Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. Adversary-in-the-Middle) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-20 | Use of External Systems | Protects | T1200 | Hardware Additions |
AC-3 | Access Enforcement | Protects | T1200 | Hardware Additions |
AC-6 | Least Privilege | Protects | T1200 | Hardware Additions |
MP-7 | Media Use | Protects | T1200 | Hardware Additions |
SC-41 | Port and I/O Device Access | Protects | T1200 | Hardware Additions |
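The device classes named in the description above (keystroke injectors presenting as a keyboard, rogue network adapters, unknown mass-storage and other peripherals) all announce themselves in the kernel hotplug log when they are plugged in, which is the telemetry a host-level control such as SC-41 (Port and I/O Device Access) or MP-7 (Media Use) is enforced and audited against. The following script is an added example, not part of the ATT&CK page or any MITRE tooling: it parses a constructed sample of Linux `kernel:` syslog lines, groups the messages by USB port, compares each device's vendor:product pair against an allowlist (a hypothetical site policy), and raises a higher-severity finding when an unapproved device registers as a HID input device or brings up a network interface. The device IDs, hostnames and log contents are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Linux kernel USB hotplug messages in syslog format.
# Vendor/product IDs are illustrative; only 046d:c52b is on the allowlist below.
SAMPLE_LOG = """\
Mar 12 09:14:02 ws01 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=24.11
Mar 12 09:14:02 ws01 kernel: usb 1-3: Product: USB Receiver
Mar 12 09:14:02 ws01 kernel: input: Logitech USB Receiver Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:046D:C52B.0001/input/input5
Mar 12 11:02:17 ws01 kernel: usb 1-4: New USB device found, idVendor=f000, idProduct=ff02, bcdDevice=1.00
Mar 12 11:02:17 ws01 kernel: usb 1-4: Product: Keyboard
Mar 12 11:02:17 ws01 kernel: input: Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:F000:FF02.0002/input/input6
Mar 12 11:30:44 ws01 kernel: usb 1-5: New USB device found, idVendor=0b95, idProduct=1790, bcdDevice=1.00
Mar 12 11:30:44 ws01 kernel: usb 1-5: Product: AX88179
Mar 12 11:30:44 ws01 kernel: ax88179_178a 1-5:1.0 eth1: register 'ax88179_178a' at usb-0000:00:14.0-5, ASIX AX88179 USB 3.0 Gigabit Ethernet
"""

# Hypothetical site policy: (idVendor, idProduct) pairs approved for use (SC-41 / MP-7).
ALLOWLIST = {("046d", "c52b")}

# Kernel message shapes we care about, keyed back to the USB port path (e.g. "1-3").
NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
INPUT_DEV = re.compile(r"input: (?P<name>.+) as (?P<path>/devices/\S+)")
NET_IF = re.compile(r"(?P<driver>\S+) (?P<port>[\d.-]+):\d+\.\d+ (?P<iface>\S+): register ")
PORT_IN_PATH = re.compile(r"/usb\d+/(?P<port>[\d.-]+)/")  # sysfs path -> port


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    input_names: list = field(default_factory=list)  # HID input nodes created
    net_ifaces: list = field(default_factory=list)   # network interfaces registered


def parse_hotplug_log(text: str) -> list:
    """Group kernel hotplug lines into one UsbDevice per USB port."""
    devices = {}
    for line in text.splitlines():
        if m := NEW_DEV.search(line):
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif m := PRODUCT.search(line):
            if m["port"] in devices:
                devices[m["port"]].product = m["name"]
        elif m := INPUT_DEV.search(line):
            # The input node's sysfs path carries the port it hangs off.
            p = PORT_IN_PATH.search(m["path"])
            if p and p["port"] in devices:
                devices[p["port"]].input_names.append(m["name"])
        elif m := NET_IF.search(line):
            if m["port"] in devices:
                devices[m["port"]].net_ifaces.append(m["iface"])
    return list(devices.values())


def assess(devices: list, allowlist=ALLOWLIST) -> list:
    """Return (severity, port, vid:pid, reason) tuples, one per device."""
    findings = []
    for d in devices:
        ident = f"{d.vid}:{d.pid}"
        if (d.vid, d.pid) in allowlist:
            findings.append(("info", d.port, ident, "allowlisted device"))
        elif d.input_names:
            findings.append(("high", d.port, ident,
                             "unapproved HID input device (keystroke injection risk)"))
        elif d.net_ifaces:
            findings.append(("high", d.port, ident,
                             "unapproved network adapter registered " + ",".join(d.net_ifaces)))
        else:
            findings.append(("medium", d.port, ident, "unapproved USB device"))
    return findings


if __name__ == "__main__":
    for sev, port, ident, reason in assess(parse_hotplug_log(SAMPLE_LOG)):
        print(f"[{sev:6}] port {port} {ident}: {reason}")
```

In production the same parser would be fed from journald or the syslog pipeline rather than an embedded string, and the allowlist would come from the asset inventory; the point of the split between `parse_hotplug_log` and `assess` is that the policy (what is approved, which device classes are treated as high risk) can change without touching the log parsing.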