T1200Techniqueinitial-accessagent-callable

T1200Hardware Additions

Platforms: Windows · Linux · macOS

ATT&CK version: 14.1

What it is

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)

ATT&CK tactics· 1

Initial Access

References

  1. https://attack.mitre.org/techniques/T1200
  2. https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html
  3. https://www.youtube.com/watch?v=lDvf4ScWbcQ
  4. https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/
  5. https://www.youtube.com/watch?v=fXthwl6ShOg
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.