1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", 6 "from": "now-9m", 7 "index": [ 8 "winlogbeat-*", 9 "logs-endpoint.events.*", 10 "logs-windows.*" 11 ], 12 "language": "eql", 13 "license": "Elastic License v2", 14 "name": "Peripheral Device Discovery", 15 "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n process.args : \"fsinfo\" and process.args : \"drives\"\n", 16 "risk_score": 21, 17 "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", 18 "severity": "low", 19 "tags": [ 20 "Elastic", 21 "Host", 22 "Windows", 23 "Threat Detection", 24 "Discovery" 25 ], 26 "threat": [ 27 { 28 "framework": "MITRE ATT&CK", 29 "tactic": { 30 "id": "TA0007", 31 "name": "Discovery", 32 "reference": "https://attack.mitre.org/tactics/TA0007/" 33 }, 34 "technique": [ 35 { 36 "id": "T1120", 37 "name": "Peripheral Device Discovery", 38 "reference": "https://attack.mitre.org/techniques/T1120/" 39 } 40 ] 41 } 42 ], 43 "timestamp_override": "event.ingested", 44 "type": "eql", 45 "version": 3 46} 47