MITRE ATT&CK® Analytic

AN1568: Analytic 1568

Detects USB HID device enumeration under `/sys/bus/usb/devices/` and rapid keystroke injection resulting in command execution such as bash or Python scripts launched without interactive user activity.

Enterprise · AN1568 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting suspicious USB keyboard-like device activity on Linux: a USB HID device appears under `/sys/bus/usb/devices/`, followed by rapid keystroke injection that launches commands such as bash or Python scripts without normal interactive user activity. For leaders, the practical issue is physical-to-digital risk: a device that looks like a keyboard can drive system actions within seconds of being plugged in, so coverage depends on whether Linux endpoint, USB, and process telemetry are actually collected and correlated.

Executive priority

Prioritize this where Linux systems are physically accessible, support sensitive operations, or are part of regulated or cyber-physical environments. The decision value is validating whether the organization can produce evidence of USB device enumeration, correlate it to unusual command execution, and respond quickly when activity is not tied to an authorized user workflow. This can inform physical access controls, endpoint logging investment, SOC use cases, and incident response procedures for suspected rogue peripheral activity.

Technical view

SOC and detection teams should validate Linux visibility for USB HID enumeration under `/sys/bus/usb/devices/` and correlate it with process execution events showing bash or Python scripts launched in a short time window without expected interactive user activity. Because the ATT&CK object provides no tactic mapping, relationship context, or detailed detection logic, local baselining is required to define what constitutes rapid keystrokes, normal peripheral changes, and legitimate automation. IR teams should be prepared to preserve endpoint logs, USB device metadata, process trees, timestamps, user session context, and any available physical access evidence.

Likely telemetry

  • Linux USB device enumeration data, especially activity visible under `/sys/bus/usb/devices/`
  • USB HID device connection and metadata records where available
  • Endpoint process execution telemetry for bash, Python, and script launches
  • User session or interactive login context to distinguish human activity from non-interactive execution
  • Command-line, parent/child process, and timestamp data for correlation

Detection direction

  • Correlate new or unusual USB HID enumeration with rapid subsequent command execution on Linux endpoints.
  • Tune around legitimate keyboards, maintenance peripherals, lab workflows, and approved automation to reduce false positives.
  • Validate whether endpoint telemetry can show absence of expected interactive user activity; without that context, detections may be noisy or incomplete.
  • Use process trees and command-line timing to distinguish normal shell use from scripted or bursty execution following USB activity.
  • Document blind spots where Linux hosts do not collect USB, process, command-line, or session telemetry.
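The correlation described in the technical view and the detection direction above, as an added worked example that is not part of the Glexia page or of the MITRE analytic: it joins constructed USB enumeration records (modelled on the `bInterfaceClass`, `idVendor` and `idProduct` attributes exposed under `/sys/bus/usb/devices/`) with constructed process execution records, flags an unknown HID device that is followed within a short window by interpreter launches lacking interactive session context, and skips devices on a baselined allowlist. The event field names, the 10 second window, the two-launch threshold and the allowlisted vendor/product pair are all assumptions for illustration; the time between enumeration and first exec stands in for keystroke rate, since true keystroke timing needs input-event telemetry that this example does not assume.

```python
"""Correlate USB HID enumeration with bursty, non-interactive interpreter launches.

Hypothetical example: the event records below are constructed for this page;
field names are assumptions about what a Linux agent could collect from sysfs
(/sys/bus/usb/devices/) and from process telemetry.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# bInterfaceClass 0x03 is the USB HID class; an interface directory such as
# /sys/bus/usb/devices/1-2:1.0/bInterfaceClass holds this value.
USB_CLASS_HID = "03"

# Interpreters whose launch right after a new HID device is worth a look.
SCRIPT_INTERPRETERS = frozenset({"bash", "sh", "dash", "python", "python3"})


@dataclass(frozen=True)
class UsbEvent:
    ts: float              # epoch seconds when the interface appeared
    sysfs_path: str        # e.g. /sys/bus/usb/devices/1-2:1.0
    interface_class: str   # contents of bInterfaceClass
    vendor_id: str         # contents of ../idVendor
    product_id: str        # contents of ../idProduct


@dataclass(frozen=True)
class ExecEvent:
    ts: float
    pid: int
    ppid: int
    comm: str
    cmdline: str
    tty: Optional[str]         # None when the process has no controlling tty
    interactive_session: bool  # from login/session telemetry: a known user is active


def is_hid(ev: UsbEvent) -> bool:
    return ev.interface_class == USB_CLASS_HID


def correlate(
    usb_events: List[UsbEvent],
    exec_events: List[ExecEvent],
    window_s: float = 10.0,
    min_execs: int = 2,
    allowlist: FrozenSet[Tuple[str, str]] = frozenset(),
) -> List[Dict]:
    """Return one alert per HID enumeration followed, within window_s seconds,
    by at least min_execs interpreter launches that lack interactive context."""
    alerts: List[Dict] = []
    for usb in usb_events:
        if not is_hid(usb):
            continue                       # storage, audio, etc. are out of scope
        if (usb.vendor_id, usb.product_id) in allowlist:
            continue                       # approved keyboards found during baselining
        followers = sorted(
            (e for e in exec_events
             if usb.ts <= e.ts <= usb.ts + window_s
             and e.comm in SCRIPT_INTERPRETERS
             and not e.interactive_session),
            key=lambda e: e.ts,
        )
        if len(followers) >= min_execs:
            alerts.append({
                "sysfs_path": usb.sysfs_path,
                "device": f"{usb.vendor_id}:{usb.product_id}",
                "first_exec_delay_s": round(followers[0].ts - usb.ts, 3),
                "exec_count": len(followers),
                "pids": [e.pid for e in followers],
                "ttys": [e.tty for e in followers],
                "cmdlines": [e.cmdline for e in followers],
            })
    return alerts


def demo() -> List[Dict]:
    """Run the correlation over constructed sample telemetry (not real data)."""
    usb = [
        UsbEvent(1000.0, "/sys/bus/usb/devices/1-2:1.0", "03", "1234", "0001"),  # unknown HID
        UsbEvent(2000.0, "/sys/bus/usb/devices/1-3:1.0", "03", "abcd", "0002"),  # approved keyboard
        UsbEvent(3000.0, "/sys/bus/usb/devices/1-4:1.0", "08", "5678", "0003"),  # mass storage
    ]
    execs = [
        ExecEvent(1001.2, 4242, 4100, "bash", "bash -c 'cat /etc/hostname'", None, False),
        ExecEvent(1001.9, 4243, 4242, "python3", "python3 /tmp/run.py", None, False),
        ExecEvent(1500.0, 4300, 4210, "bash", "bash", "pts/0", True),   # human at a shell
        ExecEvent(2001.0, 4400, 4100, "bash", "bash -c 'uptime'", None, False),
        ExecEvent(2001.5, 4401, 4400, "python3", "python3 /tmp/run.py", None, False),
        ExecEvent(3001.0, 4500, 4100, "bash", "bash -c 'mount'", None, False),
    ]
    # ("abcd", "0002") is a constructed allowlist entry standing in for a baselined keyboard.
    return correlate(usb, execs, allowlist=frozenset({("abcd", "0002")}))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the block prints a single alert for the unknown device at `/sys/bus/usb/devices/1-2:1.0`: the approved keyboard at 2000.0 is dropped by the allowlist even though it is followed by the same burst, and the mass-storage interface at 3000.0 never enters the HID check. The `ttys` field is carried into the alert rather than used as a filter because injected keystrokes typed into a live console do acquire a controlling terminal; the discriminating signal the page asks for is the absence of expected interactive user activity, which here comes from session telemetry.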

Mitigation priorities

  • Start with asset scoping: identify Linux systems where physical USB access creates material business, operational, or safety risk.
  • Strengthen physical access controls and administrative procedures for sensitive Linux endpoints.
  • Review endpoint logging configuration so USB enumeration, process execution, command line, and user session context are available for investigation.
  • Where operationally feasible, apply device control or peripheral governance policies for unauthorized USB HID devices.
  • Add incident response playbooks for suspected rogue USB activity, including host isolation decision points, evidence preservation, and physical security coordination.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and includes a concise description but no official detection logic and no relationship context. The main defensible interpretation is Linux-focused detection of USB HID enumeration followed by rapid command execution without interactive user activity. Glexia would treat this as a telemetry validation and response-readiness use case rather than proof of existing exposure or compromise.

Tactics are not specified, no relationships are supplied, and the official detection field is not provided. This take cannot infer affected non-Linux platforms, adversary attribution, active exploitation, impact, or guaranteed detection coverage. Local baselines, endpoint logging configuration, and physical access context are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 1568

Detects USB HID device enumeration under `/sys/bus/usb/devices/` and rapid keystroke injection resulting in command execution such as bash or Python scripts launched without interactive user activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5beba550e6d1e147...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 5beba550e6d1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1568 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.