T1219.003 Remote Access Hardware
An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. This hardware, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, is commonly used for legitimate purposes and may be allowed by peripheral device policies within a target environment.
Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).[2][1]
| Item | Value |
|---|---|
| ID | T1219.003 |
| Sub-techniques | T1219.001, T1219.002, T1219.003 |
| Tactics | TA0011 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 26 March 2025 |
| Last Modified | 02 May 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1034 | Limit Hardware Installation | Block the use of IP-based KVM devices within the network if they are not required. |
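
One way to check endpoints against a "limit hardware installation" policy, as an added example that is not part of the ATT&CK entry: review a USB device inventory, flag any device whose descriptor strings contain one of the KVM names mentioned above, and flag any HID-class device that is not on an approved list. The JSON-lines inventory format, the host names, the vendor/product IDs and the allowlist are all constructed for illustration.

```python
import json

# Device names taken from the technique description, matched case-insensitively.
KVM_NAMES = ("tinypilot", "pikvm")
HID_CLASS = 0x03  # USB interface class code for human interface devices
# Constructed allowlist of approved (vendor id, product id) input devices.
APPROVED_HID = {("aaaa", "0001")}

# Constructed inventory: one JSON record per attached USB device.
SAMPLE_INVENTORY = """\
{"host": "ws-014", "vid": "aaaa", "pid": "0001", "manufacturer": "Example Corp", "product": "USB Keyboard", "classes": [3]}
{"host": "ws-014", "vid": "bbbb", "pid": "0104", "manufacturer": "PiKVM", "product": "Composite KVM Device", "classes": [3, 8]}
{"host": "ws-022", "vid": "cccc", "pid": "0002", "manufacturer": "Generic", "product": "USB Input Device", "classes": [3]}
{"host": "ws-022", "vid": "dddd", "pid": "0010", "manufacturer": "Example Corp", "product": "Flash Drive", "classes": [8]}
{"host": "ws-031", "vid": "aaaa", "pid": "0001", "manufacturer": "tinypilot", "product": "Multifunction USB Device", "classes": [3]}
"""

def review_device(dev):
    """Return the reasons a device record needs review (empty list = ok)."""
    reasons = []
    strings = f"{dev.get('manufacturer', '')} {dev.get('product', '')}".lower()
    if any(name in strings for name in KVM_NAMES):
        reasons.append("kvm-name")
    # Descriptor strings are device-supplied, so the allowlist is the primary check.
    is_hid = HID_CLASS in dev.get("classes", [])
    if is_hid and (dev["vid"].lower(), dev["pid"].lower()) not in APPROVED_HID:
        reasons.append("unapproved-hid")
    return reasons

def review_inventory(text):
    """Parse JSON-lines inventory text and return (host, usb id, reasons) findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dev = json.loads(line)
        reasons = review_device(dev)
        if reasons:
            findings.append((dev["host"], f"{dev['vid']}:{dev['pid']}", reasons))
    return findings

if __name__ == "__main__":
    for host, usb_id, reasons in review_inventory(SAMPLE_INVENTORY):
        print(host, usb_id, ",".join(reasons))
```

A name match is reported even when the vendor/product ID is on the allowlist, as in the last sample record.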
References
1. Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, and Alice Revelli. (2024, September 23). Staying a Step Ahead: Mitigating the DPRK IT Worker Threat. Retrieved March 26, 2025.
2. Evan Gordenker. (2024, November 13). Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them. Retrieved March 26, 2025.