AN1569: Analytic 1569
Detects abnormal HID device enumeration via I/O Registry (ioreg -p IOUSB) and keystroke injection targeting AppleScript, osascript, or PowerShell equivalents. Defender correlates new USB device connections with rapid script execution.
Analyst context for executives and security teams
This analytic matters because a newly connected USB HID device followed quickly by script execution on macOS can indicate risky hands-on-keyboard or device-assisted activity that bypasses purely network-focused controls. For leaders, the decision value is whether the organization can prove it sees physical peripheral changes and the immediate command/script activity that may follow.
Executive priority
Prioritize this where macOS endpoints are material to business operations, privileged administration, engineering, executive users, or regulated workflows. The key governance question is whether endpoint monitoring and incident response playbooks cover the physical-to-digital gap: new USB device connection, rapid automation via AppleScript or osascript, and timely escalation. This can support audit evidence for endpoint monitoring and physical access control assumptions, but local telemetry must validate coverage.
Technical view
The supplied analytic is macOS-specific and describes detecting abnormal HID device enumeration through the I/O Registry, such as `ioreg -p IOUSB`, correlated with rapid script execution targeting AppleScript, `osascript`, or PowerShell equivalents (`pwsh` where it is installed). On its own, `ioreg` is a built-in, read-only query of the I/O Kit registry and is routinely run by administrators and management tools; the signal is the timing between a new USB/HID attach and the enumeration or script execution that follows, not either event alone. Keystrokes injected by a malicious HID device arrive as ordinary keyboard input from a newly attached device, so process telemetry will show a local interactive session, not a remote one. SOC and detection teams should validate whether endpoint telemetry records new USB/HID device connections (vendor and product IDs, device class), I/O Registry enumeration, process creation, command-line arguments, parent-child process context, and timing between device connection and script execution. No ATT&CK tactic or relationship context was supplied, so triage should be driven by local asset criticality, user context, and whether the script execution is expected administrative activity.
Likely telemetry
- macOS endpoint process creation events
- Command-line arguments for processes such as ioreg and osascript
- USB and HID device connection or enumeration events
- I/O Registry access or output related to IOUSB where available
- Script execution telemetry for AppleScript and osascript
Detection direction
- Validate that macOS telemetry includes both sides of the correlation: new USB/HID device activity and rapid script execution.
- Tune timing thresholds carefully; legitimate administrators, developers, accessibility tools, hardware testing, and device-management workflows may generate similar patterns.
- Prioritize alerts when HID enumeration is followed by unexpected AppleScript, osascript, or similar automation on sensitive hosts or under privileged users.
- Confirm whether command-line collection is enabled; without it, `ioreg -p IOUSB` and script intent may be difficult to distinguish from benign activity.
- Account for blind spots on unmanaged Macs, privacy-restricted telemetry, incomplete USB event logging, or endpoint tools that record process execution but not peripheral changes.
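The correlation described under Technical view and Detection direction, as an added example that is not Glexia's or MITRE's detection logic: it reads normalized endpoint events (USB attach events plus process-creation events with command lines), pairs each HID attach with any `ioreg -p IOUSB` enumeration or script-host execution on the same host inside a tunable window, and suppresses approved peripherals. The event format, field names, approved-device list, privileged-user and sensitive-host sets, and the sample log lines are all constructed assumptions, not any particular EDR schema.

```python
"""Correlate new USB/HID attach events with rapid ioreg/script execution on macOS.

Added example, not code from the page or from MITRE/Glexia. The pipe-delimited
event format and every list below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from pathlib import PurePosixPath
from typing import Dict, List

# Processes worth pairing with a fresh HID attach (assumption: tune per fleet).
WATCHED = {"ioreg", "osascript", "pwsh", "sh", "bash", "zsh"}
SCRIPT_HOSTS = {"osascript", "pwsh"}          # automation hosts named by the analytic
APPROVED_HID = {("0x05ac", "0x0250")}         # assumption: a managed keyboard model
PRIVILEGED_USERS = {"itadmin"}                # assumption: local admin accounts
SENSITIVE_HOSTS = {"mac-exec-01"}             # assumption: executive workstation

# Constructed sample telemetry: ts|host|user|kind|key=value ... [cmdline=...]
SAMPLE_LOG = """\
2025-03-04T09:12:03Z|mac-eng-07|alice|usb_attach|vid=0xabcd pid=0x0001 class=HID name=Keyboard
2025-03-04T09:12:05Z|mac-eng-07|alice|process|exe=/usr/sbin/ioreg ppid_name=zsh cmdline=ioreg -p IOUSB -l -w0
2025-03-04T09:12:06Z|mac-eng-07|alice|process|exe=/usr/bin/osascript ppid_name=zsh cmdline=osascript -e do shell script "id"
2025-03-04T09:30:00Z|mac-it-02|itadmin|usb_attach|vid=0x05ac pid=0x0250 class=HID name=Keyboard
2025-03-04T09:30:02Z|mac-it-02|itadmin|process|exe=/usr/bin/osascript cmdline=osascript /Library/Scripts/setup.scpt
2025-03-04T10:00:00Z|mac-exec-01|carol|usb_attach|vid=0xabcd pid=0x0002 class=HID name=Mouse
2025-03-04T10:05:00Z|mac-exec-01|carol|process|exe=/usr/bin/osascript cmdline=osascript -e beep
2025-03-04T11:00:00Z|mac-eng-07|alice|usb_attach|vid=0xabcd pid=0x0003 class=MassStorage name=Disk
2025-03-04T11:00:04Z|mac-eng-07|alice|process|exe=/usr/sbin/ioreg cmdline=ioreg -l
"""


@dataclass
class Alert:
    host: str
    user: str
    device: str      # vid:pid of the HID device that preceded the process
    process: str
    cmdline: str
    delta_s: float   # seconds between attach and process start
    severity: str


def parse_line(line: str) -> Dict[str, object]:
    """Parse one constructed event line; cmdline= must be the last field."""
    ts, host, user, kind, detail = line.split("|", 4)
    fields: Dict[str, str] = {}
    tokens = detail.split(" ")
    for i, tok in enumerate(tokens):
        if tok.startswith("cmdline="):
            fields["cmdline"] = " ".join(tokens[i:])[len("cmdline="):]
            break
        key, _, value = tok.partition("=")
        fields[key] = value
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "kind": kind, **fields}


def correlate(lines: List[str], window_s: int = 30) -> List[Alert]:
    """Pair each watched process with a non-approved HID attach within window_s."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_hid: Dict[str, List[Dict[str, object]]] = {}
    alerts: List[Alert] = []
    for ev in events:
        if ev["kind"] == "usb_attach":
            if ev.get("class") == "HID":            # only HID (keyboard-class) devices
                recent_hid.setdefault(ev["host"], []).append(ev)
            continue
        if ev["kind"] != "process":
            continue
        name = PurePosixPath(str(ev.get("exe", ""))).name
        cmdline = str(ev.get("cmdline", ""))
        if name not in WATCHED:
            continue
        if name == "ioreg" and "IOUSB" not in cmdline:
            continue                                # generic ioreg use is too noisy
        host = str(ev["host"])
        # Drop attaches that have aged out, then check the survivors.
        recent_hid[host] = [d for d in recent_hid.get(host, [])
                            if (ev["ts"] - d["ts"]).total_seconds() <= window_s]
        for dev in recent_hid[host]:
            if (dev["vid"], dev["pid"]) in APPROVED_HID:
                continue
            high = (name in SCRIPT_HOSTS or ev["user"] in PRIVILEGED_USERS
                    or host in SENSITIVE_HOSTS)
            alerts.append(Alert(host=host, user=str(ev["user"]),
                                device=f'{dev["vid"]}:{dev["pid"]}', process=name,
                                cmdline=cmdline,
                                delta_s=(ev["ts"] - dev["ts"]).total_seconds(),
                                severity="high" if high else "medium"))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.host} {a.user} {a.device} +{a.delta_s:.0f}s {a.cmdline}")
```

With the 30-second default the sample produces two alerts for `alice` (the `ioreg -p IOUSB` enumeration and the inline `osascript -e`), none for the approved keyboard on `mac-it-02`, none for the mass-storage device, and none for `carol`, whose `osascript` ran five minutes after the attach; widening `window_s` to 600 adds the `carol` pairing on the sensitive host. That is the tuning trade-off the bullets above describe: the window and the allowlists, not the process names, decide the false-positive rate.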
Mitigation priorities
- Establish or verify endpoint monitoring for macOS USB/HID events and script execution before relying on this analytic operationally.
- Limit unnecessary script execution capability and administrative privileges on macOS endpoints based on role and business need.
- Use device control or peripheral governance where appropriate for sensitive workstations, while documenting approved exceptions.
- Harden incident response procedures to include collection of USB device history, process execution history, user context, and physical access context.
- Review physical access assumptions for high-value macOS systems, especially where local device interaction could affect business-critical workflows.
Analyst notes and limits
The object is a detection analytic, not a technique, and provides a short behavioral description only. There are no supplied tactics, relationships, aliases, labels, or official detection logic. The most useful operational interpretation is a correlation use case for macOS HID enumeration and rapid script execution.
This take uses only the supplied ATT&CK fields and external reference. It does not assert active exploitation, adversary attribution, impact, or existing detection coverage. Actual value depends on local macOS telemetry, endpoint management scope, approved peripheral use, and normal administrative scripting patterns.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d10684cd4bd5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MITRE ATT&CK, analytic AN1569 (mitre-attack source URL).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.