Remote Access Tools: Remote Access Hardware

Other sub-techniques of Remote Access Tools (3)

ID	Name
T1219.001	IDE Tunneling
T1219.002	Remote Desktop Software
T1219.003	Remote Access Hardware

An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.

Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).^[1]^[2]

ID: T1219.003

Sub-technique of: T1219

ⓘ

Tactic: Command and Control

ⓘ

Platforms: Linux, Windows, macOS

Contributors: Joe Gumke, U.S. Bank; Michael Davis, ServiceNow Threat Intelligence; Shwetank Murarka

Version: 1.0

Created: 26 March 2025

Last Modified: 02 May 2025

Version Permalink

Live Version

Mitigations

ID	Mitigation	Description
M1034	Limit Hardware Installation	Block the use of IP-based KVM devices within the network if they are not required.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0016	Drive	Drive Creation	Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB and other external device communication ports. For example, by default TinyPilot declares its manufacturer name as `tinypilot` and its serial number as `6b65796d696d6570690` within the `/opt/tinypilot-privileged/init-usb-gadget` directory. It also announces itself as `TinyPilot` within its EDID (Extended Display Identification Data).^[3] Analytic 1 - USB Device Enumeration `(sourcetype="WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational" OR sourcetype="syslog")(EventCode=2003 OR EventCode=2100 OR message="tinypilot" OR message="TinyPilot")\| eval timestamp=_time\| table timestamp, host, user, DeviceClass, FriendlyName, VendorID, ProductID, SerialNumber\| sort by timestamp desc`

DS0016

Drive

Drive Creation

Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB and other external device communication ports. For example, by default TinyPilot declares its manufacturer name as tinypilot and its serial number as 6b65796d696d6570690 within the /opt/tinypilot-privileged/init-usb-gadget directory. It also announces itself as TinyPilot within its EDID (Extended Display Identification Data).^[3]

Analytic 1 - USB Device Enumeration

(sourcetype="WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational" OR sourcetype="syslog")(EventCode=2003 OR EventCode=2100 OR message="tinypilot" OR message="TinyPilot")| eval timestamp=_time| table timestamp, host, user, DeviceClass, FriendlyName, VendorID, ProductID, SerialNumber| sort by timestamp desc

References

TinyPilot. (n.d.). Can anyone detect when I'm using TinyPilot?. Retrieved March 26, 2025.