Description
Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access points to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)
Platforms
Mitigations (2)
Limit Access to Resource Over Network (M1035)
Establish network access control policies, such as using device certificates and the 802.1x standard. (Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.
Limit Hardware Installation (M1034)
Block unknown devices and accessories through endpoint security configuration and a monitoring agent.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0105 | DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) physically connected Bash Bunny, Raspberry Pi, netbooks, and inexpensive laptops to the target or... |
References
- Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.
- Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.
- Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.
- Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.
Frequently Asked Questions
What is T1200 (Hardware Additions)?
T1200 is a MITRE ATT&CK technique named 'Hardware Additions'. It belongs to the Initial Access tactic. Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connec...
How can T1200 be detected?
Detection of T1200 (Hardware Additions) typically involves monitoring system logs, network traffic, and endpoint telemetry for newly attached devices and accessories and for unregistered devices appearing on the network. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
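The mitigations above (restrict DHCP to registered devices, block unknown accessories with an endpoint agent) and the detection answer both come down to the same check: compare each newly seen device against an allowlist and alert on anything unregistered. The following script is an added example, not part of the ATT&CK page or of any vendor product; it parses two log shapes that real systems emit (Linux kernel "New USB device found" lines and dnsmasq "DHCPACK" lease lines), but the log lines, allowlists, MAC addresses and USB vendor:product IDs below are all constructed for illustration.

```python
"""Flag hardware that is not on a registration allowlist (constructed example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Linux kernel USB attach message, e.g.
#   usb 1-1.2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
USB_RE = re.compile(
    r"(usb \S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})"
)
# dnsmasq DHCP lease acknowledgement, e.g.
#   DHCPACK(eth0) 10.10.4.52 aa:bb:cc:00:11:22 ws-17
DHCP_RE = re.compile(r"DHCPACK\(\w+\) (\d+(?:\.\d+){3}) ([0-9a-fA-F:]{17})(?: (\S+))?")


@dataclass(frozen=True)
class HardwareEvent:
    source: str       # "usb" (endpoint telemetry) or "dhcp" (network telemetry)
    identifier: str   # USB vendor:product ID or DHCP client MAC, lower-cased
    detail: str       # bus path, or "ip hostname", kept for the analyst
    registered: bool  # True if the identifier is on the allowlist


def parse_event(line: str, registered_usb: Set[str], registered_macs: Set[str]) -> Optional[HardwareEvent]:
    """Return a HardwareEvent for an attach/lease line, or None for anything else."""
    m = USB_RE.search(line)
    if m:
        ident = f"{m.group(2)}:{m.group(3)}".lower()
        return HardwareEvent("usb", ident, m.group(1), ident in registered_usb)
    m = DHCP_RE.search(line)
    if m:
        mac = m.group(2).lower()
        detail = f"{m.group(1)} {m.group(3) or '<no hostname>'}"
        return HardwareEvent("dhcp", mac, detail, mac in registered_macs)
    return None


def find_unregistered(lines: Iterable[str], registered_usb: Set[str], registered_macs: Set[str]) -> List[HardwareEvent]:
    """Walk a log stream and return every device event whose identifier is not registered."""
    alerts: List[HardwareEvent] = []
    for line in lines:
        event = parse_event(line, registered_usb, registered_macs)
        if event is not None and not event.registered:
            alerts.append(event)
    return alerts


# Constructed allowlists: the asset register's known USB devices and DHCP clients.
REGISTERED_USB = {"046d:c52b", "0781:5583"}
REGISTERED_MACS = {"aa:bb:cc:00:11:22", "aa:bb:cc:00:11:33"}

# Constructed sample log lines; hostnames, addresses and IDs are not real assets.
SAMPLE_LOGS = [
    "Mar 14 09:12:01 ws-17 kernel: usb 1-1.2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03",
    "Mar 14 09:12:05 ws-17 kernel: usb 1-1.3: New USB device found, idVendor=1234, idProduct=ABCD, bcdDevice= 1.00",
    "Mar 14 09:12:06 ws-17 kernel: usb 1-1.3: Product: Example HID Device",
    "Mar 14 09:13:10 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.4.52 aa:bb:cc:00:11:22 ws-17",
    "Mar 14 09:13:44 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.4.77 DE:AD:BE:EF:00:01 raspberrypi",
]

if __name__ == "__main__":
    for alert in find_unregistered(SAMPLE_LOGS, REGISTERED_USB, REGISTERED_MACS):
        print(f"ALERT unregistered {alert.source} device {alert.identifier} ({alert.detail})")
```

Run against the constructed sample it reports two events: the USB device 1234:abcd on ws-17 and the DHCP client de:ad:be:ef:00:01 that obtained a lease as "raspberrypi". In a real deployment the allowlists would come from the asset register that the DHCP-registration and 802.1x policies already rely on, and the kernel and DHCP lines would be read from the SIEM rather than a list in the script; identifiers are normalised to lower case because kernel and DHCP logs differ in the letter case they use.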
What mitigations exist for T1200?
There are 2 documented mitigations for T1200. Key mitigations include: Limit Access to Resource Over Network, Limit Hardware Installation.
Which threat groups use T1200?
Known threat groups using T1200 include: DarkVishnya.