MITRE ATT&CK® Analytic

AN0185: Analytic 0185

Chain: (1) a new external device is recognized by Windows (USB/Thunderbolt/PCIe) or a new block device appears; (2) within a short window, the same user/session spawns processes or the OS mounts a new volume; (3) optional follow-on activity such as HID keystroke injection, DMA driver load, or new network interface MAC on DHCP. Correlate Security EID 6416 / Kernel-PnP with sysmon and DHCP/network metadata.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0185 is a Windows-focused detection analytic for spotting the operational moment when a newly connected external device is recognized and quickly leads to activity such as process execution, volume mounting, possible HID keystroke injection, DMA-related driver loading, or a new network interface appearing on DHCP. For leaders, the value is not the device event alone; it is whether the organization can correlate endpoint and network evidence fast enough to distinguish normal peripheral use from device-driven intrusion risk.

Executive priority

Prioritize this analytic where unmanaged peripherals, removable media, docking stations, Thunderbolt/PCIe devices, or temporary network adapters could affect business continuity, incident containment, or compliance evidence. Executives should ask whether Windows device events, endpoint process telemetry, and DHCP/network metadata are retained and correlated by user/session. Without that correlation, SOC and IR teams may see isolated device or process events but miss the short-window chain that makes the behavior material.

Technical view

Validate coverage on Windows by correlating new external device recognition or new block device appearance with near-term process spawning or OS volume mounting by the same user/session. Where available, enrich with follow-on indicators named in the analytic: HID-like keystroke activity, DMA driver load, or a new network interface MAC observed through DHCP/network metadata. The supplied ATT&CK object does not define tactics or a separate detection procedure, so implementation should be treated as a correlation analytic requiring local baselining of normal device onboarding, helpdesk activity, docking behavior, and authorized removable storage usage.

Likely telemetry

  • Windows Security Event ID 6416 device recognition events
  • Windows Kernel-PnP events
  • Sysmon endpoint telemetry, especially process creation and device-related context where configured
  • Windows volume mount or new block device evidence
  • DHCP logs showing new network interface MAC activity

Detection direction

  • Confirm the SOC can correlate device recognition, volume mount, process creation, and DHCP/network metadata within a short time window by the same user or session.
  • Tune for high-noise business workflows such as docking stations, approved USB storage, hardware refreshes, conference-room peripherals, and IT support activity.
  • Prioritize alerts where the device event is followed by process execution, new volume mounting, new network interface DHCP activity, or driver-load behavior rather than alerting on every new device alone.
  • Validate blind spots around endpoints without Sysmon or equivalent process telemetry, missing Windows Security EID 6416 collection, incomplete Kernel-PnP visibility, and DHCP logs not mapped back to host/user context.
  • Because no ATT&CK relationships are supplied, avoid assuming a specific technique, campaign, actor, or impact path without local evidence.
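The correlation chain described in the technical view and detection direction above, as an added Python example that is not part of the ATT&CK object or the Glexia analysis: it runs over constructed, normalized events from the sources the analytic names and emits a finding only when a device-recognition event (Security EID 6416 or Kernel-PnP) is followed, within a short window and for the same host and session, by process creation (Sysmon EID 1), a volume mount, a driver load, or new DHCP activity. The event schema, hostnames, user names, and MAC address are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, normalized from the log sources the analytic
# names (Security EID 6416, Kernel-PnP, Sysmon EID 1, volume mount, DHCP).
# These are not real telemetry; hosts, users and the MAC are made up.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "WS01", "session": "alice", "src": "Security:6416", "detail": "USB\\VID_0000&PID_0000"},
    {"ts": "2024-01-10T09:00:03", "host": "WS01", "session": "alice", "src": "Kernel-PnP", "detail": "device configured"},
    {"ts": "2024-01-10T09:00:12", "host": "WS01", "session": "alice", "src": "Sysmon:1", "detail": "powershell.exe"},
    {"ts": "2024-01-10T09:00:20", "host": "WS01", "session": "alice", "src": "DHCP", "detail": "new lease for MAC 02:00:00:00:00:01"},
    {"ts": "2024-01-10T10:00:00", "host": "WS02", "session": "bob", "src": "Security:6416", "detail": "docking station"},
    {"ts": "2024-01-10T10:45:00", "host": "WS02", "session": "bob", "src": "Sysmon:1", "detail": "outlook.exe"},
]

DEVICE_SOURCES = {"Security:6416", "Kernel-PnP"}               # stage 1: new device
FOLLOW_ON = {"Sysmon:1", "VolumeMount", "DriverLoad", "DHCP"}  # stages 2 and 3

def correlate(events, window_seconds=60):
    """Emit one finding per device-recognition event that is followed, within
    window_seconds and on the same host/session, by a follow-on event.
    Kernel-PnP events that fall inside an already-open chain are absorbed into
    it rather than starting a second finding for the same plug-in."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as strings
    covered = set()
    findings = []
    for i, dev in enumerate(ordered):
        if dev["src"] not in DEVICE_SOURCES or i in covered:
            continue
        t0 = datetime.fromisoformat(dev["ts"])
        follow = []
        for j in range(i + 1, len(ordered)):
            ev = ordered[j]
            if datetime.fromisoformat(ev["ts"]) - t0 > timedelta(seconds=window_seconds):
                break  # outside the window; later events are even later
            if (ev["host"], ev["session"]) != (dev["host"], dev["session"]):
                continue  # the chain must stay within one host/session
            if ev["src"] in DEVICE_SOURCES:
                covered.add(j)  # same plug-in seen by a second device source
            elif ev["src"] in FOLLOW_ON:
                follow.append(ev["src"])
        if follow:
            findings.append({"host": dev["host"], "session": dev["session"],
                             "device": dev["detail"], "follow_on": sorted(set(follow)),
                             # more distinct follow-on stages means a higher priority
                             "priority": "high" if len(set(follow)) > 1 else "medium"})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

With the 60-second default only the WS01 chain fires; the WS02 docking-station event followed 45 minutes later by a mail client is the kind of routine activity the baseline should suppress, and it surfaces only if the window is widened to an hour.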

Mitigation priorities

  • Establish or review policy for authorized external devices, removable media, docking/Thunderbolt/PCIe use, and temporary network adapters.
  • Ensure Windows endpoint logging and DHCP/network metadata retention are sufficient for incident reconstruction.
  • Where business requirements allow, apply device control and least-privilege policies to reduce unauthorized peripheral use and driver-loading exposure.
  • Document approved hardware workflows so SOC teams can suppress expected activity while preserving visibility into unusual device-to-process chains.
  • Include this scenario in incident response playbooks so analysts know how to collect host, user/session, mounted-volume, driver, and DHCP evidence during triage.

Analyst notes and limits

The main decision value is correlation: a new device event is common, but a new device followed quickly by process execution, mounting, driver activity, or DHCP appearance can justify investigation. This analytic is especially useful for validating whether endpoint and network teams share enough context for device-originated incidents.

The supplied ATT&CK object has no tactics, no relationship context, and no official detection text beyond the analytic description. It supports Windows only. Local baselines, retention settings, and approved peripheral inventories are required before severity, coverage, or false-positive expectations can be determined.

Official MITRE ATT&CK definition

Analytic 0185

Chain: (1) a new external device is recognized by Windows (USB/Thunderbolt/PCIe) or a new block device appears; (2) within a short window, the same user/session spawns processes or the OS mounts a new volume; (3) optional follow-on activity such as HID keystroke injection, DMA driver load, or new network interface MAC on DHCP. Correlate Security EID 6416 / Kernel-PnP with sysmon and DHCP/network metadata.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK release: 19.1
Object version: 1.0

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.