AN1354: Analytic 1354
Enumeration of USB and other peripheral hardware via udevadm, lshw, or /sys or /proc interfaces in proximity to collection or mounting behavior.
Analyst context for executives and security teams
This analytic matters because Linux peripheral enumeration can be an early signal that someone or something is checking what USB or other hardware is attached before collecting data or mounting devices. For leaders, the decision value is not the command names alone; it is whether the organization can see Linux host activity around removable media and distinguish routine administration from behavior that may precede data movement or physical-access-related risk.
Executive priority
Prioritize this where Linux systems support sensitive operations, regulated data, engineering environments, kiosks, shared workstations, or locations where USB and peripheral use affects business continuity or audit expectations. Executives should ask whether Linux endpoint logging, removable-media controls, and incident response playbooks can prove what hardware was present, who accessed it, and whether enumeration occurred near collection or mounting activity.
Technical view
For SOC and IR teams, validate visibility into Linux process execution and file/interface access associated with udevadm, lshw, /sys, and /proc when they occur near evidence of collection or mounting behavior. Because the ATT&CK object provides no official detection logic and no relationship context, treat it as a detection validation target rather than a ready-made rule. Focus on correlation, timing, user context, host role, and whether the activity is expected for administrators, inventory tooling, or hardware management processes; the same commands that precede data staging are also run every day by configuration-management agents and udev itself.
Likely telemetry
- Linux process execution telemetry, including command line where available
- Audit or endpoint telemetry showing access to /sys and /proc hardware-related interfaces; note that both are virtual filesystems, so path-watch audit rules written for disk-backed directories may not fire as expected there, and coverage should be verified rather than assumed
- Mount and removable-media events on Linux hosts (for example mount syscall audit records or udev add events for block devices)
- User, privilege, and session context for the process performing enumeration
- Host inventory or configuration-management activity to identify expected lshw or udevadm usage
Detection direction
- Baseline legitimate udevadm, lshw, /sys, and /proc hardware enumeration by administrators, monitoring agents, and inventory tools before alerting broadly.
- Correlate enumeration with nearby collection or mounting behavior, as the supplied description makes proximity to those behaviors the meaningful context.
- Prioritize unusual users, unusual hosts, interactive sessions, privileged execution, or first-seen command patterns rather than treating every hardware query as malicious.
- Tune for Linux only; no other platforms are supported by the supplied object.
- Document blind spots where endpoint process telemetry, command-line capture, mount events, or /sys and /proc access visibility are missing.
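The correlation described in the points above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python detector that reads simplified key=value audit-style records (constructed inline, not real auditd output), flags udevadm/lshw execution and /sys or /proc hardware-path access, and only raises a finding when that enumeration falls within a configurable window of a mount on the same host. Severity is lowered for accounts in an assumed inventory-tooling baseline and raised for interactive sessions. The record format, the `BASELINE_USERS` set, and the path prefixes are assumptions for illustration.

```python
"""Correlate Linux peripheral enumeration with nearby mount events.

Added example; not MITRE ATT&CK or Glexia code. The log format below is a
constructed, simplified key=value shape (auditd-like), not real auditd output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed baseline: accounts expected to run hardware inventory (hypothetical).
BASELINE_USERS = {"inventory"}
# Enumeration tools named by the analytic.
ENUM_EXES = {"/usr/bin/udevadm", "/usr/sbin/lshw"}
# Hardware-related virtual-filesystem paths (assumed prefixes for the example).
HW_PATH_PREFIXES = ("/sys/bus/usb/", "/sys/class/block/", "/proc/bus/input/")
# How close (seconds) enumeration must be to a mount to count as "in proximity".
WINDOW_SECONDS = 300

# Constructed sample records: one inventory agent run, one interactive user
# enumerating USB then mounting a stick, and one udev trigger on another host.
SAMPLE_LOG = """\
ts=1700000000 host=ws01 user=inventory type=EXECVE exe=/usr/sbin/lshw tty=(none) argv="lshw -json"
ts=1700000620 host=ws01 user=alice type=EXECVE exe=/usr/bin/udevadm tty=pts/1 argv="udevadm info -e"
ts=1700000625 host=ws01 user=alice type=PATH path=/sys/bus/usb/devices/1-1/idVendor
ts=1700000700 host=ws01 user=alice type=MOUNT dev=/dev/sdb1 mountpoint=/media/alice/USBDISK
ts=1700000900 host=srv02 user=root type=EXECVE exe=/usr/bin/udevadm tty=(none) argv="udevadm trigger"
"""


@dataclass
class Event:
    ts: int
    host: str
    user: str
    type: str
    fields: Dict[str, str] = field(default_factory=dict)


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Event:
    """Parse one key=value record; quoted values may contain spaces."""
    kv = {k: v.strip('"') for k, v in _KV.findall(line)}
    return Event(int(kv["ts"]), kv["host"], kv["user"], kv["type"], kv)


def is_enumeration(ev: Event) -> bool:
    """True for udevadm/lshw execution or reads of hardware paths in /sys or /proc."""
    if ev.type == "EXECVE":
        return ev.fields.get("exe") in ENUM_EXES
    if ev.type == "PATH":
        return ev.fields.get("path", "").startswith(HW_PATH_PREFIXES)
    return False


def correlate(lines: List[str], window: int = WINDOW_SECONDS) -> List[dict]:
    """Return findings for enumeration events within `window` seconds of a mount
    on the same host. Enumeration with no nearby mount is deliberately ignored,
    matching the analytic's emphasis on proximity rather than on the command."""
    events = [parse_line(l) for l in lines if l.strip()]
    mounts = [e for e in events if e.type == "MOUNT"]
    findings = []
    for ev in events:
        if not is_enumeration(ev):
            continue
        near = [m for m in mounts if m.host == ev.host and abs(m.ts - ev.ts) <= window]
        if not near:
            continue
        reasons = []
        if ev.user not in BASELINE_USERS:
            reasons.append("user not in inventory baseline")
        if ev.fields.get("tty", "(none)") != "(none)":
            reasons.append("interactive session")
        findings.append({
            "host": ev.host,
            "user": ev.user,
            "ts": ev.ts,
            "what": ev.fields.get("exe") or ev.fields.get("path"),
            "mount": near[0].fields.get("mountpoint"),
            "delta_s": abs(near[0].ts - ev.ts),
            "reasons": reasons,
            # Baseline, non-interactive enumeration next to a mount is still
            # logged, but as low severity so it can be reviewed, not paged on.
            "severity": "high" if reasons else "low",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against the sample, only the two `alice` events (udevadm at 620 s and the `/sys/bus/usb` read at 625 s) are reported, both within 80 s of her mount; the inventory agent's lshw run is outside the window and the `udevadm trigger` on srv02 has no mount at all. In production the window, baseline set, and path prefixes are the knobs to tune against local telemetry before alerting broadly.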
Mitigation priorities
- Confirm Linux endpoint logging and audit policy can capture process execution, relevant command lines, user context, and mount/removable-media activity.
- Define and enforce policy for authorized USB and peripheral use on sensitive Linux systems where business or compliance risk justifies it.
- Maintain allowlists or baselines for approved hardware inventory and administration tools to reduce false positives.
- Include peripheral enumeration plus mounting or collection context in incident response triage procedures.
- Use findings to support compliance evidence around removable media monitoring and host activity logging where applicable.
Analyst notes and limits
The object is a detection analytic, AN1354, for Linux. It describes enumeration of USB and other peripheral hardware via udevadm, lshw, or /sys or /proc interfaces, especially when near collection or mounting behavior. No tactics, official detection text, aliases, labels, or relationships were supplied, so this analysis emphasizes validation and telemetry requirements rather than a specific detection rule.
Assessment is limited to the supplied ATT&CK fields and external reference. There is no official detection logic, no related technique or campaign context, and no evidence of active exploitation or attribution in the provided data. Local baselines are required to separate normal administration or inventory activity from suspicious behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) so versions can be compared. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3dceb5255f6a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1354
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.