
T1219.003Remote Access Hardware

Sub-technique of T1219

Platforms: Linux · macOS · Windows

ATT&CK version: v19.1

What it is

An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These devices, including IP-based keyboard, video, and mouse (KVM) units such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment. Remote access hardware may be physically installed and used post-compromise as an alternate communications channel, either for redundant access or as a way to establish an interactive remote session with the target system. Because the device acts as a physical keyboard, mouse, and display rather than as software on the host, hardware-based remote access may allow threat actors to bypass software security solutions and gain more control over the compromised device(s). [3][2]

ATT&CK tactics (1)

Command and Control

References

  1. https://attack.mitre.org/techniques/T1219/003
  2. https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/
  3. https://unit42.paloaltonetworks.com/north-korean-it-workers/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.