T1200

Hardware Additions

Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network to gain access or expand capabilities. Hardware additions range from passive network taps (Throwing Star LAN Tap) to active keystroke injection devices (USB Rubber Ducky, Bash Bunny, O.MG Cable), rogue wireless access points, DMA attack devices (PCILeech), and fully autonomous compute devices (Raspberry Pi, netbooks) providing persistent network footholds. Unlike purely software-based attacks, hardware additions require physical proximity to target systems and can bypass many software security controls by presenting as trusted peripherals. The DarkVishnya threat group is documented connecting Bash Bunny, Raspberry Pi, and inexpensive netbooks directly to victim organization networks to establish persistent access and conduct internal reconnaissance. Detection relies primarily on monitoring for unexpected device class connections via Windows Plug and Play audit events, correlating new HID device connections with subsequent automated keystroke injection patterns, and identifying new network interfaces with unknown MAC addresses appearing on internal segments.

Microsoft Sentinel / Defender

kusto

// T1200 Hardware Additions — Detects suspicious USB/HID/network device connections via Security Event 6416
// Requires: Advanced Audit Policy > Detailed Tracking > Audit PNP Activity = Success
let KnownPentestVIDs = dynamic([
    "VID_2B04",  // Hak5 (Bash Bunny, Rubber Ducky, LAN Turtle, Signal Owl)
    "VID_16D0",  // MCS / Digispark ATTiny85 HID injectors
    "VID_2E8A",  // Raspberry Pi Foundation (Pi Pico USB gadget mode)
    "VID_2341",  // Arduino (commonly repurposed for HID attacks)
    "VID_1B4F",  // SparkFun Electronics (BadUSB research boards)
    "VID_221A",  // ZTEX USB FPGA (DMA research hardware)
    "VID_04D8"   // Microchip Technology (common in DIY HID injectors)
]);
let LegitimatePeripheralVIDs = dynamic([
    "VID_045E",  // Microsoft
    "VID_046D",  // Logitech
    "VID_05AC",  // Apple
    "VID_413C",  // Dell
    "VID_03F0",  // HP
    "VID_17EF",  // Lenovo
    "VID_047D",  // Kensington
    "VID_046A",  // Cherry
    "VID_1B1C",  // Corsair
    "VID_1532",  // Razer
    "VID_1038",  // SteelSeries
    "VID_04B3",  // IBM
    "VID_04CA",  // Lite-On Technology
    "VID_0461"   // Primax Electronics
]);
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 6416
| parse EventData with * 'Name="ClassName">' ClassName '</Data>' *
| parse EventData with * 'Name="DeviceId">' DeviceId '</Data>' *
| parse EventData with * 'Name="HardwareIds">' HardwareIds '</Data>' *
| parse EventData with * 'Name="ClassId">' ClassId '</Data>' *
| parse EventData with * 'Name="SubjectUserName">' SubjectUserName '</Data>' *
| parse EventData with * 'Name="SubjectDomainName">' SubjectDomain '</Data>' *
| extend IsHIDDevice = ClassName =~ "HIDClass"
| extend IsNetworkDevice = ClassName in~ ("Net", "WLAN", "Bluetooth", "Net Service")
| extend IsKnownPentestVID = HardwareIds has_any (KnownPentestVIDs)
| extend IsLegitimateVendor = HardwareIds has_any (LegitimatePeripheralVIDs)
| extend IsSuspiciousHID = IsHIDDevice and not IsLegitimateVendor and HardwareIds !has "Mouse" and HardwareIds !has "Keyboard"
| extend IsSuspiciousNetDevice = IsNetworkDevice and not IsLegitimateVendor and (DeviceId has "USB" or HardwareIds has "USB")
| extend SuspicionScore = toint(IsKnownPentestVID) * 3 + toint(IsSuspiciousHID) + toint(IsSuspiciousNetDevice)
| where SuspicionScore > 0 or IsKnownPentestVID
| extend RiskReason = case(
    IsKnownPentestVID, "Known pentest/attack hardware VID detected",
    IsSuspiciousHID, "Unknown vendor HID device — possible keystroke injector",
    IsSuspiciousNetDevice, "Unknown USB network device — possible LAN tap or rogue adapter",
    "Suspicious device class connection")
| project TimeGenerated, Computer, SubjectUserName, SubjectDomain, EventID,
         ClassName, ClassId, DeviceId, HardwareIds,
         IsHIDDevice, IsNetworkDevice, IsKnownPentestVID, SuspicionScore, RiskReason
| sort by SuspicionScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Driver: Driver Load Hardware: Hardware Windows Security Event Log Plug and Play Activity

