Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping [1], network traffic modification (i.e. Adversary-in-the-Middle) [2], keystroke injection [3], kernel memory reading via DMA [4], addition of new wireless access to an existing network [5], and others.
ID | Name | Description |
---|---|---|
G0105 | DarkVishnya | DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.[6] |
ID | Mitigation | Description |
---|---|---|
M1035 | Limit Access to Resource Over Network | Establish network access control policies, such as using device certificates and the 802.1x standard.[7] Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems. |
M1034 | Limit Hardware Installation | Block unknown devices and accessories by endpoint security configuration and monitoring agent. |
Asset management systems may help with the detection of computer systems or network devices that should not exist on a network.
Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.
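As an added example (not code from the ATT&CK page), the asset-management check above can be automated by reconciling DHCP leases against a registered-device inventory. The leases text and the inventory below are constructed samples; the leases use ISC dhcpd leases-file syntax, and any active lease whose MAC is not registered is reported.

```python
import re

# Constructed sample in ISC dhcpd leases-file syntax (not real data).
SAMPLE_LEASES = """\
lease 10.0.1.20 {
  binding state active;
  hardware ethernet 3c:52:82:aa:bb:01;
  client-hostname "fin-ws-014";
}
lease 10.0.1.77 {
  binding state active;
  hardware ethernet b8:27:eb:12:34:56;
  client-hostname "raspberrypi";
}
lease 10.0.1.90 {
  binding state free;
  hardware ethernet 3c:52:82:aa:bb:02;
}
"""

# Constructed asset inventory: MAC address -> registered asset tag.
INVENTORY = {
    "3c:52:82:aa:bb:01": "FIN-WS-014",
    "3c:52:82:aa:bb:02": "FIN-WS-015",
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Parse lease blocks into dicts with ip, mac, hostname and state."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]{17});", body)
        if not mac:
            continue  # no hardware address recorded, nothing to reconcile
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        state = re.search(r"binding state\s+(\w+);", body)
        leases.append({"ip": m.group(1), "mac": mac.group(1).lower(),
                       "hostname": host.group(1) if host else "",
                       "state": state.group(1) if state else ""})
    return leases


def unregistered_devices(text, inventory):
    """Active leases whose MAC is absent from the asset inventory."""
    return [l for l in parse_leases(text)
            if l["state"] == "active" and l["mac"] not in inventory]


if __name__ == "__main__":
    for dev in unregistered_devices(SAMPLE_LEASES, INVENTORY):
        print(f"unregistered device: {dev['ip']} {dev['mac']} {dev['hostname']}")
```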