T1200: Hardware Additions

Hardware Additions is an initial access technique where an adversary physically introduces a device or accessory into an environment to create a new path into systems or networks. For leaders, the key issue is not just “USB risk”; it is whether physical access, endpoint hardware policy, and network access controls are coordinated well enough to stop or quickly identify an unapproved device that changes the trust boundary.

Executive priority

Prioritize this where physical access to offices, branches, data centers, trading floors, labs, or operational sites could translate into network access. The business question is whether facilities controls, endpoint controls, network segmentation, and incident response procedures produce auditable evidence that only approved hardware can connect or operate. This matters for resilience because a small unauthorized device can become an initial-access foothold before traditional SOC alerts have enough context.

Technical view

ATT&CK maps T1200 to Initial Access across Windows, Linux, and macOS. MITRE does not provide official detection text, so teams should validate coverage against the related detection strategy DET0069 for unauthorized or suspicious hardware additions across USB, Thunderbolt, and network-connected devices. SOC and IR teams should test whether they can identify newly attached peripherals, driver or device installation events, unexpected network interfaces, rogue network hardware, and new wireless access points. Because ATT&CK references capabilities such as passive network tapping, traffic modification, keystroke injection, DMA-style access, and added wireless access points, defenders should treat this as a combined physical, endpoint, and network visibility problem rather than an endpoint-only use case.

Likely telemetry

Endpoint device insertion and hardware inventory records for Windows, Linux, and macOS systems
USB, Thunderbolt, peripheral, and driver installation or usage logs where available
Endpoint security tool events for blocked or newly observed hardware
Network access control, switch port, DHCP, ARP, and asset discovery records for newly connected devices
Wireless monitoring or inventory evidence for unapproved access points

Detection direction

Validate whether DET0069-style logic is implemented for unauthorized or suspicious USB, Thunderbolt, and network hardware additions.
Correlate new device observations with approved asset inventories, known user activity, location, and physical access records to reduce false positives from legitimate peripherals or IT maintenance.
Tune for high-risk patterns such as previously unseen network devices, unexpected interfaces on endpoints, unapproved wireless infrastructure, or hardware appearing in sensitive locations.
Account for blind spots: MITRE provides no official detection guidance for T1200, and hardware that passively taps traffic or operates outside managed endpoints may not generate endpoint alerts.
Use the relationship to DarkVishnya as threat-intelligence context only; do not assume local exposure or current activity without environment-specific evidence.

Mitigation priorities

Start with M1034: limit hardware installation through policy and technical controls such as restricting unapproved peripherals, disabling unnecessary ports where appropriate, restricting driver installation, and monitoring/blocking unapproved devices.
Apply M1035: limit access to network resources so that a newly connected or unauthorized device cannot freely reach file shares, remote systems, or sensitive services without a legitimate business requirement.
Maintain an approved hardware and network asset inventory that SOC, IT, and facilities teams can use during triage.
Coordinate physical security, visitor/vendor management, endpoint control, and network access processes so hardware introduction is treated as an initial-access risk, not only a facilities issue.
Prepare IR playbooks for suspected unauthorized hardware that include containment, evidence preservation, network review, and physical location checks.

Analyst notes and limits

Public ATT&CK references for threat actor usage are described as scarce, while red teams and penetration testers commonly use this class of technique. The supplied relationship shows DarkVishnya used this technique and identifies the group as financially motivated with historical targeting of Eastern European financial institutions in 2017-2018. That relationship is useful for scenario planning, especially in financial environments, but it should not be generalized into claims of current exploitation.

The ATT&CK object has no official detection text, no procedure details beyond the supplied group relationship, and no environment-specific indicators. Coverage depends heavily on local physical security, endpoint management, network access control, wireless monitoring, and asset inventory quality.

