AN0448: Analytic 0448
Attachment of hardware-backed USB KVM devices (e.g., TinyPilot) that enumerate new HID or serial communication interfaces with identifiable metadata.
Analyst context for executives and security teams
This analytic is about recognizing when a macOS system has a hardware-backed USB KVM device attached, such as a device that appears as new HID or serial interfaces with identifiable metadata. For leaders, the significance is not malware detection; it is control over physical access paths that can bypass many network-centric assumptions. If sensitive workstations can accept unexpected input or serial devices, incident response and audit teams need evidence showing whether device attachment is monitored and governed.
Executive priority
Prioritize this where macOS endpoints support privileged administration, sensitive data handling, production operations, or regulated workflows. The key business question is whether the organization can prove that unexpected physical-interface devices are detected, investigated, and controlled. This matters for endpoint hardening, insider-risk investigations, physical security coordination, and compliance evidence around removable or peripheral device governance.
Technical view
SOC and IR teams should validate whether macOS telemetry captures USB attachment events, newly enumerated HID devices, and serial communication interfaces, including device metadata sufficient to distinguish expected peripherals from unusual KVM-class hardware. Because the ATT&CK object provides no official detection logic, teams should treat this as a validation requirement rather than a ready-made rule. Build baselines for approved keyboards, mice, docks, adapters, and administrative tools before alerting on uncommon HID or serial interface changes.
Likely telemetry
- macOS USB device attachment and enumeration records
- HID interface creation or change events
- Serial communication interface creation or change events
- Device metadata such as vendor, product, class, interface, and serial identifiers where available
- Endpoint security, EDR, MDM, or device-control logs that record peripheral attachment
Detection direction
- Confirm that macOS endpoints actually record USB, HID, and serial interface attachment events with usable metadata.
- Baseline approved peripherals by device role and workstation group to reduce false positives from legitimate keyboards, mice, hubs, docks, and adapters.
- Tune detections toward newly observed or rare HID/serial devices on sensitive macOS assets, especially where physical access should be restricted.
- Correlate device-attachment timing with user presence, login activity, administrative sessions, or incident timelines when available.
- Document telemetry gaps explicitly because the ATT&CK object does not include official detection logic or related tactics.
Mitigation priorities
- Define policy for approved USB, HID, and serial peripherals on sensitive macOS systems.
- Use endpoint management or device-control capabilities, where available, to restrict or alert on unapproved peripheral classes or identifiers.
- Coordinate with physical security for systems where local device attachment represents material risk.
- Maintain an inventory or allowlist of expected peripherals for high-value macOS assets.
- Include peripheral-attachment evidence in incident response collection and compliance readiness reviews.
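The detection direction above (capture enumerated devices with vendor, product and serial metadata; baseline approved peripherals; alert on newly observed HID or serial interfaces) and the mitigation allowlist both reduce to the same check, shown here as an added example that is not part of the ATT&CK object or the Glexia page. The inventory is a constructed sample in the shape of `system_profiler SPUSBDataType -json` output (the `_name`, `_items`, `vendor_id`, `product_id`, `serial_num` and `manufacturer` keys are assumed from that tool; verify against your own macOS build). The `usb_interfaces` list is a hypothetical field added for the example because `system_profiler` does not report interface classes; in practice that information would come from the IORegistry (`bInterfaceClass` on each interface). All vendor/product/serial values are constructed placeholders, not real KVM identifiers.

```python
"""Allowlist comparison for macOS USB inventories (constructed example)."""
import json

HID_CLASS = 0x03            # USB interface class: Human Interface Device
SERIAL_CLASSES = {0x02, 0x0A}  # CDC control / CDC data, i.e. USB serial

# Constructed sample shaped like `system_profiler SPUSBDataType -json`.
# `usb_interfaces` is a hypothetical field (interface classes, as hex strings).
SAMPLE_JSON = """
{
  "SPUSBDataType": [
    {
      "_name": "USB31Bus",
      "_items": [
        {
          "_name": "Magic Keyboard",
          "manufacturer": "Apple Inc.",
          "vendor_id": "0x05ac  (Apple Inc.)",
          "product_id": "0x0267",
          "serial_num": "CONSTRUCTED-KB-001",
          "usb_interfaces": ["0x03"]
        },
        {
          "_name": "USB 3.0 Hub",
          "manufacturer": "Generic",
          "vendor_id": "0x2109",
          "product_id": "0x2817",
          "usb_interfaces": ["0x09"],
          "_items": [
            {
              "_name": "Composite Device",
              "manufacturer": "Unknown",
              "vendor_id": "0x1234",
              "product_id": "0xabcd",
              "serial_num": "CONSTRUCTED-KVM-777",
              "usb_interfaces": ["0x03", "0x03", "0x02", "0x0a"]
            }
          ]
        },
        {
          "_name": "Magic Keyboard",
          "manufacturer": "Apple Inc.",
          "vendor_id": "0x05ac  (Apple Inc.)",
          "product_id": "0x0267",
          "serial_num": "CONSTRUCTED-KB-999",
          "usb_interfaces": ["0x03"]
        }
      ]
    }
  ]
}
"""

# Constructed allowlist: (vendor, product) -> approved serial numbers.
# An empty set means any serial of that vendor/product is approved (hubs).
ALLOWLIST = {
    (0x05AC, 0x0267): {"CONSTRUCTED-KB-001"},
    (0x2109, 0x2817): set(),
}


def _hex(value):
    """Normalise '0x05ac  (Apple Inc.)' or '0x05ac' to an int."""
    return int(str(value).split()[0], 16)


def _flatten(items):
    """Walk the nested _items tree (hubs contain children) and yield each device."""
    for item in items:
        yield item
        yield from _flatten(item.get("_items", []))


def parse_inventory(json_text):
    """Return a flat list of device records with normalised metadata."""
    data = json.loads(json_text)
    devices = []
    for bus in data.get("SPUSBDataType", []):
        for dev in _flatten(bus.get("_items", [])):
            devices.append({
                "name": dev.get("_name", "?"),
                "manufacturer": dev.get("manufacturer", "?"),
                "vid": _hex(dev.get("vendor_id", "0x0")),
                "pid": _hex(dev.get("product_id", "0x0")),
                "serial": dev.get("serial_num"),
                "classes": {_hex(c) for c in dev.get("usb_interfaces", [])},
            })
    return devices


def classify(dev, allowlist):
    """Return (verdict, reason) for one device against the allowlist."""
    key = (dev["vid"], dev["pid"])
    has_hid = HID_CLASS in dev["classes"]
    has_serial = bool(dev["classes"] & SERIAL_CLASSES)
    if key in allowlist:
        approved = allowlist[key]
        if not approved or dev["serial"] in approved:
            return "expected", "approved vendor/product and serial"
        return "review", "approved vendor/product but unrecognised serial number"
    if has_hid and has_serial:
        # The KVM-class pattern: one unapproved device enumerating input and serial.
        return "alert", "unapproved composite device exposing HID and serial interfaces"
    if has_hid or has_serial:
        return "alert", "unapproved HID or serial device"
    return "review", "unapproved device with no HID/serial interfaces"


def evaluate(json_text, allowlist):
    """Classify every device in an inventory; returns (name, verdict, reason) tuples."""
    return [(d["name"], *classify(d, allowlist)) for d in parse_inventory(json_text)]


if __name__ == "__main__":
    for name, verdict, reason in evaluate(SAMPLE_JSON, ALLOWLIST):
        print(f"{verdict:8s} {name:20s} {reason}")
```

The allowlist is keyed on vendor/product with optional serial pinning so that a device class the workstation legitimately uses (a hub) does not page anyone, while a second unit of an approved keyboard model with an unknown serial lands in a review queue rather than being silently accepted. Run the inventory collection on a schedule and diff the findings against the previous run to surface only newly observed devices.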
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify macOS as the platform and describe hardware-backed USB KVM-style devices that enumerate HID or serial interfaces with identifiable metadata. No tactics, relationships, or official detection text were supplied, so the practical value is in validating telemetry coverage and governance for physical-interface events.
No official detection logic, tactic mapping, relationship context, attribution, impact statement, or active exploitation claim is provided in the supplied object. Local endpoint logging, MDM/EDR capability, approved-device inventory, and physical-access model are required to determine coverage and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c7a44dd8821d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0448
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.