approved baselines.
Likely telemetry
- Windows process creation telemetry for PowerShell and WMIC execution
- PowerShell logging where available, including command-line or script-block content that can show `Get-PSDrive` usage
- Endpoint detection telemetry that records command line, parent process, user context, and integrity/admin context
- Asset inventory or systems management job logs used to define approved baseline enumeration activity
- Windows security or endpoint logs that help distinguish interactive users, service accounts, and scheduled inventory tasks
Detection direction
- Build or validate logic around Windows drive enumeration using PowerShell `Get-PSDrive`, `wmic logicaldisk`, and API-backed endpoint detections where available.
- Baseline approved inventory scripts and systems management activity before alerting broadly, because legitimate administration can look similar.
- Prioritize review when enumeration is performed by non-admin users, unusual accounts, unexpected parent processes, or outside known inventory windows.
- Tune for context rather than command presence alone; false positives are likely from help desk, IT operations, backup, inventory, and compliance tooling.
- Document gaps where command-line, PowerShell, user context, or endpoint telemetry is not retained, because those gaps directly limit analytic usefulness.
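The technical view and the detection direction above both come down to one triage question: is the enumeration command running in a context that matches the inventory baseline, or not? The following is an added example of that logic, written for this page and not taken from AN0536, MITRE or Glexia. It runs over constructed, pipe-delimited process-creation records (fields loosely modelled on what Sysmon Event ID 1 or Windows 4688 with command-line auditing would provide), matches the two command patterns the analytic names, and grades each hit by how far its user, integrity level and parent process depart from a hypothetical baseline. The approved script paths, inventory accounts and expected parent processes are placeholders an organization would replace with its own.

```python
"""Triage Windows process-creation events for local drive enumeration.

Added example for AN0536; not official detection logic. Input records are
constructed 'Key=Value|Key=Value' lines (values must not contain '|'), with
the fields a SOC would normally have: User, Image, ParentImage,
IntegrityLevel, CommandLine and, where script-block logging exists,
ScriptBlockText. All baseline values below are hypothetical placeholders.
"""
import re
from dataclasses import dataclass, field

# Command-line / script-content patterns for the tooling named in AN0536.
ENUMERATION_PATTERNS = {
    "powershell_get_psdrive": re.compile(r"\bGet-PSDrive\b", re.IGNORECASE),
    "wmic_logicaldisk": re.compile(r"\bwmic(?:\.exe)?\b.*\blogicaldisk\b", re.IGNORECASE),
}

# Hypothetical baseline (replace with the organization's own inventory data).
APPROVED_INVENTORY_SCRIPTS = {r"c:\programdata\inventory\collect-assets.ps1"}
APPROVED_INVENTORY_ACCOUNTS = {r"nt authority\system", r"corp\svc-inventory"}
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "cmd.exe"}
ADMIN_INTEGRITY_LEVELS = {"high", "system"}


@dataclass
class Finding:
    user: str
    technique: str
    severity: str  # baseline | low | medium | high
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict (values may contain '=')."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def classify(event):
    """Return a Finding for an enumeration event, or None when no enumeration tooling is seen."""
    cmd = event.get("CommandLine", "")
    # Script-block logging can reveal Get-PSDrive even when the command line only names a .ps1 file.
    searchable = cmd + " " + event.get("ScriptBlockText", "")
    technique = next((n for n, p in ENUMERATION_PATTERNS.items() if p.search(searchable)), None)
    if technique is None:
        return None

    user = event.get("User", "").lower()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    integrity = event.get("IntegrityLevel", "").lower()
    cmd_lower = cmd.lower()

    # Approved inventory job: a known script launched by a known inventory account.
    if user in APPROVED_INVENTORY_ACCOUNTS and any(s in cmd_lower for s in APPROVED_INVENTORY_SCRIPTS):
        return Finding(user, technique, "baseline", ["approved inventory script and account"])

    reasons = []
    if integrity not in ADMIN_INTEGRITY_LEVELS:
        reasons.append("non-admin integrity level")
    if user not in APPROVED_INVENTORY_ACCOUNTS:
        reasons.append("account outside inventory baseline")
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")

    # Severity follows how much context departs from baseline, not the
    # mere presence of the command (the analytic's false-positive caveat).
    severity = {0: "low", 1: "medium"}.get(len(reasons), "high")
    return Finding(user, technique, severity, reasons)


def triage(lines):
    """Classify every record and keep only those that show enumeration tooling."""
    findings = [classify(parse_event(line)) for line in lines if line.strip()]
    return [f for f in findings if f is not None]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    r"User=NT AUTHORITY\SYSTEM|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\System32\svchost.exe|IntegrityLevel=System"
    r"|CommandLine=powershell.exe -File C:\ProgramData\Inventory\collect-assets.ps1"
    r"|ScriptBlockText=Get-PSDrive -PSProvider FileSystem",
    r"User=CORP\jdoe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|IntegrityLevel=Medium"
    r"|CommandLine=powershell.exe -Command Get-PSDrive -PSProvider FileSystem",
    r"User=CORP\jsmith-adm|Image=C:\Windows\System32\wbem\WMIC.exe"
    r"|ParentImage=C:\Windows\System32\cmd.exe|IntegrityLevel=High"
    r"|CommandLine=wmic logicaldisk get caption,size,freespace",
    r"User=CORP\jdoe|Image=C:\Windows\System32\notepad.exe"
    r"|ParentImage=C:\Windows\explorer.exe|IntegrityLevel=Medium"
    r"|CommandLine=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.user:22} {f.technique:24} {'; '.join(f.reasons)}")
```

On the sample data the SYSTEM-run inventory script grades as `baseline`, the Medium-integrity `Get-PSDrive` launched from a Word parent as `high`, and the elevated `wmic logicaldisk` from an admin's shell as `medium` (only the account is outside the inventory baseline); the notepad event is dropped. The design point is that the command match alone never produces an alert grade: the user, integrity and parent fields the telemetry list calls for are what separate review-worthy events from help-desk and inventory noise, and a record that lacks those fields would land in the "low" bucket by default, which is exactly the telemetry gap the last bullet says to document.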
Mitigation priorities
- Maintain an approved baseline of Windows inventory and administration scripts that legitimately enumerate drives.
- Restrict and monitor unnecessary use of scripting and legacy administrative tools according to role and business need.
- Ensure endpoint logging captures process, command-line, user, parent process, and PowerShell details sufficient for triage.
- Review non-admin users and service accounts that can execute enumeration tooling in sensitive environments.
- Use this analytic as a validation point in SOC readiness and incident response exercises rather than as a standalone control.
Analyst notes and limits
AN0536 is a detection analytic for Windows drive enumeration, not a full ATT&CK technique entry. The supplied object has no tactics, no relationship context, and no official detection text beyond the description. The strongest use is to test whether local environment baselines and endpoint telemetry can distinguish normal inventory behavior from unusual enumeration.
This take is limited to the supplied official fields. It does not establish adversary attribution, active exploitation, impact, or guaranteed detection coverage. Local tuning requires organization-specific inventory scripts, administrative practices, endpoint logging configuration, and account-role context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6be8e28469de… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0536
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.