Remote Access Tools: Remote Access Hardware (T1219.003)

Tactic: Command and Control · Platforms: Linux, macOS, Windows

The interactive view maps 1 detection strategy, 1 mitigation to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Remote Access Tools (T1219).

Overview

An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.

Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).

Explore