Required Tables

SecurityEvent

False Positives

IT administrators and developers connecting legitimate USB development boards (Arduino, Raspberry Pi Pico for hobby projects) — VIDs overlap with those used for attacks
Employees connecting unrecognized third-party peripherals (generic USB keyboards, mice, USB-to-Ethernet adapters from lesser-known brands) not in the approved vendor list
Virtual machine host software creating virtual network adapters (VMware VMXNET, Hyper-V Virtual Network Adapter) that trigger device connection events
OT/SCADA technicians connecting USB-to-Serial or USB-to-RS485 adapters for legitimate industrial equipment management
Laptop docking stations presenting built-in NICs as new USB network devices when first connected to a new dock

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=6416
| rex field=EventData "Name=\"ClassName\">(?P<ClassName>[^<]+)<"
| rex field=EventData "Name=\"DeviceId\">(?P<DeviceId>[^<]+)<"
| rex field=EventData "Name=\"HardwareIds\">(?P<HardwareIds>[^<]+)<"
| rex field=EventData "Name=\"ClassId\">(?P<ClassId>[^<]+)<"
| rex field=EventData "Name=\"SubjectUserName\">(?P<SubjectUserName>[^<]+)<"
| rex field=EventData "Name=\"SubjectDomainName\">(?P<SubjectDomain>[^<]+)<"
| eval IsHIDDevice=if(lower(ClassName)="hidclass", 1, 0)
| eval IsNetworkDevice=if(match(lower(ClassName), "(^net$|wlan|bluetooth|net service)"), 1, 0)
| eval IsKnownPentestVID=if(match(HardwareIds, "(VID_2B04|VID_16D0|VID_2E8A|VID_2341|VID_1B4F|VID_221A|VID_04D8)"), 1, 0)
| eval IsLegitimateVendor=if(match(HardwareIds, "(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF|VID_047D|VID_046A|VID_1B1C|VID_1532|VID_1038|VID_04B3|VID_04CA|VID_0461)"), 1, 0)
| eval IsSuspiciousHID=if(IsHIDDevice=1 AND IsLegitimateVendor=0, 1, 0)
| eval IsUSBNetDevice=if(IsNetworkDevice=1 AND IsLegitimateVendor=0 AND (match(DeviceId, "USB") OR match(HardwareIds, "USB")), 1, 0)
| eval SuspicionScore=(IsKnownPentestVID * 3) + IsSuspiciousHID + IsUSBNetDevice
| where SuspicionScore > 0
| eval RiskReason=case(
    IsKnownPentestVID=1, "Known pentest/attack hardware VID detected",
    IsSuspiciousHID=1, "Unknown vendor HID device — possible keystroke injector",
    IsUSBNetDevice=1, "Unknown USB network adapter — possible LAN tap",
    1=1, "Suspicious device class connection")
| table _time, host, SubjectUserName, SubjectDomain, EventCode, ClassName, ClassId, DeviceId, HardwareIds, IsHIDDevice, IsNetworkDevice, IsKnownPentestVID, SuspicionScore, RiskReason
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Driver: Driver Load Hardware: Hardware Windows Security Event Log Plug and Play Activity

Required Sourcetypes

WinEventLog:Security

False Positives

IT administrators and developers connecting legitimate USB development boards (Arduino, Raspberry Pi Pico) whose VIDs overlap with attack tooling
Employees connecting generic/unbranded USB peripherals not in the approved vendor list
VMware, Hyper-V, or VirtualBox virtual network adapters triggering USB network device events
OT/SCADA technicians connecting USB-to-Serial adapters for industrial equipment
Docking station NICs presenting as new devices on first connection to an unfamiliar dock

