Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping , network traffic modification (i.e. Adversary-in-the-Middle) , keystroke injection , kernel memory reading via DMA , addition of new wireless access to an existing network , and others.
|M1035||Limit Access to Resource Over Network||
Establish network access control policies, such as using device certificates and the 802.1x standard.  Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.
|M1034||Limit Hardware Installation||
Block unknown devices and accessories by endpoint security configuration and monitoring agent.
Asset management systems may help with the detection of computer systems or network devices that should not exist on a network.
Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.