AN0283: Analytic 0283
Detects use of tools/scripts accessing input devices like /dev/input/* or evdev via suspicious processes lacking GUI context.
Analyst context for executives and security teams
AN0283 is a Linux detection analytic focused on suspicious access to input devices such as /dev/input/* or evdev by processes that do not appear to have a normal GUI context. For leaders, the practical issue is not the device path itself, but whether the organization can notice abnormal local input monitoring on Linux systems where user activity, workstation integrity, or sensitive operational access matters.
Executive priority
Prioritize this analytic where Linux endpoints support administrators, developers, privileged operations, or operational technology workflows. It can help validate whether endpoint monitoring covers lower-level device access rather than only process starts and network activity. The business question is: can the SOC distinguish legitimate desktop/input services from unusual scripts or tools reading keyboard or input-device data, and can incident responders prove what happened if such activity appears?
Technical view
For SOC and detection teams, validate visibility into Linux process activity and file/device access involving /dev/input/* and evdev. evdev is the kernel's generic input event interface, exposed to user space as the /dev/input/event* character devices, so open()/openat() telemetry on those paths captures both. The analytic's key decision point is context: suspicious processes lacking GUI context. Teams should define what legitimate GUI/session-related processes look like in their Linux estate (display server or compositor, systemd-logind, input daemons), then alert on scripts, interpreters, automation tools, or unexpected binaries accessing input device interfaces outside that baseline. ATT&CK does not provide a detection query or tactic mapping for this object, so local engineering is required.
Likely telemetry
- Linux process execution telemetry, including command line, executable path, parent process, user, and session context
- File or device access telemetry for /dev/input/* and evdev-related interfaces
- Audit or endpoint sensor events showing process-to-device access relationships
- User login/session and GUI context indicators, where available
- Host inventory identifying Linux systems where GUI input devices are expected versus headless servers
Detection direction
- Baseline legitimate Linux GUI/input services before alerting broadly, because desktop environments and accessibility/input components may access these devices normally. Where the display server or Wayland compositor obtains device file descriptors through systemd-logind, the process that actually opens /dev/input/event* is logind rather than the compositor, so the baseline must account for it.
- Look for unexpected scripts, interpreters, unsigned or unknown binaries, or service-context processes accessing /dev/input/* without an interactive GUI session.
- Separate workstation-like Linux systems from headless servers; access to input devices may have different significance and false-positive profiles in each environment.
- Tune for process lineage, user context, and session type rather than device path alone.
- Because no official detection logic is supplied, validate any implementation with local benign activity and incident-response review criteria.
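A worked implementation of the direction above and of the baseline-then-alert approach in the Technical view, added here as an example: it is not an ATT&CK-supplied query and not Glexia's or MITRE's code. It assumes an auditd watch rule `-w /dev/input/ -p r -k input_devices`, a per-host role taken from inventory, a session-type table of the kind `loginctl show-session` provides, and a short allowlist of display-stack executables; the audit records, session ids, allowlist entries and process names are all constructed for illustration.

```python
"""Added example (not ATT&CK-supplied and not Glexia's code): score opens of
/dev/input/* from raw Linux audit records against GUI/session context.
Assumes the auditd watch rule `-w /dev/input/ -p r -k input_devices`; every
record, session id, allowlist entry and process name below is constructed."""
import re
from collections import defaultdict, namedtuple

# Local baseline and heuristics: assumptions for illustration, tune per estate.
GUI_BASELINE_EXES = {"/usr/lib/xorg/Xorg", "/usr/bin/Xorg", "/usr/bin/gnome-shell",
                     "/usr/lib/systemd/systemd-logind"}  # logind opens devices for compositors
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")
GRAPHICAL_SESSION_TYPES = {"x11", "wayland"}
UNSET_ID = 4294967295  # audit's "unset" auid/ses value: no login session behind the process
_INTERP = re.compile(r"^(python|perl|bash|dash|sh|node|ruby|php)(\d|\.|$)")
# ses id -> session Type, as `loginctl show-session <id> -p Type` reports it (constructed).
SESSIONS = {3: "x11", 5: "tty"}

# Constructed records: Xorg (expected), python3 from a terminal in the GUI session, an unknown /tmp binary with no login session, libinput.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=257 success=yes exit=12 ppid=1180 pid=1342 auid=1000 uid=1000 ses=3 tty=(none) comm="Xorg" exe="/usr/lib/xorg/Xorg" key="input_devices"
type=PATH msg=audit(1700000000.123:501): item=0 name="/dev/input/" nametype=PARENT
type=PATH msg=audit(1700000000.123:501): item=1 name="/dev/input/event4" nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:501): proctitle="/usr/lib/xorg/Xorg"
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2233 auid=1000 uid=1000 ses=3 tty=pts0 comm="python3" exe="/usr/bin/python3.11" key="input_devices"
type=PATH msg=audit(1700000000.456:502): item=1 name="/dev/input/event4" nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.456:502): proctitle=707974686F6E33002D63006F70656E28272F6465762F696E7075742F6576656E74342729
type=SYSCALL msg=audit(1700000001.000:503): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=990 auid=4294967295 uid=0 ses=4294967295 tty=(none) comm="kbdsvc" exe="/tmp/.cache/kbdsvc" key="input_devices"
type=PATH msg=audit(1700000001.000:503): item=1 name="/dev/input/event3" nametype=NORMAL
type=SYSCALL msg=audit(1700000002.000:504): arch=c000003e syscall=257 success=yes exit=5 ppid=1500 pid=1601 auid=1000 uid=1000 ses=3 tty=(none) comm="libinput" exe="/usr/bin/libinput" key="input_devices"
type=PATH msg=audit(1700000002.000:504): item=1 name="/dev/input/event4" nametype=NORMAL
"""

_HDR = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
Finding = namedtuple("Finding", "serial pid exe path cmdline severity reasons")

def _fields(body):
    """key=value pairs; audit hex-encodes proctitle when argv contains NUL bytes."""
    out = {}
    for k, v in _KV.findall(body):
        if v.startswith('"'):
            out[k] = v.strip('"')
        elif k == "proctitle":
            out[k] = bytes.fromhex(v).decode("utf-8", "replace").replace("\x00", " ").strip()
        else:
            out[k] = v
    return out

def parse_records(lines):
    """Group raw audit lines by serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = _HDR.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events[int(serial)][rtype].append(_fields(body))
    return events

def assess(events, host_role="workstation"):
    """Score each successful /dev/input open; host_role ('workstation' or 'headless')
    comes from inventory and decides whether any GUI stack is expected at all."""
    findings = []
    for serial, recs in sorted(events.items()):
        sc = (recs.get("SYSCALL") or [None])[0]
        if sc is None or sc.get("key") != "input_devices" or sc.get("success") != "yes":
            continue
        paths = [p["name"] for p in recs.get("PATH", [])
                 if p.get("name", "").startswith("/dev/input/") and not p["name"].endswith("/")]
        if not paths:
            continue
        exe, ses = sc.get("exe", "?"), int(sc.get("ses", UNSET_ID))
        sess_type = SESSIONS.get(ses)
        gui_session = sess_type in GRAPHICAL_SESSION_TYPES
        if host_role == "workstation" and gui_session and exe in GUI_BASELINE_EXES:
            continue  # expected desktop stack inside a graphical session: baseline, no alert
        checks = [  # (triggered, reason, counts as high severity)
            (host_role == "headless", "input device opened on a headless host", True),
            (ses == UNSET_ID, "no login session (daemon/service context)", True),
            (ses != UNSET_ID and not gui_session,
             f"session {ses} is not graphical ({sess_type or 'unknown'})", False),
            (bool(_INTERP.match(exe.rsplit("/", 1)[-1])), "interpreter opened an input device", False),
            (not exe.startswith(TRUSTED_PREFIXES), f"executable outside trusted paths: {exe}", True),
            (sc.get("tty", "(none)") != "(none)",
             f"launched from terminal {sc.get('tty')}, not a display server", False),
        ]
        reasons = [msg for hit, msg, _ in checks if hit]
        high = any(hit and is_high for hit, _, is_high in checks)
        severity = "high" if high else "medium" if reasons else "low"
        cmdline = (recs.get("PROCTITLE") or [{}])[0].get("proctitle", "")
        findings.append(Finding(serial, sc.get("pid", "?"), exe, paths[0], cmdline, severity,
                                reasons or ["binary not in local GUI baseline"]))
    return findings

if __name__ == "__main__":
    for f in assess(parse_records(SAMPLE_AUDIT_LOG.splitlines())):
        print(f"{f.severity:6} serial={f.serial} pid={f.pid} {f.exe} -> {f.path}: {'; '.join(f.reasons)}")
```

On a real host, feed the output of `ausearch -k input_devices --raw` to parse_records and fill SESSIONS from loginctl at alert time. The severity split follows the bullets above: service context, an executable outside trusted paths, or any access on a headless host is high; interpreter or terminal-launched access inside a graphical session is medium; an unlisted binary that does have GUI context is low, which is the set to review when building the local baseline.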
Mitigation priorities
- Restrict unnecessary local access to Linux input devices through least privilege and appropriate device permissions. The udev default on /dev/input/event* is owner root, group input, mode 0660, so membership of the input group is effectively permission to read every keystroke; review it alongside root access.
- Harden Linux endpoint monitoring so process execution and sensitive device access can be correlated.
- Review which users, services, and automation accounts can access physical or virtual input devices.
- Apply administrative separation for privileged Linux workstations and systems used for sensitive operations.
- Document expected GUI/input access patterns as compliance and incident-response evidence where Linux endpoint integrity is in scope.
Analyst notes and limits
This object is a detection analytic, not a technique description. It is limited to Linux and specifically references access to /dev/input/* or evdev by suspicious processes lacking GUI context. No ATT&CK tactics, relationships, aliases, labels, or official detection query were supplied, so this take emphasizes validation questions and telemetry requirements rather than claiming specific adversary behavior or coverage. Effectiveness depends on local Linux telemetry, endpoint sensor capability, GUI/session context, and environment-specific baselines. This summary does not claim active exploitation, attribution, impact, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8fbee8b6b0f4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0283
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.