An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.
Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).(Citation: Palo Alto Unit 42 North Korean IT Workers 2024)(Citation: Google Cloud Threat Intelligence DPRK IT Workers 2024)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DCS-09 | Equipment Identification | mitigates | T1219.003 | Remote Access Hardware |
Comments
An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. This control enforces equipment identification as part of connection authentication, mitigating attacker techniques such as device spoofing, rogue device connections, and unauthorized network access through unverified or compromised hardware. Blocking unknown devices and accessories by endpoint security configuration and monitoring agent can help with blocking this technique.
References
|