Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), man-in-the-middle encryption breaking (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), adding new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
---|---|---|---|---
AC-20 | Use of External Systems | Protects | T1200 | Hardware Additions |
AC-3 | Access Enforcement | Protects | T1200 | Hardware Additions |
AC-6 | Least Privilege | Protects | T1200 | Hardware Additions |
MP-7 | Media Use | Protects | T1200 | Hardware Additions |
SC-41 | Port and I/O Device Access | Protects | T1200 | Hardware Additions |
CVE-2019-3717 | Dell Client Commercial and Consumer platforms | exploitation_technique | T1200 | Hardware Additions |
CVE-2019-9019 | n/a | uncategorized | T1200 | Hardware Additions |
action.hacking.vector.Physical access | Physical access or connection (i.e., at keyboard or via cable) | related-to | T1200 | Hardware Additions |
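The controls mapped above (SC-41 port and I/O device access, MP-7 media use) are preventive; the detection side of T1200 is watching for devices that appear at the port. The following is an added example, not code from this page or from MITRE or NIST, that scans Linux kernel log lines for the three device classes the description calls out: an unlisted USB device, an unapproved HID keyboard (how a keystroke-injection tool such as a USB Rubber Ducky presents itself), and a newly registered USB network interface. The log lines, vendor/product IDs and allowlists are constructed assumptions for illustration; a real deployment would feed it `dmesg` or `journalctl -k` output and maintain the allowlist from an asset inventory.

```python
"""Flag unexpected USB devices from Linux kernel log lines (added example)."""
import re
from dataclasses import dataclass

# Assumption: site allowlists keyed by (idVendor, idProduct), lowercase hex.
ALLOWED_DEVICES = {("046d", "c52b"), ("0781", "5581")}
ALLOWED_KEYBOARDS = {("046d", "c52b")}

# Constructed sample of dmesg output (not from the page); IDs are illustrative.
SAMPLE_LOG = """\
[  101.2] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
[  101.3] hid-generic 0003:046D:C52B.0001: input,hidraw0: USB HID v1.11 Keyboard [Logitech USB Receiver] on usb-0000:00:14.0-1/input0
[  240.7] usb 1-3: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[  902.1] usb 1-4: New USB device found, idVendor=16c0, idProduct=0483, bcdDevice= 1.00
[  902.2] hid-generic 0003:16C0:0483.0002: input,hidraw1: USB HID v1.11 Keyboard [Teensyduino Keyboard/Mouse] on usb-0000:00:14.0-4/input0
[  950.0] usb 1-5: New USB device found, idVendor=0b95, idProduct=1790, bcdDevice= 1.00
[  950.1] ax88179_178a 1-5:1.0 eth1: register 'ax88179_178a' at usb-0000:00:14.0-5, ASIX AX88179 USB 3.0 Gigabit Ethernet, 00:11:22:33:44:55
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# hid-generic reports the device as 0003:VVVV:PPPP.N; "Keyboard" marks a HID keyboard interface.
HID_KEYBOARD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r".*USB HID v[\d.]+ Keyboard \[(?P<name>[^\]]+)\]"
)
# A USB network driver registering a new interface, e.g. "ax88179_178a 1-5:1.0 eth1: register".
USB_NIC = re.compile(r"^\S+ (?P<port>[\d.-]+):\d+\.\d+ (?P<iface>[a-z]+\d+): register ")


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str
    message: str


def scan_usb_log(text, allowed_devices=ALLOWED_DEVICES, allowed_keyboards=ALLOWED_KEYBOARDS):
    """Return one Finding per suspicious line; allowlisted devices produce nothing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = TIMESTAMP.sub("", raw)
        if m := NEW_DEVICE.search(line):
            key = (m["vid"].lower(), m["pid"].lower())
            if key not in allowed_devices:
                findings.append(Finding(line_no, "medium",
                    f"unlisted USB device {key[0]}:{key[1]} on port {m['port']}"))
        elif m := HID_KEYBOARD.search(line):
            key = (m["vid"].lower(), m["pid"].lower())
            if key not in allowed_keyboards:
                # A second, unknown keyboard is the signature of a keystroke-injection device.
                findings.append(Finding(line_no, "high",
                    f"unapproved keyboard '{m['name']}' ({key[0]}:{key[1]}): possible keystroke injection"))
        elif m := USB_NIC.search(line):
            # Any new USB NIC is worth review: it can tap, bridge, or MITM the host's traffic.
            findings.append(Finding(line_no, "high",
                f"new USB network interface {m['iface']} on port {m['port']}: possible rogue network path"))
    return findings


if __name__ == "__main__":
    for f in scan_usb_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.message}")
```

On the sample, lines 1 to 3 are silent (allowlisted) and lines 4 to 7 produce four findings. The keyboard check is the one that matters most for T1200: a device that enumerates as a keyboard needs no driver and no privilege beyond the logged-in user's, which is why SC-41 style port control (for example USBGuard or udev rules that authorize only listed vendor/product IDs) is the stronger complement to this kind of after-the-fact detection.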