| ID | Name |
|---|---|
| T1219.001 | IDE Tunneling |
| T1219.002 | Remote Desktop Software |
| T1219.003 | Remote Access Hardware |
An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. Such hardware, including IP-based keyboard, video, and mouse (KVM) devices such as TinyPilot and PiKVM, is commonly used as a legitimate tool and may be allowed by peripheral device policies within a target environment.
Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).[1][2]
| ID | Mitigation | Description |
|---|---|---|
| M1034 | Limit Hardware Installation | Block the use of IP-based KVM devices within the network if they are not required. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0159 | Detect Remote Access via USB Hardware (TinyPilot, PiKVM) | AN0446 | Detection of USB-based remote access hardware (e.g., TinyPilot, PiKVM) attached to the host via drive or peripheral enumeration, triggering vendor identifiers or unusual EDID announcements. |
| DET0159 | Detect Remote Access via USB Hardware (TinyPilot, PiKVM) | AN0447 | Insertion of USB-based hardware proxies (e.g., PiKVM) which register under predictable names (e.g., tinypilot) or mount under known paths (e.g., /opt/tinypilot-privileged). |
| DET0159 | Detect Remote Access via USB Hardware (TinyPilot, PiKVM) | AN0448 | Attachment of hardware-backed USB KVM devices (e.g., TinyPilot) that enumerate new HID or serial communication interfaces with identifiable metadata. |
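The analytics above (AN0446 and AN0447) describe matching USB descriptor strings and known install paths. The following is an added example, not code from the ATT&CK page or from any of the named projects: it parses constructed dmesg-style USB enumeration lines, flags devices whose Product/Manufacturer strings match the names the page lists (tinypilot, pikvm), and checks a constructed path list against the /opt/tinypilot-privileged location the page names. The idVendor/idProduct values in the sample are placeholders and not real identifiers for any device; the log line shapes follow the Linux usb-core message format.

```python
"""Added example, not part of the ATT&CK page: toy detection logic in the
spirit of DET0159. Sample input is constructed; the idVendor/idProduct
values are placeholders, not real identifiers for any device."""
import re
from dataclasses import dataclass, field

# Device names the page lists as predictable identifiers of IP-KVM hardware.
KVM_NAME_RE = re.compile(r"tinypilot|pikvm", re.IGNORECASE)
# Filesystem path the page lists as a known mount location.
KVM_PATHS = ("/opt/tinypilot-privileged",)

# Optional "[  12.345]" timestamp prefix, then the kernel's usb-core messages.
_TS = r"^(?:\[\s*[\d.]+\]\s*)?"
NEW_DEVICE_RE = re.compile(
    _TS + r"usb (?P<bus>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
DESCRIPTOR_RE = re.compile(
    _TS + r"usb (?P<bus>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<value>.+)$")

# Constructed sample input: a hub followed by a KVM-like device (placeholder IDs).
SAMPLE_DMESG = [
    "[  10.101] usb 1-1: New USB device found, idVendor=0000, idProduct=0000",
    "[  10.102] usb 1-1: Product: USB2.0 Hub",
    "[  42.500] usb 1-1.2: New USB device found, idVendor=1234, idProduct=5678",
    "[  42.501] usb 1-1.2: Product: Keyboard/Mouse Emulator",
    "[  42.502] usb 1-1.2: Manufacturer: tinypilot",
    "[  42.503] usb 1-1.2: SerialNumber: CONSTRUCTED-0001",
]
# Constructed sample path list, as a file-integrity or inventory job might report it.
SAMPLE_PATHS = ["/opt/tinypilot-privileged", "/opt/vendor-tools", "/home/user"]


@dataclass
class UsbDevice:
    bus: str
    vid: str
    pid: str
    descriptors: dict = field(default_factory=dict)

    def text(self):
        """All descriptor strings joined, for name matching."""
        return " ".join(self.descriptors.values())


def parse_usb_events(lines):
    """Group usb-core log lines into one UsbDevice per bus address."""
    devices = {}
    for line in lines:
        m = NEW_DEVICE_RE.match(line)
        if m:
            devices[m["bus"]] = UsbDevice(m["bus"], m["vid"].lower(), m["pid"].lower())
            continue
        m = DESCRIPTOR_RE.match(line)
        if m and m["bus"] in devices:
            devices[m["bus"]].descriptors[m["key"]] = m["value"].strip()
    return list(devices.values())


def find_kvm_devices(devices, name_re=KVM_NAME_RE):
    """Devices whose Product/Manufacturer/Serial strings match a known IP-KVM name."""
    return [d for d in devices if name_re.search(d.text())]


def find_kvm_paths(paths, known=KVM_PATHS):
    """Paths that are, or sit under, a known IP-KVM install location."""
    return sorted(p for p in paths
                  if any(p == k or p.startswith(k + "/") for k in known))


def run_detection(lines=SAMPLE_DMESG, paths=SAMPLE_PATHS):
    """Summarise both checks in one record a SIEM rule could act on."""
    devices = parse_usb_events(lines)
    return {
        "devices_seen": len(devices),
        "kvm_devices": [(d.bus, d.vid, d.pid) for d in find_kvm_devices(devices)],
        "kvm_paths": find_kvm_paths(paths),
    }


if __name__ == "__main__":
    print(run_detection())
```

In production the name list would be extended with the vendor identifiers (USB VID/PID pairs) confirmed for the devices in your own inventory, and the path check would run from a file-integrity monitor rather than a static list; the example keeps both as inputs so the matching logic can be tested offline.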