DET0069: Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)
Analyst context for executives and security teams
DET0069 matters because unauthorized USB, Thunderbolt, network, or other hardware additions can turn physical access into enterprise initial access. For leaders, the practical question is whether the organization can quickly distinguish approved business hardware from an unexpected device connected to an endpoint or network segment.
Executive priority
Prioritize this where physical access, shared workspaces, branch offices, labs, OT-adjacent areas, or high-value endpoints make hardware trust a business-continuity issue. The decision value is evidence: approved asset inventory, device-control policy, network admission records, and incident response procedures should show that unexpected hardware can be found, triaged, and removed before it becomes an access path.
Technical view
This detection strategy is linked to ATT&CK T1200 Hardware Additions under Initial Access, with the related technique listing Windows, Linux, and macOS. Because the supplied ATT&CK object has no official detection text and no strategy-specific platforms or tactics, SOC teams should validate coverage around hardware introduction evidence rather than assume a complete analytic exists. Focus on endpoint device connection events, new hardware identifiers, removable/peripheral changes, Thunderbolt/USB activity where available, and network-side discovery of new or rogue devices.
Likely telemetry
- Endpoint device connection and hardware inventory events
- USB, Thunderbolt, and peripheral attachment logs where available
- EDR or host management records showing new device classes, serials, or drivers
- Network access control, DHCP, switch port, wireless, and asset discovery logs for new devices
- Configuration management or CMDB records for approved hardware
Detection direction
- Baseline approved hardware by user, endpoint, location, and network segment, then alert on unapproved or unusual additions.
- Correlate endpoint attachment events with network admission and asset discovery to catch devices that appear only on one telemetry plane.
- Tune for legitimate IT activity such as imaging, repair, docking stations, labs, and planned hardware refreshes to reduce false positives.
- Validate blind spots for unmanaged endpoints, guest networks, isolated branch offices, and systems without reliable device-control or inventory telemetry.
- Use the T1200 relationship to treat suspicious hardware additions as potential initial-access indicators and escalate when paired with new network presence, driver installation, or unusual authentication activity.
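One way to implement the baseline-then-alert and cross-plane correlation steps above, as an added example that is not part of the DET0069 object or Glexia's analysis. All hosts, vendor/product IDs, serials, MACs, segment names and the two event schemas are constructed; a real deployment would read the baseline from the CMDB and the events from EDR/device-control and DHCP/NAC logs.

```python
from datetime import datetime, timedelta

# Constructed baseline (would come from the CMDB / asset inventory): approved
# (vendor_id, product_id, serial) per host, each host's segment, and known MACs per segment.
APPROVED_DEVICES = {
    "ws-finance-01": {("0bda", "8153", "DOCK-SN-1001")},  # approved docking-station NIC
    "ws-lab-07": {("046d", "c52b", "KBD-SN-2002")},       # approved keyboard receiver
}
HOST_SEGMENT = {"ws-finance-01": "finance-vlan", "ws-lab-07": "lab-vlan"}
KNOWN_MACS = {"finance-vlan": {"aa:bb:cc:00:00:01"}, "lab-vlan": {"aa:bb:cc:00:00:02"}}

# Constructed telemetry (hypothetical normalised schemas): endpoint attachment events
# (ts, host, vid, pid, serial, class) and DHCP lease records (ts, mac, segment).
ATTACH_EVENTS = [
    ("2025-03-01T09:00:00", "ws-finance-01", "0bda", "8153", "DOCK-SN-1001", "net"),
    ("2025-03-01T09:05:00", "ws-finance-01", "0b95", "1790", "UNLISTED-77", "net"),
    ("2025-03-01T10:30:00", "ws-lab-07", "1234", "abcd", "STOR-9", "storage"),
]
DHCP_LEASES = [
    ("2025-03-01T09:06:10", "00:11:22:33:44:55", "finance-vlan"),
    ("2025-03-01T14:00:00", "66:77:88:99:aa:bb", "lab-vlan"),
]

def detect(attach_events, dhcp_leases, window=timedelta(minutes=10)):
    """Flag unapproved endpoint additions, escalating when an unknown MAC appears on the
    host's segment within `window`; also flag unknown MACs no endpoint event explains."""
    findings, matched = [], set()
    for ts, host, vid, pid, serial, dev_class in attach_events:
        if (vid, pid, serial) in APPROVED_DEVICES.get(host, set()):
            continue  # baseline match: planned hardware, no alert
        seg, t0 = HOST_SEGMENT[host], datetime.fromisoformat(ts)
        new_macs = []
        for i, (lts, mac, lseg) in enumerate(dhcp_leases):
            if (lseg == seg and mac not in KNOWN_MACS[seg]
                    and timedelta(0) <= datetime.fromisoformat(lts) - t0 <= window):
                new_macs.append(mac)
                matched.add(i)
        # A network-class peripheral paired with new network presence is the T1200 pattern
        severity = "high" if dev_class == "net" and new_macs else "medium"
        findings.append({"plane": "endpoint", "host": host, "class": dev_class,
                         "device": f"{vid}:{pid}/{serial}", "new_macs": new_macs,
                         "severity": severity})
    for i, (lts, mac, lseg) in enumerate(dhcp_leases):  # seen on the network plane only
        if i not in matched and mac not in KNOWN_MACS[lseg]:
            findings.append({"plane": "network", "segment": lseg, "mac": mac,
                             "severity": "medium"})
    return findings
```

Tuning for imaging, repairs and planned refreshes is a matter of adding those devices (or a change-record lookup) to the approved baseline rather than widening the window.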
Mitigation priorities
- Maintain an approved hardware inventory and require change records for new devices.
- Apply device-control and peripheral-use policies appropriate to endpoint risk and business need.
- Use network admission controls and asset discovery to identify unauthorized network hardware.
- Strengthen physical security and visitor controls for areas containing sensitive endpoints or network access.
- Document IR procedures for isolating, preserving, and analyzing suspicious hardware without assuming benign use.
Analyst notes and limits
The supplied ATT&CK detection strategy provides a name and a relationship to T1200 but no official description or detection logic. This analysis therefore emphasizes defensible validation areas: inventory, endpoint peripheral visibility, network device discovery, and physical/change correlation.
No official detection text, strategy-specific platforms, or tactics were supplied. The related technique supports initial-access framing and Windows/Linux/macOS context, but local architecture and telemetry determine whether useful detection is possible.
Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1200 | Hardware Additions | This object detects Hardware Additions. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4f11dfcba945… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0069
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.