AN1353: Analytic 1353
Suspicious enumeration of attached peripherals via WMI, PowerShell, or low-level API calls potentially chained with removable device interactions.
Analyst context for executives and security teams
This analytic is about spotting suspicious discovery of peripherals attached to Windows systems, especially when enumeration through WMI, PowerShell, or low-level API calls appears connected to removable device activity. For leaders, the practical issue is visibility: if an attacker or unauthorized tool is checking what devices are connected, the organization may need to understand whether endpoint logging can prove what was queried, by whom, and whether removable media was involved.
Executive priority
Prioritize this as a Windows endpoint visibility and incident readiness question rather than a standalone high-confidence threat indicator. It can support investigations involving removable media, data handling, insider-risk scenarios, or cyber-physical environments where attached peripherals matter. Executives should ask whether SOC and IR teams can reconstruct peripheral enumeration and removable device interactions with enough evidence for containment decisions, compliance questions, and post-incident review.
Technical view
Validate whether Windows telemetry captures process execution and command-line detail for WMI and PowerShell activity, plus evidence of low-level API-driven enumeration where available. Because no official detection logic or ATT&CK relationships are supplied, teams should treat this as a detection concept: correlate peripheral enumeration behavior with removable device events, parent process context, user context, host role, and timing. Tune carefully for legitimate inventory, device management, helpdesk, and endpoint security tooling.
Likely telemetry
- Windows process creation events with command-line arguments
- PowerShell execution logs and script block/module logging where enabled
- WMI activity logs or telemetry showing queries against device/peripheral classes
- Endpoint detection telemetry for API-level device enumeration where available
- Removable device connection, mount, or access events
Detection direction
- Confirm visibility for WMI and PowerShell-based peripheral enumeration on Windows endpoints.
- Correlate enumeration with removable device connection or interaction events instead of alerting on enumeration alone where legitimate administration is common.
- Baseline known inventory, asset management, helpdesk, and security tools that enumerate peripherals to reduce false positives.
- Review parent processes, execution paths, user roles, host criticality, and timing to distinguish routine management from suspicious activity.
- Identify blind spots where PowerShell logging, WMI telemetry, removable media auditing, or EDR API visibility is absent.
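A minimal correlation pass over constructed telemetry, added here as an illustration of the direction above (not part of the ATT&CK object or Glexia's analysis); the event schema, the baseline parent image, the time window and the sample records are this example's assumptions:

```python
import re
from datetime import datetime

# Command-line markers of peripheral enumeration. The WMI classes and cmdlets
# are real Windows names; which ones to watch is this example's assumption.
ENUM_RE = re.compile(
    r"Win32_PnPEntity|Win32_USBHub|Win32_USBControllerDevice|Win32_DiskDrive"
    r"|Win32_LogicalDisk|Get-PnpDevice|Get-Disk|Get-Volume",
    re.IGNORECASE,
)
# Parent images treated as approved inventory tooling (constructed placeholder).
BASELINE_PARENTS = {"asset_inventory.exe"}

def is_enumeration(cmd: str) -> bool:
    """True when a process command line queries device/peripheral classes."""
    return ENUM_RE.search(cmd) is not None

def correlate(events, window_s=600):
    """Pair non-baseline enumeration processes with a removable-device event on
    the same host within +/- window_s seconds (either order counts)."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    devices = [e for e in events if e["kind"] == "device"]
    findings = []
    for e in events:
        if e["kind"] != "proc" or not is_enumeration(e["cmd"]):
            continue
        if e["parent"].lower() in BASELINE_PARENTS:
            continue  # known management tool: suppress rather than alert
        for d in devices:
            if d["host"] == e["host"] and abs((ts(d) - ts(e)).total_seconds()) <= window_s:
                findings.append({"host": e["host"], "user": e["user"],
                                 "cmd": e["cmd"], "device": d["detail"]})
                break
    return findings

# Constructed sample telemetry (not real events): process-creation records with
# command line and parent image, plus removable-device recognition records.
EVENTS = [
    {"kind": "proc", "host": "WS01", "ts": "2024-05-01T09:00:05", "user": "CORP\\jdoe",
     "parent": "explorer.exe", "cmd": "powershell.exe -c Get-WmiObject Win32_PnPEntity"},
    {"kind": "device", "host": "WS01", "ts": "2024-05-01T09:01:30",
     "detail": "USB Mass Storage Device recognized"},
    {"kind": "proc", "host": "WS02", "ts": "2024-05-01T10:00:00", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "asset_inventory.exe", "cmd": "wmic path Win32_USBControllerDevice get Dependent"},
    {"kind": "device", "host": "WS02", "ts": "2024-05-01T10:02:00",
     "detail": "USB Mass Storage Device recognized"},
    {"kind": "proc", "host": "WS03", "ts": "2024-05-01T11:00:00", "user": "CORP\\asmith",
     "parent": "cmd.exe", "cmd": "powershell.exe -c Get-PnpDevice -PresentOnly"},
]
```

Only WS01 is surfaced: WS02's enumeration comes from the baselined inventory tool and WS03 has no removable-device event within the window.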
Mitigation priorities
- Ensure endpoint logging is configured to retain sufficient Windows process, PowerShell, WMI, and removable device evidence for investigations.
- Define policy and monitoring expectations for removable media use, especially on sensitive or operationally critical Windows systems.
- Harden and monitor administrative scripting paths so WMI and PowerShell use can be attributed to authorized users and tools.
- Use investigation playbooks that connect peripheral enumeration, removable device activity, user intent, and data handling evidence before escalation.
- Document telemetry coverage and exceptions as compliance and incident readiness evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows with a concise description only. It does not include official detection logic, mapped tactics, mapped techniques, data components, mitigations, or relationship context. The most defensible use is to guide validation of telemetry and correlation around peripheral enumeration and removable device interactions.
This take is limited to the official STIX fields, the MITRE external reference, and the absence of relationships. It does not establish active exploitation, adversary attribution, impact, or guaranteed detectability. Local logging configuration, endpoint tooling, removable media policy, and normal administrative behavior are required to determine practical coverage and alert value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 223d1f628195… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1353 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.