MITRE ATT&CK® Technique

T1219.003: Remote Access Hardware

An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.

Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).[1][2]

Domain: Enterprise. ID: T1219.003. Type: Sub-technique. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Remote Access Hardware covers the use of legitimate hardware-based remote access devices, such as IP KVM tools, to create an interactive command-and-control path into Linux, macOS, or Windows systems. The business significance is that this can move remote access outside normal software visibility: a device physically connected to a workstation may provide keyboard, video, and mouse control even when endpoint tools, remote desktop logs, or software allow/block lists look clean.

Executive priority

Treat this as a physical-access and endpoint-control risk, not only a malware or remote access software problem. Leaders should ask whether hardware installation is governed, whether USB/peripheral policy is enforceable, and whether SOC and IR teams can verify suspicious hands-on-keyboard activity when the access path may not appear as a normal remote access application. This is material for operational resilience, insider/contractor governance, audit evidence around device control, and incident scoping where physical or hardware-level access is plausible.

Technical view

ATT&CK places this sub-technique under Remote Access Tools for command-and-control across Linux, macOS, and Windows. Because MITRE provides no official detection text, teams should validate coverage using the related detection strategy DET0159, Detect Remote Access via USB Hardware (TinyPilot, PiKVM), and the related mitigation M1034, Limit Hardware Installation. SOC and IR teams should focus on whether endpoint, device-control, and physical asset processes can identify newly attached or unauthorized KVM-like hardware, unusual peripheral patterns, and interactive activity that lacks a corresponding approved remote access software session.

Likely telemetry

  • Endpoint device and peripheral inventory records
  • USB and hardware installation events where available
  • Driver installation or device enumeration logs
  • Endpoint security alerts for unapproved hardware or peripheral use
  • Physical asset management and workstation inspection records

Detection direction

  • Validate whether DET0159-style logic exists for remote access via USB hardware such as TinyPilot or PiKVM.
  • Compare interactive user activity against approved remote access software records; gaps may indicate hardware-level access or local/physical activity requiring investigation.
  • Tune for environment-specific approved peripherals and support workflows to reduce false positives from legitimate KVM, lab, desktop support, or data center use.
  • Confirm whether device-control telemetry is collected consistently across Linux, macOS, and Windows; platform coverage may vary by control and logging configuration.
  • Include physical inspection and asset-management checks in IR playbooks when software telemetry does not explain apparent hands-on-keyboard behavior.

Mitigation priorities

  • Prioritize M1034: limit unauthorized hardware installation and peripheral use through policy and technical controls.
  • Define and maintain an approved inventory of remote access hardware and KVM devices.
  • Restrict or monitor USB ports and driver installation where operationally feasible.
  • Require approval and documentation for desktop support or administrative use of hardware-based remote access.
  • Use endpoint security and device-control capabilities to monitor or block unapproved devices, while accounting for legitimate operational exceptions.
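
The detection direction above (newly attached KVM-like hardware, compared against an approved peripheral inventory) can be checked from Linux kernel USB enumeration and HID binding messages. The following is an added example, not Glexia or MITRE code; the vendor/product IDs, device names and log lines are constructed samples, not identifiers of any real product.

```python
"""Flag USB HID devices that are not in the approved peripheral inventory.

Input is Linux kernel log text (dmesg / journalctl -k). An IP KVM attached to
a host presents as a USB gadget binding both a Keyboard and a Mouse HID
function, so unapproved devices with that pair are reported first.
All IDs and log lines below are constructed sample values.
"""
import re

# "usb 1-1.2: New USB device found, idVendor=aaaa, idProduct=bbbb, ..."
NEW_DEV = re.compile(
    r"usb [\d\-.]+: New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
# "hid-generic 0003:AAAA:BBBB.0001: input,hidraw0: USB HID v1.11 Keyboard [name] on ..."
HID_BIND = re.compile(
    r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*USB HID v[\d.]+ (Keyboard|Mouse)")

def parse_usb_hid(lines):
    """Return {(vid, pid): set of HID functions} for every device that enumerated."""
    devices = {}
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            devices.setdefault((m[1].lower(), m[2].lower()), set())
            continue
        m = HID_BIND.search(line)
        if m:
            devices.setdefault((m[1].lower(), m[2].lower()), set()).add(m[3])
    return devices

def find_unapproved(devices, approved):
    """Return [(vid, pid, sorted functions)] for devices outside the inventory,
    with Keyboard+Mouse composite devices (the KVM pattern) listed first."""
    findings = [(vid, pid, sorted(funcs))
                for (vid, pid), funcs in devices.items() if (vid, pid) not in approved]
    findings.sort(key=lambda f: not {"Keyboard", "Mouse"} <= set(f[2]))
    return findings

# Approved inventory: constructed sample IDs for the corporate keyboard and mouse.
APPROVED = {("1111", "0001"), ("1111", "0002")}

SAMPLE_LOG = [  # constructed dmesg-style lines, not captured from a real host
    "usb 1-1.1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00",
    "hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Approved KB] on usb-0000:00:14.0-1.1/input0",
    "usb 1-1.2: New USB device found, idVendor=2222, idProduct=abcd, bcdDevice= 6.01",
    "hid-generic 0003:2222:ABCD.0002: input,hidraw1: USB HID v1.01 Keyboard [Composite Gadget] on usb-0000:00:14.0-1.2/input0",
    "hid-generic 0003:2222:ABCD.0003: input,hidraw2: USB HID v1.01 Mouse [Composite Gadget] on usb-0000:00:14.0-1.2/input1",
    "usb 1-1.3: New USB device found, idVendor=3333, idProduct=0010, bcdDevice= 2.00",
    "hid-generic 0003:3333:0010.0004: input,hidraw3: USB HID v1.11 Mouse [Travel Mouse] on usb-0000:00:14.0-1.3/input0",
]

if __name__ == "__main__":
    for vid, pid, funcs in find_unapproved(parse_usb_hid(SAMPLE_LOG), APPROVED):
        print(f"unapproved USB HID device {vid}:{pid} functions={funcs}")
```

A finding is a prompt for the asset-management and physical inspection step, not a verdict: the same pattern is produced by an approved KVM or a keyboard-plus-trackpad combo that is simply missing from the inventory.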

Analyst notes and limits

This technique is newly represented in the supplied ATT&CK object as version 1.0 and is a sub-technique of T1219, Remote Access Tools. Its defensive value is in closing the gap between cyber monitoring and physical/peripheral governance. The cited external references are the official sources supplied by MITRE, but this summary does not infer attribution or customer exposure beyond the ATT&CK description and relationships.

MITRE provides no official detection text for this object. The supplied relationship identifies a relevant detection strategy, but no detailed analytics, data components, or platform-specific logging requirements were provided. Local validation is required to determine whether device-control, endpoint, network, and physical asset telemetry can actually observe this behavior.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                  Relationship / procedure
Enterprise  T1219   Remote Access Tools   This object is a sub-technique of Remote Access Tools.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 4406f810aaf5d338...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  4406f810aaf5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Evan Gordenker. (2024, November 13). Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them. Palo Alto Unit 42. Retrieved March 26, 2025.
  [2] Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, and Alice Revelli. (2024, September 23). Staying a Step Ahead: Mitigating the DPRK IT Worker Threat. Google Cloud Threat Intelligence. Retrieved March 26, 2025.
  [3] mitre-attack. T1219.003: Remote Access Hardware.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.