AN0446: Analytic 0446
Detection of USB-based remote access hardware (e.g., TinyPilot, PiKVM) attached to the host via drive or peripheral enumeration, triggering vendor identifiers or unusual EDID announcements.
Analyst context for executives and security teams
This analytic concerns Windows hosts detecting USB-based remote access hardware such as TinyPilot or PiKVM through drive/peripheral enumeration, vendor identifiers, or unusual EDID announcements. For leaders, the significance is that a small physical device can create an out-of-band access path that may bypass normal remote access, identity, and network monitoring assumptions. The practical question is whether the organization can notice unexpected hardware appearing on critical workstations, administrator systems, kiosks, or operational endpoints.
Executive priority
Prioritize this as a control-validation and incident-readiness issue where physical access to Windows systems is plausible. It supports decisions around device control, endpoint telemetry retention, physical security procedures, and audit evidence for hardware inventory governance. Security leaders should ask whether SOC and IR teams can prove when new USB peripherals or display-related devices appeared, which systems are allowed to use them, and how exceptions are reviewed.
Technical view
For Windows coverage, validate collection and correlation of host evidence showing USB drive/peripheral enumeration, vendor identifiers, and EDID/display announcements. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, teams should treat it as a detection engineering starting point rather than a complete rule. Focus on identifying unexpected vendor strings, newly enumerated USB or HID-class devices, drive-like attachments, and unusual EDID values on systems where such hardware is not expected.
Likely telemetry
- Windows device installation and Plug and Play events
- USB peripheral and removable drive enumeration records
- Endpoint hardware inventory and device-control logs
- EDR telemetry for newly attached peripherals
- Display/monitor inventory data including EDID announcements where available
Detection direction
- Baseline approved USB, HID, storage, and display devices for sensitive Windows systems before alerting on anomalies.
- Tune detections around vendor identifiers and unusual EDID announcements, while accounting for legitimate KVMs, docking stations, monitors, lab equipment, and support tooling.
- Prioritize alerts on administrator workstations, shared consoles, physically exposed systems, and systems with weak physical access controls.
- Correlate device enumeration with user logon, physical access records where available, and endpoint asset criticality.
- Document telemetry gaps explicitly, especially if EDID data, USB vendor strings, or device-install events are not centrally collected.
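An added example of the baseline-first approach described above (not part of the ATT&CK object or the Glexia analysis): Python detection logic that normalizes constructed Windows device-enumeration records to USB vendor IDs and EDID manufacturer IDs, flags anything outside an approved baseline, and escalates when a HID device and another unapproved class (drive, monitor) enumerate on one host within a short window. The record shape (host, time, instance ID, device class) is assumed to be extracted from PnP or device-install telemetry; all IDs in the sample are constructed placeholders, not real TinyPilot or PiKVM identifiers.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PnpRecord:
    host: str
    ts: int           # enumeration time in seconds (constructed)
    instance_id: str  # PnP device instance ID as Windows reports it
    dev_class: str    # e.g. HIDClass, DiskDrive, Monitor

VID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
EDID_RE = re.compile(r"^DISPLAY\\([A-Z]{3})([0-9A-F]{4})", re.I)

def vendor_key(instance_id):
    """USB vendor ID for USB devices, EDID manufacturer ID for monitors."""
    m = VID_RE.search(instance_id)
    if m:
        return "USB:" + m.group(1).upper()
    m = EDID_RE.match(instance_id)
    return "EDID:" + m.group(1).upper() if m else "OTHER:" + instance_id.upper()

def evaluate(records, baseline, window=300):
    """Flag devices outside the baseline; escalate when a HID device and at
    least one other unapproved class enumerate on one host within `window`
    seconds, the combination remote-access hardware tends to produce."""
    unapproved = [r for r in records if vendor_key(r.instance_id) not in baseline]
    findings = [{"host": r.host, "severity": "medium", "key": vendor_key(r.instance_id),
                 "classes": r.dev_class} for r in unapproved]
    for host in {r.host for r in unapproved}:
        recs = sorted((r for r in unapproved if r.host == host), key=lambda r: r.ts)
        for i, first in enumerate(recs):
            classes = {r.dev_class for r in recs[i:] if r.ts - first.ts <= window}
            if "HIDClass" in classes and len(classes) >= 2:
                findings.append({"host": host, "severity": "high", "key": "cluster",
                                 "classes": ",".join(sorted(classes))})
                break
    return findings

# Constructed baseline and records; VID_ABCD and the ZZZ EDID ID are placeholders.
BASELINE = {"USB:046D", "EDID:DEL"}
SAMPLE = [
    PnpRecord("ADMIN-WS01", 1000, r"USB\VID_046D&PID_C52B\6&1A2B", "HIDClass"),
    PnpRecord("ADMIN-WS01", 1010, r"DISPLAY\DEL4080\5&2C3D", "Monitor"),
    PnpRecord("ADMIN-WS01", 5000, r"USB\VID_ABCD&PID_0001\7&0001", "HIDClass"),
    PnpRecord("ADMIN-WS01", 5020, r"USB\VID_ABCD&PID_0002\7&0002", "DiskDrive"),
    PnpRecord("ADMIN-WS01", 5045, r"DISPLAY\ZZZ1234\5&9999", "Monitor"),
]
def run_sample():
    return evaluate(SAMPLE, BASELINE)
```

The baseline set is the tuning point: add approved KVM, docking-station and monitor IDs there per host class rather than widening the window.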
Mitigation priorities
- Establish and enforce an approved peripheral baseline for Windows endpoints, especially high-value systems.
- Use device-control policy and hardware inventory processes to restrict or review unapproved USB and peripheral attachments where operationally feasible.
- Strengthen physical access controls around exposed or sensitive Windows hosts.
- Add incident response procedures for triaging unexpected remote-access hardware indicators, including preservation of device enumeration evidence.
- Maintain audit-ready records showing exception approvals and monitoring coverage for peripheral use.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a full technique. It names Windows as the platform and describes detection via USB drive/peripheral enumeration, vendor identifiers, and unusual EDID announcements for USB-based remote access hardware. No relationships, tactic mapping, or official detection query were supplied, so local baselining and telemetry validation are essential.
This take is limited to the official fields provided. It does not assert active exploitation, attribution, impact, or guaranteed detection. The object does not include detection logic, data-source mappings, mitigations, or related ATT&CK techniques, so implementation details must be validated against the local Windows endpoint environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8cea708bb3d2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0446
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.