Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.06 | Production environment segregation | Mitigates | T1200 | Hardware Additions | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.PS-01.08 | End-user device protection | Mitigates | T1200 | Hardware Additions | This diagnostic statement protects endpoints from the introduction of hardware additions through configuration requirements, connection requirements, and other mechanisms that protect network, application, and data integrity. |
DE.CM-01.04 | Unauthorized device connection | Mitigates | T1200 | Hardware Additions | This diagnostic statement provides protection from hardware additions through endpoint security configuration and monitoring tools that detect and block the use of unauthorized or unknown devices and accessories. |
PR.DS-01.03 | Removable media protection | Mitigates | T1200 | Hardware Additions | This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity. |
PR.AA-05.01 | Access privilege limitation | Mitigates | T1200 | Hardware Additions | This diagnostic statement describes the implementation of the principle of least privilege, which can be applied by limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over the network can help mitigate this technique. Establish network access control policies, such as using device certificates and the 802.1X standard. Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1200 | Hardware Additions | This diagnostic statement protects against Hardware Additions through secure network configurations and architecture, implementation of a zero trust architecture, and segmentation. |
PR.IR-01.04 | Wireless network protection | Mitigates | T1200 | Hardware Additions | This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise. |
PR.PS-01.08 | End-user device protection | Mitigates | T1200 | Hardware Additions | This diagnostic statement protects against Hardware Additions by limiting access to resources to authorized devices only, managing personal computing devices, network intrusion prevention, and the use of antimalware. |

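As an added example (not part of this page or of the mapping text), a small detection for the DE.CM-01.04 "Unauthorized device connection" row above: it parses Linux kernel USB attach messages and flags any device whose vendor/product pair is not in an approved hardware inventory. The log lines, device IDs and the allowlist are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of Linux kernel USB attach messages (not captured from a real host);
# the vendor/product IDs are placeholders, not real USB-IF assignments.
SAMPLE_LOG = """\
Mar 03 09:12:01 ws-17 kernel: usb 1-1.2: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice=12.10
Mar 03 09:12:01 ws-17 kernel: usb 1-1.2: Product: Wireless Receiver
Mar 03 09:12:01 ws-17 kernel: usb 1-1.2: Manufacturer: ExampleCorp
Mar 03 09:14:37 ws-17 kernel: usb 1-1.4: New USB device found, idVendor=3c4d, idProduct=9999, bcdDevice=30.00
Mar 03 09:14:37 ws-17 kernel: usb 1-1.4: Product: USB Ethernet Adapter
Mar 03 09:14:37 ws-17 kernel: usb 1-1.4: Manufacturer: Unknown Vendor
"""

# Approved (idVendor, idProduct) pairs; in practice populated from the hardware inventory.
APPROVED_DEVICES = {("1a2b", "0001"): "Issued wireless keyboard receiver"}

NEW_DEVICE_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
                           r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DESCRIPTOR_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer): (?P<value>.+)$")

@dataclass
class UsbEvent:
    port: str
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""

def parse_usb_events(log_text):
    """One UsbEvent per 'New USB device found' line, enriched with the descriptor
    strings the kernel logs for the same port right after the attach."""
    latest_on_port, events = {}, []
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            ev = UsbEvent(m["port"], m["vid"], m["pid"])
            latest_on_port[m["port"]] = ev
            events.append(ev)
            continue
        m = DESCRIPTOR_RE.search(line)
        if m and m["port"] in latest_on_port:
            setattr(latest_on_port[m["port"]], m["key"].lower(), m["value"].strip())
    return events

def unauthorized_devices(log_text, approved=APPROVED_DEVICES):
    """Attach events whose vendor/product pair is not in the approved inventory."""
    return [ev for ev in parse_usb_events(log_text) if (ev.vid, ev.pid) not in approved]
```

Fed the sample above, `unauthorized_devices(SAMPLE_LOG)` returns only the second attach (the unapproved USB Ethernet adapter on port 1-1.4), which is the event worth alerting on.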
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
MP-07 | Media Use | mitigates | T1200 | Hardware Additions | |
SC-41 | Port and I/O Device Access | mitigates | T1200 | Hardware Additions | |
AC-20 | Use of External Systems | mitigates | T1200 | Hardware Additions | |
AC-03 | Access Enforcement | mitigates | T1200 | Hardware Additions | |
AC-06 | Least Privilege | mitigates | T1200 | Hardware Additions | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.vector.Physical access | Physical access or connection (i.e., at keyboard or via cable) | related-to | T1200 | Hardware Additions | |