AN0244: Analytic 0244
Detects non-system processes accessing /dev/input/* or issuing ptrace/evdev syscalls used for reading keystroke buffers directly.
Analyst context for executives and security teams
This analytic matters because Linux keystroke access by non-system processes can indicate attempts to observe sensitive user input, including credentials or administrative commands. For executives and security leaders, the decision value is whether Linux endpoints and servers have enough endpoint telemetry to distinguish legitimate input-handling software from unusual processes interacting with /dev/input/* or related syscall activity.
Executive priority
Prioritize this as a validation point for Linux endpoint visibility and identity-risk reduction. If administrative workstations, jump hosts, developer systems, or other Linux assets are in scope, leaders should ask whether the SOC can prove collection and review of process access to input devices and ptrace/evdev-related behavior. This can support incident readiness, audit evidence for monitoring controls, and risk decisions around privileged access environments.
Technical view
For SOC, detection engineering, and IR teams, validate telemetry on Linux systems for non-system processes accessing /dev/input/* and for ptrace/evdev syscall activity associated with reading keystroke buffers. Because no ATT&CK tactic or official detection logic is supplied, teams should treat this as a detection objective rather than a complete rule. Baseline legitimate software that may access input devices, then tune for unusual process names, paths, users, parent processes, execution context, and timing.
Likely telemetry
- Linux process execution and parent/child process metadata
- File or device access events for /dev/input/*
- Syscall telemetry covering ptrace and evdev-related activity where available
- User/session context for processes accessing input devices
- Endpoint security or audit logs from Linux hosts
Detection direction
- Confirm that Linux telemetry actually captures access to /dev/input/*, not just command execution.
- Differentiate expected system or desktop input components from non-system processes accessing input devices.
- Tune for context: process path, signer/package provenance where available, user account, parent process, and whether the host is a workstation, server, or privileged access system.
- Review false positives from accessibility tools, remote desktop agents, input managers, troubleshooting utilities, or legitimate monitoring software.
- Use this analytic as a coverage test because the supplied ATT&CK object does not provide full detection logic or relationship context.
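A worked example of the baseline-then-tune approach described above, added here and not part of the MITRE object or Glexia's analysis: it parses constructed auditd-style records, groups SYSCALL and PATH lines by audit serial, and flags /dev/input/* access and ptrace calls by executables outside a hypothetical baseline, weighting executables in user-writable paths higher. The audit rules in the comment, the sample records and the baseline sets are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (sample data, not from the page), shaped like the
# output of rules such as:  -w /dev/input -p r -k input_dev
#                           -a always,exit -F arch=b64 -S ptrace -k ptrace_use
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:1): arch=c000003e syscall=257 success=yes exit=9 ppid=1 pid=810 uid=0 comm="Xorg" exe="/usr/lib/xorg/Xorg" key="input_dev"
type=PATH msg=audit(1700000000.101:1): item=0 name="/dev/input/event3" mode=020660
type=SYSCALL msg=audit(1700000000.202:2): arch=c000003e syscall=257 success=yes exit=4 ppid=2345 pid=2399 uid=1000 comm="python3" exe="/usr/bin/python3" key="input_dev"
type=PATH msg=audit(1700000000.202:2): item=0 name="/dev/input/event3" mode=020660
type=SYSCALL msg=audit(1700000000.303:3): arch=c000003e syscall=101 success=yes exit=0 ppid=2345 pid=2401 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace_use"
type=SYSCALL msg=audit(1700000000.404:4): arch=c000003e syscall=101 success=yes exit=0 ppid=1 pid=2500 uid=1000 comm="updater" exe="/tmp/updater" key="ptrace_use"
"""
# Hypothetical baselines: replace with the host's approved input-handling and debugging software.
INPUT_BASELINE = {"/usr/lib/xorg/Xorg", "/usr/lib/systemd/systemd-logind"}
PTRACE_BASELINE = {"/usr/bin/gdb", "/usr/bin/strace"}
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_events(text):
    """Group SYSCALL and PATH records by audit serial number."""
    events = defaultdict(lambda: {"syscall": {}, "paths": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[m.group(1)]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events

def detect(text):
    """Flag non-baseline /dev/input/* access and non-baseline ptrace calls, ordered by serial."""
    findings = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc, exe = ev["syscall"], ev["syscall"].get("exe", "")
        touches_input = any(p.startswith("/dev/input/") for p in ev["paths"])
        is_ptrace = sc.get("arch") == "c000003e" and sc.get("syscall") == "101"  # ptrace on x86_64
        kind = ("input_device_access" if touches_input and exe not in INPUT_BASELINE
                else "ptrace" if is_ptrace and exe not in PTRACE_BASELINE else None)
        if kind:
            sev = "high" if exe.startswith(UNTRUSTED_PREFIXES) else "medium"
            findings.append({"serial": serial, "kind": kind, "exe": exe, "uid": sc.get("uid"),
                             "ppid": sc.get("ppid"), "severity": sev})
    return findings
```

Xorg and gdb are suppressed by the baselines; the unlisted interpreter touching an event device and the ptrace call from /tmp are the two findings, which is where parent process, user and host role tuning from the list above would be applied.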
Mitigation priorities
- Restrict unnecessary local access to input device files through least privilege and host hardening.
- Limit ptrace capability and similar process-inspection permissions where operationally feasible.
- Apply stronger controls on privileged Linux workstations and administrative jump hosts, where captured keystrokes could have higher business impact.
- Maintain approved software inventories so unusual input-device access by non-system processes is easier to investigate.
- Ensure incident response playbooks include Linux credential exposure assessment when suspicious input-device access is observed.
Analyst notes and limits
The supplied object is a detection analytic for Linux only. It focuses on non-system process access to /dev/input/* and ptrace/evdev syscall behavior associated with reading keystroke buffers. No tactic, technique relationship, adversary relationship, or official detection query was provided, so local engineering is required to convert this into an operational alert.
This take is limited to the official STIX fields, the MITRE external reference, and the absence of supplied relationships. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Applicability depends on the organization’s Linux asset population, endpoint telemetry depth, and ability to separate legitimate input-handling processes from suspicious ones.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | da60d50db953… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0244 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.