MITRE ATT&CK® Analytic

AN1567: Analytic 1567

Detects suspicious USB HID device enumeration and keystroke injection patterns, such as rapid sequences of input with no user context, scripts executed through simulated keystrokes, or rogue devices presenting themselves as keyboards.

Enterprise | AN1567 | Analytic Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting Windows systems that may be receiving automated keystrokes from a suspicious USB Human Interface Device, such as a device presenting itself as a keyboard. For leaders, the significance is that this behavior can bypass some network-centric controls because the activity appears as local user input. The practical decision is whether the organization can prove it monitors USB HID enumeration and unusual keystroke-driven execution well enough to support rapid investigation.

Executive priority

Prioritize this where Windows endpoints are exposed to removable devices, shared workspaces, kiosks, operations environments, or other areas where physical access could become a cyber entry point. The business value is not just malware detection; it is validating physical/cyber control assumptions, endpoint telemetry quality, SOC triage readiness, and audit evidence around removable device governance.

Technical view

SOC and detection teams should validate whether Windows endpoint telemetry can identify new USB HID devices, especially devices enumerating as keyboards, and correlate that with rapid input sequences, script or command execution, and lack of normal user context. Because the ATT&CK object provides no formal detection logic, teams should treat this as a detection engineering requirement rather than a ready rule: define local baselines for legitimate keyboard activity, device enrollment, helpdesk activity, and administrative scripting before alerting broadly.

Likely telemetry

  • Windows endpoint device enumeration events for USB and HID-class devices
  • Device identity metadata such as vendor ID, product ID, serial number, class, and first-seen host/user context
  • Endpoint process creation telemetry following new keyboard/HID enumeration
  • Script interpreter or shell execution telemetry initiated shortly after device connection
  • User session context, logon state, workstation lock state, and foreground activity where available

Detection direction

  • Validate collection of USB HID enumeration data on Windows endpoints before writing correlation logic.
  • Correlate newly connected keyboard-like devices with rapid command, script, or shell execution shortly afterward.
  • Tune for known-good keyboards, docking stations, accessibility devices, barcode scanners, KVMs, and managed peripheral workflows to reduce false positives.
  • Review cases where input-driven execution occurs with weak user context, such as no recent interactive activity or activity immediately after device insertion.
  • Use this analytic as a hypothesis for managed detection content; the supplied ATT&CK fields do not include tactics, procedures, or a concrete detection query.
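As an added illustration of the correlation step above (this code is not part of the ATT&CK object or of Glexia's content), the following Python sketch joins keyboard-class HID enumeration events with interpreter or shell launches on the same host within a short window, skipping an approved-device list and flagging weak user context. The event schema, the vendor/product IDs, the 30-second window and the interpreter set are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs) from three hypothetical Windows hosts.
# "hid_enum" = new HID device enumerated; "process" = process creation event.
# "locked" records whether the interactive session was locked at insertion time.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "hid_enum", "host": "WS01", "vid": "1234", "pid": "5678", "cls": "Keyboard", "locked": False},
    {"ts": "2024-01-10T09:00:02", "type": "process", "host": "WS01", "image": "powershell.exe", "user": "alice"},
    {"ts": "2024-01-10T12:15:00", "type": "hid_enum", "host": "WS02", "vid": "DEAD", "pid": "BEEF", "cls": "Keyboard", "locked": True},
    {"ts": "2024-01-10T12:15:03", "type": "process", "host": "WS02", "image": "cmd.exe", "user": "bob"},
    {"ts": "2024-01-10T12:15:04", "type": "process", "host": "WS02", "image": "powershell.exe", "user": "bob"},
    {"ts": "2024-01-10T14:00:00", "type": "hid_enum", "host": "WS03", "vid": "DEAD", "pid": "BEEF", "cls": "Keyboard", "locked": False},
    {"ts": "2024-01-10T14:05:00", "type": "process", "host": "WS03", "image": "powershell.exe", "user": "carol"},
]

# Hypothetical allowlist of known-good keyboards as (vendor ID, product ID) pairs.
APPROVED_HID = {("1234", "5678")}
# Script interpreters and shells whose launch right after a new keyboard is suspicious.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, approved=APPROVED_HID, window=timedelta(seconds=30)):
    """Return one finding per unapproved keyboard-class enumeration that is followed,
    on the same host and within `window`, by at least one interpreter/shell launch."""
    evs = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(evs):
        if e["type"] != "hid_enum" or e["cls"] != "Keyboard":
            continue
        if (e["vid"], e["pid"]) in approved:
            continue  # tuned-out known-good device
        launches = []
        for f in evs[i + 1:]:
            if _ts(f) - _ts(e) > window:
                break  # events are time-sorted; nothing later can be in the window
            if f["host"] == e["host"] and f["type"] == "process" and f["image"].lower() in INTERPRETERS:
                launches.append((f["image"], int((_ts(f) - _ts(e)).total_seconds())))
        if launches:
            findings.append({"host": e["host"], "device": f"{e['vid']}:{e['pid']}",
                             "launches": launches, "weak_context": e["locked"]})
    return findings
```

Running `correlate(EVENTS)` yields a single finding for WS02 (two launches within seconds of an unapproved keyboard while the session was locked); WS01 is suppressed by the allowlist and WS03 falls outside the window.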

Mitigation priorities

  • Establish or review removable device and HID peripheral governance for Windows endpoints.
  • Maintain an approved device inventory or policy for expected keyboard/HID-class peripherals where operationally feasible.
  • Harden endpoint script and command execution controls so simulated keystrokes cannot easily launch unauthorized automation.
  • Ensure SOC playbooks include triage steps for suspicious USB HID enumeration followed by local execution activity.
  • Coordinate physical security, IT operations, and endpoint security teams for environments where unauthorized device access is plausible.

Analyst notes and limits

This object is a detection analytic, not a technique description. Its value is in forcing a coverage check: can the organization connect physical device attachment to endpoint execution behavior quickly enough for investigation? It is especially relevant for endpoint monitoring, incident response readiness, removable media policy evidence, and physical/cyber convergence discussions.

The supplied ATT&CK data includes a description, Windows platform scope, and external reference, but no official detection logic, no tactics, and no relationship context. Local telemetry availability, endpoint policy, allowed peripherals, and user workflows are required to determine practical detection quality.

Official MITRE ATT&CK definition

Analytic 1567

Detects suspicious USB HID device enumeration and keystroke injection patterns, such as rapid sequences of input with no user context, scripts executed through simulated keystrokes, or rogue devices presenting themselves as keyboards.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 54c9efdbebfc29ce...

Imported snapshots across ATT&CK releases (1)

Release 19.1 | Bundle imported: | Object version 1.0 | Modified: | Status: Current bundle | Raw hash 54c9efdbebfc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1567 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.