Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-20 | Use of External Systems | Protects | T1200 | Hardware Additions |
| AC-3 | Access Enforcement | Protects | T1200 | Hardware Additions |
| AC-6 | Least Privilege | Protects | T1200 | Hardware Additions |
| MP-7 | Media Use | Protects | T1200 | Hardware Additions |
| SC-41 | Port and I/O Device Access | Protects | T1200 | Hardware Additions |
| action.hacking.vector.Physical access | Physical access or connection (i.e., at keyboard or via cable) | related-to | T1200 | Hardware Additions |