Official MITRE ATT&CK definition

Hardware Additions

Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. Adversary-in-the-Middle), keystroke injection, kernel memory reading via DMA, addition of new wireless access points to an existing network, and others.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

G0105: DarkVishnya

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]

Relationship explorer

All related ATT&CK context

uses · Group G0105: DarkVishnya Enterprise mitigates · Mitigation M1035: Limit Access to Resource Over Network Enterprise detects · Detection Strategy DET0069: Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) Enterprise mitigates · Mitigation M1034: Limit Hardware Installation Enterprise

Mitigations

Mitigation direction

M1035: Limit Access to Resource Over Network

Restrict access to network resources, such as file shares, remote systems, and services, to only those users, accounts, or systems with a legitimate business requirement. This can include employing technologies like network concentrators, RDP gateways, and zero-trust network access (ZTNA) models, alongside hardening services and protocols. This mitigation can be implemented through the following measures:

Audit and Restrict Access:

- Regularly audit permissions for file shares, network services, and remote access tools. - Remove unnecessary access and enforce least privilege principles for users and services. - Use Active Directory and IAM tools to restrict access based on roles and attributes.

Deploy Secure Remote Access Solutions:

- Use RDP gateways, VPN concentrators, and ZTNA solutions to aggregate and secure remote access connections. - Configure access controls to restrict connections based on time, device, and user identity. - Enforce MFA for all remote access mechanisms.

Disable Unnecessary Services:

- Identify running services using tools like netstat (Windows/Linux) or Nmap. - Disable unused services, such as Telnet, FTP, and legacy SMB, to reduce the attack surface. - Use firewall rules to block traffic on unused ports and protocols.

Network Segmentation and Isolation:

- Use VLANs, firewalls, or micro-segmentation to isolate critical network resources from general access. - Restrict communication between subnets to prevent lateral movement.

Monitor and Log Access:

- Monitor access attempts to file shares, RDP, and remote network resources using SIEM tools. - Enable auditing and logging for successful and failed attempts to access restricted resources.

*Tools for Implementation*

File Share Management:

- Microsoft Active Directory Group Policies - Samba (Linux/Unix file share management) - AccessEnum (Windows access auditing tool)

Secure Remote Access:

- Microsoft Remote Desktop Gateway - Apache Guacamole (open-source RDP/VNC gateway) - Zero Trust solutions: Tailscale, Cloudflare Zero Trust

Service and Protocol Hardening:

- Nmap or Nessus for network service discovery - Windows Group Policy Editor for disabling SMBv1, Telnet, and legacy protocols - iptables or firewalld (Linux) for blocking unnecessary traffic

Network Segmentation:

- pfSense for open-source network isolation

M1034: Limit Hardware Installation

Prevent unauthorized users or groups from installing or using hardware, such as external drives, peripheral devices, or unapproved internal hardware components, by enforcing hardware usage policies and technical controls. This includes disabling USB ports, restricting driver installation, and implementing endpoint security tools to monitor and block unapproved devices. This mitigation can be implemented through the following measures:

Disable USB Ports and Hardware Installation Policies:

- Use Group Policy Objects (GPO) to disable USB mass storage devices: - Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access. - Deny write and read access to USB devices. - Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.

Deploy Endpoint Protection and Device Control Solutions:

- Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware. - Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.

Harden BIOS/UEFI and System Firmware:

- Set strong passwords for BIOS/UEFI access. - Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.

Restrict Peripheral Devices and Drivers:

- Use Windows Device Manager Policies to block installation of unapproved drivers. - Monitor hardware installation attempts through endpoint monitoring tools.

Disable Bluetooth and Wireless Hardware:

- Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems. - Restrict hardware pairing to approved devices only.

Logging and Monitoring:

- Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager). - Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.

*Tools for Implementation*

USB and Device Control:

- Microsoft Group Policy Objects (GPO) - Microsoft Defender for Endpoint - Symantec Endpoint Protection - McAfee Device Control

Endpoint Monitoring:

- EDRs - OSSEC (open-source host-based IDS)

Hardware Whitelisting:

- BitLocker for external drives (Windows) - Windows Device Installation Policies - Device Control

BIOS/UEFI Security:

- Secure Boot (Windows/Linux) Firmware management tools like Dell Command Update or HP Sure Start

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.7
Created: Apr 18, 2018, 17:59 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:49 UTC (UTC+00:00)
Raw hash: 31cfa6fe47a01460...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.7	Oct 24, 2025, 17:49 UTC (UTC+00:00)	Current bundle	`31cfa6fe47a0…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Ossmann Star Feb 2011

Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018.
Open source URL
[2]
Aleks Weapons Nov 2015

Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018.
Open source URL
[3]
Frisk DMA August 2016

Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018.
Open source URL
[4]
McMillan Pwn March 2012

Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.
Open source URL
[5]
mitre-attack T1200
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams