Insider Threat Matrix™
  • ID: DT149
  • Created: 10th March 2026
  • Updated: 10th March 2026
  • Contributor: The ITM Team

Unauthorized USB HID Device Connections

Monitor endpoints for the connection of new or unexpected USB Human Interface Devices (HID), such as keyboards or mice, that were not previously associated with the system.

Hardware-based remote access devices, including IP-KVM platforms, commonly emulate standard USB HID peripherals in order to inject keyboard and mouse input into a host system. When connected, the operating system enumerates these devices as generic keyboards or mice and loads standard HID drivers, allowing input to be delivered without specialized software.

The appearance of additional or previously unseen HID devices (particularly on systems where peripherals rarely change) may indicate the installation of hardware capable of injecting input or maintaining covert remote interaction with the endpoint.

Detection Methods

  • Collect USB device connection telemetry from endpoint detection and response (EDR) platforms, operating system logs, or device monitoring tools.
  • Alert on the connection of new HID-class devices, particularly generic USB keyboards or mice that were not previously associated with the endpoint.
  • Investigate situations where multiple keyboard or mouse devices are enumerated simultaneously on a workstation.
  • Review HID device connections occurring outside normal working hours or during periods when no authorized individual is expected to interact with the system.
  • Record and analyze device metadata including vendor ID (VID), product ID (PID), device class identifiers, and descriptor strings to identify previously unseen peripherals.
  • Compare newly detected HID devices against approved peripheral inventories or known hardware baselines where such inventories exist.

Prioritize investigation on systems where peripheral configurations are expected to remain static, such as corporate laptops, developer workstations, or systems operating in controlled environments.
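As an added illustration of the methods above (this is not code from the ITM entry), the following Python replays constructed USB attach events against a per-host approved-peripheral baseline and emits the findings the list describes: new HID-class devices, concurrent keyboards, and off-hours connections. The event fields, VID/PID values, host names and the working-hours window are assumptions, not any particular EDR's schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from any real EDR): one USB attach/detach
# event per entry. VID/PID values are placeholders, not real vendor assignments.
EVENTS = [
    {"host": "ws-dev-07", "ts": "2026-03-09T09:02:11", "vid": "0a1b", "pid": "0001",
     "cls": "HID", "usage": "keyboard", "desc": "Approved Keyboard", "action": "connect"},
    {"host": "ws-dev-07", "ts": "2026-03-09T22:41:05", "vid": "ffff", "pid": "0002",
     "cls": "HID", "usage": "keyboard", "desc": "Generic USB Keyboard", "action": "connect"},
    {"host": "ws-dev-07", "ts": "2026-03-09T22:41:06", "vid": "ffff", "pid": "0003",
     "cls": "HID", "usage": "mouse", "desc": "Generic USB Mouse", "action": "connect"},
    {"host": "ws-fin-02", "ts": "2026-03-09T10:15:00", "vid": "0a1b", "pid": "0009",
     "cls": "MassStorage", "usage": None, "desc": "Flash Drive", "action": "connect"},
]

# Approved peripheral inventory per host, keyed on (VID, PID). Constructed.
BASELINE = {"ws-dev-07": {("0a1b", "0001")}, "ws-fin-02": set()}

WORK_HOURS = (7, 19)  # assumption: 07:00-19:00 local counts as normal working hours


def analyze_hid_events(events, baseline, work_hours=WORK_HOURS):
    """Replay attach/detach events in time order; return (host, rule, detail) findings."""
    findings = []
    keyboards = defaultdict(set)  # keyboards currently attached, per host
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["vid"], ev["pid"])
        if ev["action"] == "disconnect":
            keyboards[ev["host"]].discard(key)
            continue
        if ev["cls"] != "HID":
            continue  # this detection is scoped to HID-class devices only
        hour = datetime.fromisoformat(ev["ts"]).hour
        if key not in baseline.get(ev["host"], set()):
            findings.append((ev["host"], "new_hid_device", f"{ev['desc']} {key}"))
        if not (work_hours[0] <= hour < work_hours[1]):
            findings.append((ev["host"], "off_hours_hid_connect", ev["ts"]))
        if ev["usage"] == "keyboard":
            keyboards[ev["host"]].add(key)
            if len(keyboards[ev["host"]]) > 1:  # more than one keyboard enumerated at once
                findings.append((ev["host"], "multiple_keyboards", str(sorted(keyboards[ev["host"]]))))
    return findings


if __name__ == "__main__":
    for host, rule, detail in analyze_hid_events(EVENTS, BASELINE):
        print(f"{host}: {rule} -> {detail}")
```

The mass-storage event is deliberately ignored to show the HID scoping; a production version would read the baseline from a managed inventory rather than a literal.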

Investigative Notes

Hardware-based remote access devices frequently identify themselves as generic HID peripherals, making them difficult to distinguish from legitimate input devices through simple enumeration alone.

Investigators should review the timing and context of device connection events, including whether the subject was physically present at the system when the device was attached. Correlating HID connection timestamps with physical access logs, workstation location, or building entry records may help determine whether the device connection was authorized.

Unexpected HID device connections on sensitive or high-value systems may indicate the presence of hardware designed to inject commands or enable covert remote interaction with the endpoint.