ATTACK-T1219.003Active

Remote Access Hardware

Statement

An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.

Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).(Citation: Palo Alto Unit 42 North Korean IT Workers 2024)(Citation: Google Cloud Threat Intelligence DPRK IT Workers 2024)

Location

Tactic: Command and Control

Technique Details

Identifier: ATTACK-T1219.003
Parent Technique: ATTACK-T1219
ATT&CK Page: View on MITRE

Tactics

Command And Control

Platforms

LinuxmacOSWindows

Detection

Detect Remote Access via USB Hardware (TinyPilot, PiKVM)

Mitigations

Limit Hardware Installation: Prevent unauthorized users or groups from installing or using hardware, such as external drives, peripheral devices, or unapproved internal hardware components, by enforcing hardware usage policies and technical controls. This includes disabling USB ports, restricting driver installation, and implementing endpoint security tools to monitor and block unapproved devices. This mitigation can be implemented through the following measures:

Disable USB Ports and Hardware Installation Policies:

Use Group Policy Objects (GPO) to disable USB mass storage devices:
- Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
- Deny write and read access to USB devices.
Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.

Deploy Endpoint Protection and Device Control Solutions:

Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware.
Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.

Harden BIOS/UEFI and System Firmware:

Set strong passwords for BIOS/UEFI access.
Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.

Restrict Peripheral Devices and Drivers:

Use Windows Device Manager Policies to block installation of unapproved drivers.
Monitor hardware installation attempts through endpoint monitoring tools.

Disable Bluetooth and Wireless Hardware:

Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems.
Restrict hardware pairing to approved devices only.

Logging and Monitoring:

Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager).
Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.

Tools for Implementation

USB and Device Control:

Microsoft Group Policy Objects (GPO)
Microsoft Defender for Endpoint
Symantec Endpoint Protection
McAfee Device Control

Endpoint Monitoring:

EDRs
OSSEC (open-source host-based IDS)

Hardware Whitelisting:

BitLocker for external drives (Windows)
Windows Device Installation Policies
Device Control

BIOS/UEFI Security:

Secure Boot (Windows/Linux) Firmware management tools like Dell Command Update or HP Sure Start

No cross-framework mappings available

← Back to Command and Control

Disable USB Ports and Hardware Installation Policies:

Use Group Policy Objects (GPO) to disable USB mass storage devices:
- Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
- Deny write and read access to USB devices.
Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.

Deploy Endpoint Protection and Device Control Solutions:

Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware.
Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.

Harden BIOS/UEFI and System Firmware:

Set strong passwords for BIOS/UEFI access.
Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.

Restrict Peripheral Devices and Drivers:

Use Windows Device Manager Policies to block installation of unapproved drivers.
Monitor hardware installation attempts through endpoint monitoring tools.

Disable Bluetooth and Wireless Hardware:

Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems.
Restrict hardware pairing to approved devices only.

Logging and Monitoring:

Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager).
Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.

Tools for Implementation

USB and Device Control:

Microsoft Group Policy Objects (GPO)
Microsoft Defender for Endpoint
Symantec Endpoint Protection
McAfee Device Control

Endpoint Monitoring:

EDRs
OSSEC (open-source host-based IDS)

Hardware Whitelisting:

BitLocker for external drives (Windows)
Windows Device Installation Policies
Device Control

BIOS/UEFI Security:

Secure Boot (Windows/Linux) Firmware management tools like Dell Command Update or HP Sure Start

Remote Access Hardware

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0

Remote Access Hardware

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0