T1200 - Hardware Additions

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)

Atomic Tests:

Currently, no tests are available for this technique.

Detection

Asset management systems may help with the detection of computer systems or network devices that should not exist on a network.

Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.

Shield Active Defense

Isolation

Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.

Using isolation, a defender can prevent potentially malicious activity before it starts or limit its effectiveness and scope. A defender can observe behaviors of adversaries or their tools without exposing them to unintended targets.

Opportunity

There is an opportunity to test hardware additions in an isolated environment and ensure they can’t be used by an adversary.

Use Case

A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors.

Procedures

Unplug an infected system from the network and disable any other means of communication. Run all user applications in isolated containers to prevent a compromise from expanding beyond the container’s boundaries.