Skip to content

DET0069 Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)

Item Value
ID DET0069
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1200 (Hardware Additions)

Analytics

Windows

AN0185

Chain: (1) a new external device is recognized by Windows (USB/Thunderbolt/PCIe) or a new block device appears; (2) within a short window, the same user/session spawns processes or the OS mounts a new volume; (3) optional follow-on activity such as HID keystroke injection, DMA driver load, or new network interface MAC on DHCP. Correlate Security EID 6416 / Kernel-PnP with sysmon and DHCP/network metadata.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) WinEventLog:Security EventCode=6416
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Driver Load (DC0079) WinEventLog:Sysmon EventCode=6
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Drive Creation (DC0042) WinEventLog:System Kernel-PnP 410/400 device install, disk added
Network Traffic Flow (DC0078) wineventlog:dhcp DHCP Lease Granted
Mutable Elements
Field Description
TrustedDeviceVIDPID Vendor/Product IDs that are approved (e.g., keyboards, mice). Unknown/rare VID:PID raise risk.
ExpectedBusTypes Allow-listed bus types for server classes (e.g., USB disabled on DCs).
TimeWindow Correlation window between device recognition and follow-on process/mount/network activity (e.g., 10m–60m).
TrustedMACs Known NIC/USB-NIC MAC addresses allowed by policy.

Linux

AN0186

Chain: (1) udev / kernel logs show hot-plug (USB/Thunderbolt/PCIe); (2) block device created by udisks/diskarbitration; (3) optional: new network interface or DHCP lease observed. Correlate /var/log/messages|syslog, auditd SYSCALL open/creat on /dev, and DHCP/Zeek.

Log Sources
Data Component Name Channel
Drive Creation (DC0042) auditd:SYSCALL mknod,open,openat
Application Log Content (DC0038) linux:syslog usb * new
Network Traffic Flow (DC0078) NSM:Flow LEASE_GRANTED
Mutable Elements
Field Description
BlocklistDeviceStrings Indicators such as ‘RubberDucky’, ‘BadUSB’, unfamiliar USB-NIC chipsets.
ServerClassesNoUSB Hosts where any USB attach should alert (DCs, hypervisors).
DHCPVlanScopes Scopes allowed to issue leases for corp endpoints vs. guest/IoT.

macOS

AN0187

Chain: (1) unified logs report IOUSBHost/IOThunderbolt device arrival; (2) diskarbitrationd attaches a new volume; (3) optional: config profile manipulation or new network interface MAC obtains a lease. Correlate unifiedlogs (subsystems: IOUSBHost, IOKit, diskarbitrationd), FSEvents, and DHCP/Zeek.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Device attached
Drive Creation (DC0042) macos:unifiedlog mounted
Network Traffic Flow (DC0078) NSM:Flow MAC not in allow-list acquiring IP (DHCP)
Mutable Elements
Field Description
ManagedUSBPolicy MDM profile expectations for external media and Thunderbolt mode; deviations alert.
KnownAppleAccessories VID/PID for corporate-issued docks/keyboards.