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  username AS SubjectUserName,
  EXTRACT("SubjectDomainName", EventData) AS SubjectDomain,
  hostname AS ComputerName,
  EXTRACT("ClassName", EventData) AS ClassName,
  EXTRACT("DeviceId", EventData) AS DeviceId,
  EXTRACT("HardwareIds", EventData) AS HardwareIds,
  CASE
    WHEN EXTRACT("HardwareIds", EventData) MATCHES '(?i)(VID_2B04|VID_16D0|VID_2E8A|VID_2341|VID_1B4F|VID_221A|VID_04D8)'
      THEN 'Known pentest/attack hardware VID detected'
    WHEN LOWER(EXTRACT("ClassName", EventData)) = 'hidclass'
      AND NOT EXTRACT("HardwareIds", EventData) MATCHES '(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF|VID_047D|VID_046A)'
      THEN 'Unknown vendor HID device — possible keystroke injector'
    WHEN EXTRACT("ClassName", EventData) MATCHES '(?i)(^Net$|WLAN|Bluetooth)'
      AND EXTRACT("DeviceId", EventData) MATCHES '(?i)USB'
      AND NOT EXTRACT("HardwareIds", EventData) MATCHES '(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF)'
      THEN 'Unknown USB network adapter — possible LAN tap'
    ELSE 'Suspicious device class connection'
  END AS RiskReason
FROM events
WHERE
  LOGSOURCETYPEID = 12 /* Microsoft Windows Security Event Log */
  AND qidname(qid) = 'A new external device was recognized by the system'
  AND eventid = 6416
  AND (
    EXTRACT("HardwareIds", EventData) MATCHES '(?i)(VID_2B04|VID_16D0|VID_2E8A|VID_2341|VID_1B4F|VID_221A|VID_04D8)'
    OR (
      LOWER(EXTRACT("ClassName", EventData)) = 'hidclass'
      AND NOT EXTRACT("HardwareIds", EventData) MATCHES '(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF|VID_047D|VID_046A|VID_1B1C|VID_1532|VID_1038|VID_04B3|VID_04CA|VID_0461)'
    )
    OR (
      EXTRACT("ClassName", EventData) MATCHES '(?i)(^Net$|WLAN|Bluetooth|Net Service)'
      AND EXTRACT("DeviceId", EventData) MATCHES '(?i)USB'
      AND NOT EXTRACT("HardwareIds", EventData) MATCHES '(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF)'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM Microsoft Windows Security Event Log (LOGSOURCETYPEID 12)

Required Tables

events

False Positives

Niche or regional peripheral vendors not included in the legitimate VID allowlist triggering false HID alerts
IT helpdesk technicians connecting USB diagnostic tools or specialty input devices during troubleshooting sessions
USB tethering from employee mobile phones creating USB network interfaces classified as suspicious adapters

Sumo Logic CSE

sql

_sourceCategory=windows/security (EventCode=6416 OR EventID=6416)
| parse regex field=EventData "Name=\"ClassName\">(?P<ClassName>[^<]+)<"
| parse regex field=EventData "Name=\"DeviceId\">(?P<DeviceId>[^<]+)<"
| parse regex field=EventData "Name=\"HardwareIds\">(?P<HardwareIds>[^<]+)<"
| parse regex field=EventData "Name=\"ClassId\">(?P<ClassId>[^<]+)<"
| parse regex field=EventData "Name=\"SubjectUserName\">(?P<SubjectUserName>[^<]+)<"
| parse regex field=EventData "Name=\"SubjectDomainName\">(?P<SubjectDomain>[^<]+)<"
| eval IsKnownPentestVID = if(matches(HardwareIds, "(?i)(VID_2B04|VID_16D0|VID_2E8A|VID_2341|VID_1B4F|VID_221A|VID_04D8)"), 1, 0)
| eval IsLegitimateVendor = if(matches(HardwareIds, "(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF|VID_047D|VID_046A|VID_1B1C|VID_1532|VID_1038|VID_04B3|VID_04CA|VID_0461)"), 1, 0)
| eval IsHIDDevice = if(toLowerCase(ClassName) = "hidclass", 1, 0)
| eval IsNetworkDevice = if(matches(toLowerCase(ClassName), "(^net$|wlan|bluetooth|net service)"), 1, 0)
| eval IsSuspiciousHID = if(IsHIDDevice = 1 AND IsLegitimateVendor = 0, 1, 0)
| eval IsUSBNetDevice = if(IsNetworkDevice = 1 AND IsLegitimateVendor = 0 AND (matches(DeviceId, "(?i)USB") OR matches(HardwareIds, "(?i)USB")), 1, 0)
| eval SuspicionScore = (IsKnownPentestVID * 3) + IsSuspiciousHID + IsUSBNetDevice
| where SuspicionScore > 0
| eval RiskReason = if(IsKnownPentestVID = 1, "Known pentest/attack hardware VID detected",
    if(IsSuspiciousHID = 1, "Unknown vendor HID device — possible keystroke injector",
    if(IsUSBNetDevice = 1, "Unknown USB network adapter — possible LAN tap",
    "Suspicious device class connection")))
| fields _messagetime, _sourceHost, SubjectUserName, SubjectDomain, ClassName, ClassId, DeviceId, HardwareIds, IsHIDDevice, IsNetworkDevice, IsKnownPentestVID, SuspicionScore, RiskReason
| sort by SuspicionScore desc, _messagetime desc

high severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector Windows Event Log source with Security channel

