Skip to content

T1200 Hardware Additions

Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.1243

Item Value
ID T1200
Tactics TA0001
Platforms Linux, Windows, macOS
Version 1.6
Created 18 April 2018
Last Modified 30 March 2023

Procedure Examples

ID Name Description
G0105 DarkVishnya DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.6


ID Mitigation Description
M1035 Limit Access to Resource Over Network Establish network access control policies, such as using device certificates and the 802.1x standard. 5 Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.
M1034 Limit Hardware Installation Block unknown devices and accessories by endpoint security configuration and monitoring agent.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0016 Drive Drive Creation
DS0029 Network Traffic Network Traffic Flow