1. Home
  2. Techniques
  3. Enterprise
  4. Hardware Additions

Hardware Additions

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.[1][2][3][4]

ID: T1200
Sub-techniques:  No sub-techniques
Tactic: Initial Access
Platforms: Linux, Windows, macOS
Version: 1.6
Created: 18 April 2018
Last Modified: 30 March 2023
Version Permalink

Procedure Examples

ID Name Description
G0105 DarkVishnya

DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.[5]

Mitigations

ID Mitigation Description
M1035 Limit Access to Resource Over Network

Establish network access control policies, such as using device certificates and the 802.1x standard. [6] Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.
M1034 Limit Hardware Installation

Block unknown devices and accessories by endpoint security configuration and monitoring agent.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.
DS0016 Drive Drive Creation

Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.
DS0029 Network Traffic Network Traffic Flow

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

References

  1. Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.
  2. Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.
  3. Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.
  1. Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.
  2. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  3. Wikipedia. (2018, March 30). IEEE 802.1X. Retrieved April 11, 2018.