Description
An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These devices, including IP-based keyboard, video, and mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.
Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Because an IP-based KVM presents itself to the host as an ordinary USB keyboard and mouse and captures the video at the display output, there is no remote-access software on the host for endpoint controls to find; hardware-based remote access tools can therefore allow threat actors to bypass software security solutions and gain more control over the compromised device(s) (Gordenker 2024; Starks et al. 2024).
Platforms
Mitigations (1)
Limit Hardware Installation (M1034)
Block the use of IP-based KVM devices within the network if they are not required. Note that the KVM's USB side looks like a standard keyboard and mouse, so blocking the HID device class on the host is rarely practical; the enforceable control points are the network segment the KVM must join to be reachable and physical access to the host's USB and video ports.
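The mitigation above is a network-side block, which presumes you can tell a KVM from the rest of your inventory. The following example, added by the editor and not part of ATT&CK or of any vendor's tooling, shows one way to triage for Raspberry Pi based KVMs such as PiKVM and TinyPilot from two data sources a practitioner usually already has: an IP/MAC/hostname inventory (DHCP or ARP export) and Linux kernel USB attach messages. The OUIs, default hostnames and default USB vendor/product IDs are the editor's assumptions about these products and should be checked against the IEEE OUI registry and the devices in your own environment; the sample rows and log lines are constructed.

```python
import re
from typing import Dict, List

# Assumption: OUIs registered to Raspberry Pi (Trading) Ltd. TinyPilot and
# PiKVM ship on Raspberry Pi boards. Check the IEEE OUI registry before use;
# a custom board, a Pi in another role, or a spoofed MAC defeats this check.
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01", "D8:3A:DD"}

# Assumption: default hostnames / descriptor strings of the two products
# named on the page. Operators can rename them.
KVM_HOSTNAME_HINTS = ("pikvm", "tinypilot")

# Assumption: Linux USB gadget framework defaults (idVendor 1d6b = Linux
# Foundation, idProduct 0104 = Multifunction Composite Gadget), which
# Raspberry Pi based KVMs commonly present unless the operator changes them.
SUSPECT_USB_IDS = {("1d6b", "0104")}

# Constructed sample: "ip,mac,hostname" rows as exported from DHCP/ARP data.
SAMPLE_INVENTORY = """\
10.0.0.10,00:50:56:ab:cd:01,fileserver
10.0.0.42,b8:27:eb:12:34:56,pikvm
10.0.0.77,02:42:ac:11:00:02,tinypilot-dev
10.0.0.90,3c:22:fb:10:20:30,laptop-jdoe
"""

# Constructed sample in the Linux kernel's "New USB device found" format.
SAMPLE_DMESG = """\
usb 1-1.1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
usb 1-1.1: Manufacturer: Logitech
usb 1-1.2: New USB device found, idVendor=1d6b, idProduct=0104, bcdDevice= 5.10
usb 1-1.2: Product: Multifunction Composite Gadget
usb 1-1.2: Manufacturer: PiKVM
"""

USB_NEW_RE = re.compile(
    r"^usb (?P<bus>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
USB_MFR_RE = re.compile(r"^usb (?P<bus>\S+): Manufacturer: (?P<mfr>.+)$")


def oui(mac: str) -> str:
    """Normalise a MAC in colon or dash form to its upper-case 3-octet OUI."""
    octets = re.split(r"[:-]", mac.strip())
    return ":".join(o.upper().zfill(2) for o in octets[:3])


def flag_network_hosts(inventory: str) -> List[Dict[str, str]]:
    """Return inventory rows whose OUI or hostname suggests a Pi based KVM."""
    hits = []
    for row in inventory.splitlines():
        if not row.strip():
            continue
        ip, mac, hostname = (f.strip() for f in row.split(",", 2))
        reasons = []
        if oui(mac) in RASPBERRY_PI_OUIS:
            reasons.append("raspberry-pi-oui")
        if any(h in hostname.lower() for h in KVM_HOSTNAME_HINTS):
            reasons.append("kvm-hostname")
        if reasons:
            hits.append({"ip": ip, "mac": mac, "hostname": hostname,
                         "reasons": ",".join(reasons)})
    return hits


def flag_usb_attachments(log: str) -> List[Dict[str, str]]:
    """Return USB attach events whose IDs or manufacturer string suggest a KVM.

    The host sees the KVM as a keyboard/mouse, so only descriptor details
    (not the HID class) can distinguish it from a real peripheral.
    """
    ids: Dict[str, Dict[str, str]] = {}
    mfrs: Dict[str, str] = {}
    for line in log.splitlines():
        m = USB_NEW_RE.match(line)
        if m:
            ids[m["bus"]] = {"vid": m["vid"], "pid": m["pid"]}
            continue
        m = USB_MFR_RE.match(line)
        if m:
            mfrs[m["bus"]] = m["mfr"].strip()
    hits = []
    for bus, d in ids.items():
        reasons = []
        if (d["vid"], d["pid"]) in SUSPECT_USB_IDS:
            reasons.append("linux-gadget-default-id")
        mfr = mfrs.get(bus, "")
        if any(h in mfr.lower() for h in KVM_HOSTNAME_HINTS):
            reasons.append("kvm-manufacturer-string")
        if reasons:
            hits.append({"bus": bus, "vid": d["vid"], "pid": d["pid"],
                         "manufacturer": mfr, "reasons": ",".join(reasons)})
    return hits


if __name__ == "__main__":
    for h in flag_network_hosts(SAMPLE_INVENTORY):
        print("network:", h)
    for h in flag_usb_attachments(SAMPLE_DMESG):
        print("usb:", h)
```

Each hit carries its reasons so an analyst can weigh them: a Raspberry Pi OUI alone is weak (plenty of legitimate Pis exist), a Raspberry Pi OUI plus a "pikvm" hostname on a segment where no KVM is authorised is worth a ticket. Hosts flagged on the network side are the candidates for the block the mitigation describes; a USB hit on a managed endpoint tells you which host the KVM is plugged into.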
References
- Starks, C., Barnhart, M., Long, T., Lombardi, M., Pisano, J., and Revelli, A. (2024, September 23). Staying a Step Ahead: Mitigating the DPRK IT Worker Threat. Google Cloud Threat Intelligence. Retrieved March 26, 2025.
- Gordenker, E. (2024, November 13). Global Companies Are Unknowingly Paying North Koreans: Here's How to Catch Them. Palo Alto Networks Unit 42. Retrieved March 26, 2025.
Frequently Asked Questions
What is T1219.003 (Remote Access Hardware)?
T1219.003 is a MITRE ATT&CK sub-technique named 'Remote Access Hardware', under T1219 (Remote Access Tools). It belongs to the Command and Control tactic. An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These devices, including IP-based keyboard, video, and...
How can T1219.003 be detected?
This page carries no ATT&CK detection content for T1219.003. In practice the host sees the KVM as an ordinary USB keyboard and mouse, so endpoint telemetry alone rarely distinguishes it from a real peripheral; the stronger signals are on the network side, where the KVM appears as its own IP host (TinyPilot and PiKVM run on Raspberry Pi boards) serving a remote management interface and accepting inbound sessions. Correlate unexpected network hosts against asset inventory and against USB device attach events on the endpoints they are cabled to.
What mitigations exist for T1219.003?
There is one documented mitigation for T1219.003: Limit Hardware Installation (M1034), that is, block IP-based KVM devices on the network where they are not required.
Which threat groups use T1219.003?
The two reports cited on this page, from Google Cloud Threat Intelligence and Palo Alto Networks Unit 42 (both 2024), describe this technique in the context of North Korean (DPRK) IT worker operations. For current group attributions, check the MITRE ATT&CK website.