DET0491: Peripheral Device Enumeration via System Utilities and API Calls
Analyst context for executives and security teams
DET0491 is a detection strategy for spotting attempts to enumerate peripheral devices through system utilities and API calls. The business value is not just finding device inventory commands; it is identifying when an actor is building situational awareness about attached resources such as removable storage, printers, cameras, keyboards, or smart card readers. That matters because peripheral awareness can shape follow-on decisions during an intrusion, especially in environments where removable media, identity devices, or cyber-physical peripherals affect operations.
Executive priority
Treat this as a coverage question for discovery behavior across endpoints. Leaders should ask whether SOC and IR teams can prove visibility into peripheral discovery on systems where attached devices create operational, identity, data-loss, or compliance risk. Priority is highest where removable storage, smart card readers, cameras, printers, or other attached devices are material to business operations or regulated workflows.
Technical view
The supplied ATT&CK relationship states that DET0491 detects T1120 Peripheral Device Discovery, a discovery technique across Linux, macOS, and Windows. Because the detection strategy object itself has no official detection text and no platform field, teams should validate coverage against the related technique rather than assume a complete analytic exists. Practical validation should focus on whether endpoint telemetry captures system utility execution, command-line context, and relevant API or OS-level device enumeration activity associated with peripheral discovery.
Likely telemetry
- Endpoint process creation events for system utilities used to inspect attached devices
- Command-line arguments and parent/child process context for enumeration activity
- OS or EDR telemetry showing API calls or system interfaces used for device enumeration
- Hardware, USB, removable storage, printer, camera, smart card reader, or other peripheral inventory/change events where available
- User, host, and session context to distinguish administrative inventory activity from unusual discovery
Detection direction
- Map detections to T1120 Peripheral Device Discovery and test across Linux, macOS, and Windows where those platforms are in scope.
- Tune for unusual peripheral enumeration by non-administrative users, unexpected processes, scripts, or activity occurring outside normal IT inventory workflows.
- Correlate enumeration with surrounding discovery behavior, removable media access, privilege context, or suspicious process lineage rather than alerting only on a single benign utility name.
- Account for false positives from asset inventory, device management, help desk troubleshooting, print support, endpoint management, and compliance scanning.
- Identify blind spots where command-line logging, endpoint API telemetry, or peripheral inventory events are not collected or are unavailable on specific operating systems.
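The telemetry list and detection direction above can be turned into a small analytic. The following is an added example, not MITRE's or Glexia's detection logic for DET0491: it scores process-creation events that match peripheral-enumeration utilities on Windows, Linux and macOS, suppresses events from assumed management agents, raises the score for non-administrative users and unexpected parent processes, and adds a point when other discovery commands from the same host and user fall inside a short window. The event field layout, the allowlists, the set of utilities watched and every sample event are assumptions constructed for illustration; the utilities themselves are real commands.

```python
"""Toy T1120 analytic: score peripheral-enumeration commands from process-creation events.

Added example, not MITRE's or Glexia's detection logic for DET0491. Field names,
the utility patterns chosen, the allowlists and every sample event are
assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities and API wrappers that enumerate attached devices. The commands are
# real; which ones to watch is this example's choice (an assumption).
PERIPHERAL_ENUM_PATTERNS = [
    (r"\bwmic\b.*\b(diskdrive|path\s+win32_pnpentity|printer)\b", "windows"),
    (r"\bget-pnpdevice\b", "windows"),
    (r"\bget-(wmiobject|ciminstance)\b.*\bwin32_(diskdrive|pnpentity|printer)\b", "windows"),
    (r"\bpnputil\b.*/enum-devices\b", "windows"),
    (r"\bfsutil\s+fsinfo\s+drives\b", "windows"),
    (r"\b(lsusb|lspci|lsblk|lshw)\b", "linux"),
    (r"\bfdisk\s+-l\b", "linux"),
    (r"\bsystem_profiler\b.*\bsp(usb|pci|printers|camera|smartcards)datatype\b", "macos"),
    (r"\bioreg\b", "macos"),
]
# Surrounding discovery commands that raise suspicion when they occur close to
# peripheral enumeration on the same host and user (assumed set).
OTHER_DISCOVERY = re.compile(
    r"\b(whoami|uname|systeminfo|ipconfig|ifconfig|hostname|net\s+(user|group|view))\b",
    re.IGNORECASE,
)
# Assumed local baseline: inventory identities and management agents that
# legitimately enumerate peripherals, and parents that normally should not.
ADMIN_USERS = {"svc-inventory", "helpdesk-ops", "admin-ops", "root"}
MANAGEMENT_PARENTS = {"inventoryagent.exe", "osqueryd"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def matches_peripheral_enum(cmdline):
    """Return the platform tag of the first pattern the command line matches, or None."""
    for pattern, platform in PERIPHERAL_ENUM_PATTERNS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            return platform
    return None


def detect_peripheral_discovery(events, window=timedelta(minutes=10), threshold=3):
    """Score each peripheral-enumeration event by user, parent and nearby discovery.

    Returns alerts (score >= threshold) in timestamp order, each with its reasons.
    Events from management parents are suppressed rather than scored.
    """
    events = sorted(events, key=lambda e: e["ts"])
    by_actor = defaultdict(list)  # (host, user) -> events, used for correlation
    for e in events:
        by_actor[(e["host"], e["user"])].append(e)

    alerts = []
    for e in events:
        platform = matches_peripheral_enum(e["cmdline"])
        if platform is None:
            continue
        parent = e["parent"].lower()
        if parent in MANAGEMENT_PARENTS:
            continue  # expected inventory workflow; the raw event stays in the log
        score, reasons = 1, [f"peripheral enumeration ({platform}): {e['cmdline']}"]
        if e["user"] not in ADMIN_USERS:
            score += 2
            reasons.append(f"non-administrative user {e['user']}")
        if parent in SUSPICIOUS_PARENTS:
            score += 2
            reasons.append(f"unexpected parent {e['parent']}")
        ts = datetime.fromisoformat(e["ts"])
        nearby = [
            o["cmdline"] for o in by_actor[(e["host"], e["user"])]
            if o is not e and OTHER_DISCOVERY.search(o["cmdline"])
            and abs(datetime.fromisoformat(o["ts"]) - ts) <= window
        ]
        if nearby:
            score += 1
            reasons.append(f"correlated discovery within {window}: {nearby}")
        if score >= threshold:
            alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-01-15T08:55:00", "host": "WS-FIN-07", "user": "svc-inventory",
     "parent": "InventoryAgent.exe", "cmdline": "wmic path win32_pnpentity get name,deviceid"},
    {"ts": "2026-01-15T09:00:00", "host": "web-01", "user": "www-data",
     "parent": "sh", "cmdline": "whoami"},
    {"ts": "2026-01-15T09:01:00", "host": "web-01", "user": "www-data",
     "parent": "sh", "cmdline": "uname -a"},
    {"ts": "2026-01-15T09:05:00", "host": "WS-FIN-12", "user": "jdoe",
     "parent": "WINWORD.EXE", "cmdline": "powershell.exe -nop -w hidden Get-PnpDevice -PresentOnly"},
    {"ts": "2026-01-15T09:07:00", "host": "web-01", "user": "www-data",
     "parent": "sh", "cmdline": "lsusb -v"},
    {"ts": "2026-01-15T09:30:00", "host": "mac-ops-3", "user": "admin-ops",
     "parent": "Terminal", "cmdline": "system_profiler SPUSBDataType"},
]

if __name__ == "__main__":
    for alert in detect_peripheral_discovery(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["user"], alert["score"], *alert["reasons"], sep=" | ")
```

On the constructed sample, the inventory agent's `wmic` query is suppressed, the `system_profiler` run by an allowlisted administrator scores too low to alert, and two alerts fire: the Office-spawned `Get-PnpDevice` (non-admin user plus unexpected parent) and the `lsusb` from `www-data` (non-admin user plus `whoami` and `uname -a` in the preceding minutes). The thresholds and allowlists are the part that must come from the local baseline; the value of the pattern list is that it covers the utility names across all three platforms T1120 is mapped to, so a gap in command-line logging on one of them shows up as a platform with no matches rather than as silence.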
Mitigation priorities
- First, establish an authoritative baseline of expected peripheral inventory and administrative enumeration workflows.
- Ensure endpoint logging and EDR policies retain process, command-line, user, and device-change context needed for investigation.
- Limit unnecessary access to sensitive peripherals such as removable storage or identity-related devices where business policy allows.
- Use allowlisting, device control, or administrative privilege governance where peripheral misuse would create material operational or compliance risk.
- Document detection coverage and known gaps as compliance and incident response evidence, especially for systems with sensitive attached devices.
Analyst notes and limits
The object is a detection strategy, not a technique. No official MITRE description, detection logic, data sources, platforms, tactics, or detailed analytic conditions were supplied for DET0491; the most useful context comes from its relationship to T1120 Peripheral Device Discovery and from the strategy name, which references system utilities and API calls. Platform references (Linux, macOS, Windows) come from the related T1120 technique, not from the detection strategy object itself. Local baselines are essential because legitimate IT operations commonly enumerate peripherals. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage.
Peripheral Device Enumeration via System Utilities and API Calls
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1120 | Peripheral Device Discovery | This object detects Peripheral Device Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f25850269b39… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0491
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.