MITRE ATT&CK® Analytic

AN0187: Analytic 0187

Chain: (1) unified logs report IOUSBHost/IOThunderbolt device arrival; (2) diskarbitrationd attaches a new volume; (3) optional: config profile manipulation or new network interface MAC obtains a lease. Correlate unifiedlogs (subsystems: IOUSBHost, IOKit, diskarbitrationd), FSEvents, and DHCP/Zeek.

Enterprise | AN0187 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0187 is a macOS detection analytic for recognizing when a new USB or Thunderbolt device appears, a volume is mounted, and, in some cases, related configuration profile or network-interface activity follows. For security leaders, the value is not that every device insertion is malicious; it is that removable and high-speed peripheral activity can change endpoint state, introduce new storage, or create a new network path. This makes it important for environments where macOS systems handle sensitive data, regulated workflows, or operationally important functions.

Executive priority

Prioritize this analytic where macOS endpoints are in scope for data protection, insider-risk monitoring, incident response readiness, or compliance evidence around removable media and endpoint change control. Leaders should ask whether the organization can prove when external devices are connected, when new volumes mount, and whether a new network interface receives a lease. The decision value is coverage validation: if unified logs, file-system events, and DHCP or Zeek evidence are not retained and correlated, investigations may lack the timeline needed to distinguish routine peripheral use from suspicious endpoint change activity.

Technical view

Validate collection and correlation across the data sources named in the analytic: macOS unified logs for IOUSBHost, IOKit, IOThunderbolt, and diskarbitrationd activity; FSEvents for file-system changes around mounted volumes; and DHCP or Zeek records for a newly introduced network interface obtaining a lease. Because no ATT&CK tactic or relationship context is supplied, treat AN0187 as a detection-building block rather than a complete behavior story. SOC teams should tune around normal device workflows, known enterprise peripherals, approved storage devices, and expected network adapters while preserving high-fidelity timelines for unusual device arrival plus mount plus network or profile-change sequences.

Likely telemetry

  • macOS unified logs from IOUSBHost, IOKit, IOThunderbolt, and diskarbitrationd
  • Disk arbitration or volume mount events for newly attached media
  • FSEvents showing file-system activity on newly mounted volumes
  • DHCP lease records for new network interface MAC addresses
  • Zeek network metadata where available for new interface activity

Detection direction

  • Confirm that macOS unified logs are collected with enough retention to reconstruct device arrival and volume attachment timelines.
  • Correlate device arrival events with diskarbitrationd volume attach events rather than alerting on isolated peripheral activity alone.
  • Where available, enrich with FSEvents to identify whether a mounted volume was accessed or changed after attachment.
  • Validate DHCP or Zeek visibility for new network interface MAC addresses, especially where USB or Thunderbolt network adapters are allowed.
  • Tune expected noise from approved peripherals, docking stations, external drives, and normal IT support activity.
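The correlation described in the Technical view and in the Detection direction list above, as an added example that is not part of the MITRE object or of the Glexia page: a Python script that runs the chain over constructed records. The unified-log records are loosely modeled on the keys `log show --style json` emits (`timestamp`, `subsystem`, `processImagePath`, `eventMessage`) with a `host` field added the way a log shipper would; the subsystem strings, the diskarbitrationd image path, the 120-second window and the approved-MAC baseline are assumptions. It goes slightly beyond the page's chain in one respect: a device arrival is never alerted on alone, a diskarbitrationd mount inside the window makes an arrival-plus-mount chain, and a DHCP ACK for a MAC outside the baseline inside the window raises the score whether or not a volume mounted, which is the shape a USB or Thunderbolt network adapter produces.

```python
"""Correlate macOS device arrival, volume attach and DHCP lease evidence into chains.

Constructed example for AN0187-style detection: sample records, subsystem strings,
the time window and the MAC baseline are assumptions, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ARRIVAL_SUBSYSTEMS = ("IOUSBHost", "IOThunderbolt")  # matched as substrings (assumed)
DISKARB_IMAGE = "/usr/libexec/diskarbitrationd"     # diskarbitrationd process image path
WINDOW_SECONDS = 120                                 # arrival -> mount/lease tolerance (assumed)


def epoch(iso: str) -> float:
    """ISO-8601 timestamp with offset to epoch seconds (Zeek uses epoch floats)."""
    return datetime.fromisoformat(iso).timestamp()


# Constructed unified-log records, loosely modeled on `log show --style json` keys,
# plus a "host" field a log shipper would add.
UNIFIED_LOG = [
    {"host": "mac-01", "timestamp": "2025-03-10T10:00:00+00:00",
     "subsystem": "com.apple.iokit.IOUSBHost", "processImagePath": "/kernel",
     "eventMessage": "USB device attached (mass storage interface)"},
    {"host": "mac-04", "timestamp": "2025-03-10T10:00:02+00:00",  # decoy: mount on another host
     "subsystem": "com.apple.DiskArbitration", "processImagePath": DISKARB_IMAGE,
     "eventMessage": "mounted /Volumes/BACKUP"},
    {"host": "mac-01", "timestamp": "2025-03-10T10:00:03+00:00",
     "subsystem": "com.apple.DiskArbitration", "processImagePath": DISKARB_IMAGE,
     "eventMessage": "mounted /Volumes/UNTITLED"},
    {"host": "mac-02", "timestamp": "2025-03-10T11:00:00+00:00",
     "subsystem": "com.apple.iokit.IOThunderbolt", "processImagePath": "/kernel",
     "eventMessage": "Thunderbolt device attached"},
    {"host": "mac-02", "timestamp": "2025-03-10T11:00:05+00:00",
     "subsystem": "com.apple.DiskArbitration", "processImagePath": DISKARB_IMAGE,
     "eventMessage": "mounted /Volumes/TB_SSD"},
    {"host": "mac-03", "timestamp": "2025-03-10T12:00:00+00:00",
     "subsystem": "com.apple.iokit.IOUSBHost", "processImagePath": "/kernel",
     "eventMessage": "USB device attached (docking station)"},
]

# Constructed Zeek dhcp.log records (real dhcp.log field names, invented values).
DHCP_LOG = [
    {"ts": epoch("2025-03-10T11:00:20+00:00"), "mac": "aa:bb:cc:00:00:02",
     "assigned_addr": "10.1.1.52", "host_name": "mac-02",
     "msg_types": ["DISCOVER", "OFFER", "REQUEST", "ACK"]},
    {"ts": epoch("2025-03-10T12:00:10+00:00"), "mac": "00:11:22:33:44:55",
     "assigned_addr": "10.1.1.53", "host_name": "mac-03",
     "msg_types": ["REQUEST", "ACK"]},
]

# Assumed asset-inventory baseline: MACs of approved docks and adapters.
KNOWN_MACS = {"00:11:22:33:44:55"}


@dataclass
class Chain:
    host: str
    arrival: dict
    mount: Optional[dict] = None
    lease: Optional[dict] = None

    @property
    def score(self) -> int:
        """Arrival alone scores 0 (never alerted); mount adds 1, unknown-MAC lease adds 2."""
        return (1 if self.mount else 0) + (2 if self.lease else 0)


def is_arrival(rec: dict) -> bool:
    return any(s in rec["subsystem"] for s in ARRIVAL_SUBSYSTEMS)


def is_mount(rec: dict) -> bool:
    return rec["processImagePath"] == DISKARB_IMAGE and "mounted" in rec["eventMessage"]


def lease_matches(lease: dict, host: str, t0: float, window: float) -> bool:
    """Lease inside the window; if dhcp.log carries host_name it must name this endpoint."""
    name = lease.get("host_name")
    in_window = t0 <= lease["ts"] <= t0 + window
    return in_window and (name is None or name.lower() == host.lower())


def correlate(unified, dhcp, known_macs=KNOWN_MACS, window=WINDOW_SECONDS):
    """Build arrival-anchored chains; drop arrivals with neither mount nor unknown lease."""
    events = sorted(unified, key=lambda r: epoch(r["timestamp"]))
    mounts = [e for e in events if is_mount(e)]
    # Only completed leases (ACK) for MACs outside the approved baseline count.
    leases = [d for d in dhcp if "ACK" in d["msg_types"] and d["mac"].lower() not in known_macs]
    chains = []
    for arr in (e for e in events if is_arrival(e)):
        t0 = epoch(arr["timestamp"])
        chain = Chain(host=arr["host"], arrival=arr)
        chain.mount = next((m for m in mounts if m["host"] == arr["host"]
                            and t0 <= epoch(m["timestamp"]) <= t0 + window), None)
        chain.lease = next((d for d in leases if lease_matches(d, arr["host"], t0, window)), None)
        if chain.score > 0:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for c in correlate(UNIFIED_LOG, DHCP_LOG):
        print(f"{c.host}: score={c.score} arrival={c.arrival['eventMessage']!r} "
              f"mount={(c.mount or {}).get('eventMessage')!r} "
              f"lease_mac={(c.lease or {}).get('mac')!r}")
```

Run as written, mac-01 surfaces as an arrival-plus-mount chain, mac-02 as arrival-plus-mount-plus-unknown-lease, mac-03 is dropped because its lease came from a baselined MAC and nothing mounted, and the mac-04 mount never pairs with anything because the host does not match. FSEvents enrichment of the mounted path (step 3 in the Detection direction list) is left out here; in practice it would be a further lookup keyed on the `/Volumes/...` path in the mount message.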

Mitigation priorities

  • Establish policy and governance for approved removable storage, Thunderbolt devices, docks, and external network adapters on macOS systems.
  • Ensure endpoint logging, DHCP logging, and network metadata retention are sufficient for incident reconstruction.
  • Use endpoint management controls to baseline approved configuration profiles and detect unauthorized profile changes where supported.
  • Document normal peripheral use cases so SOC tuning can reduce false positives without suppressing unusual device, mount, and network-interface chains.
  • For regulated or sensitive environments, maintain audit evidence showing that removable media and endpoint configuration changes can be monitored and investigated.

Analyst notes and limits

This object is an ATT&CK detection analytic, not a technique description. Its practical value is in correlating endpoint and network evidence around macOS peripheral activity. The supplied object has no tactic, no official detection text beyond the description, and no relationship context, so local baselines and asset criticality are required to decide severity.

Assessment is limited to the supplied STIX fields, external reference, and absence of relationships. No claim is made about adversary use, active exploitation, impact, or guaranteed detection coverage. The analytic is only supported for macOS in the provided object.

Official MITRE ATT&CK definition

Analytic 0187

Chain: (1) unified logs report IOUSBHost/IOThunderbolt device arrival; (2) diskarbitrationd attaches a new volume; (3) optional: config profile manipulation or new network interface MAC obtains a lease. Correlate unifiedlogs (subsystems: IOUSBHost, IOKit, diskarbitrationd), FSEvents, and DHCP/Zeek.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in the snapshot)
Modified: (not supplied in the snapshot)
Raw hash: 64aaa9b37734b091...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 64aaa9b37734…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0187 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.