Required Tables

windows/security (or equivalent _sourceCategory mapping)

False Positives

Custom-built or OEM peripherals from small vendors whose VIDs are not in the legitimate vendor allowlist
USB docking stations with integrated NIC presenting as unknown USB network devices on hot-plug
Security researchers or red teamers using attack hardware in an authorized penetration testing engagement on the monitored network

Google Chronicle / SecOps

yaral

rule t1200_hardware_additions_suspicious_usb_device {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1200 Hardware Additions — suspicious USB HID or network device connections via Windows PnP Event 6416. Flags known pentest hardware VIDs (Hak5, Digispark, Raspberry Pi Pico, Arduino), unknown HID devices, and unknown USB network adapters."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1200"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "STATUS_UPDATE"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e.metadata.product_event_type = "6416"
    $e.principal.hostname = $hostname

    (
      /* Known pentest hardware VIDs */
      re.regex($e.target.resource.name, `(?i)(VID_2B04|VID_16D0|VID_2E8A|VID_2341|VID_1B4F|VID_221A|VID_04D8)`) or

      /* Unknown HID device — not from known legitimate vendor */
      (
        re.regex($e.target.resource.type, `(?i)hidclass`) and
        not re.regex($e.target.resource.name, `(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF|VID_047D|VID_046A|VID_1B1C|VID_1532|VID_1038|VID_04B3|VID_04CA|VID_0461)`)
      ) or

      /* Unknown USB network device — possible LAN tap or rogue adapter */
      (
        re.regex($e.target.resource.type, `(?i)(^net$|wlan|bluetooth|net service)`) and
        re.regex($e.target.resource.attribute.labels["DeviceId"], `(?i)USB`) and
        not re.regex($e.target.resource.name, `(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF)`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle Windows Event Log Ingestion Bindplane or Chronicle Forwarder with Windows Security log

Required Tables

UDM events with metadata.product_event_type = 6416

False Positives

Specialty input devices (barcode scanners, POS terminals, medical peripherals) using HID class with obscure VIDs not in the allowlist
USB Ethernet adapters bundled with laptops or docking stations from vendors not on the known-good VID list
Embedded systems developers connecting microcontroller dev boards (ESP32, Teensy) for legitimate firmware development work

CrowdStrike LogScale (CQL)

cql

// T1200 Hardware Additions — Suspicious USB/HID/Network Device via PnP Event 6416
// Requires: Windows Security Event log forwarding to Falcon LogScale
#event_simpleName="/" OR #event_simpleName=*
| EventCode = "6416"
| ChannelName = "Security"

// Parse hardware metadata from EventData XML
| regex(field="EventData", regex="Name=\\\"ClassName\\\">(?P<ClassName>[^<]+)<")
| regex(field="EventData", regex="Name=\\\"DeviceId\\\">(?P<DeviceId>[^<]+)<")
| regex(field="EventData", regex="Name=\\\"HardwareIds\\\">(?P<HardwareIds>[^<]+)<")
| regex(field="EventData", regex="Name=\\\"SubjectUserName\\\">(?P<SubjectUserName>[^<]+)<")
| regex(field="EventData", regex="Name=\\\"SubjectDomainName\\\">(?P<SubjectDomain>[^<]+)<")

// Score known pentest VIDs
| IsKnownPentestVID := if(match(field="HardwareIds", regex="(?i)(VID_2B04|VID_16D0|VID_2E8A|VID_2341|VID_1B4F|VID_221A|VID_04D8)"), then=1, else=0)

// Identify legitimate vendors
| IsLegitimateVendor := if(match(field="HardwareIds", regex="(?i)(VID_045E|VID_046D|VID_05AC|VID_413C|VID_03F0|VID_17EF|VID_047D|VID_046A|VID_1B1C|VID_1532|VID_1038|VID_04B3|VID_04CA|VID_0461)"), then=1, else=0)

// Classify device type
| IsHIDDevice := if(match(field="ClassName", regex="(?i)hidclass"), then=1, else=0)
| IsNetworkDevice := if(match(field="ClassName", regex="(?i)(^net$|wlan|bluetooth|net service)"), then=1, else=0)

// Flag suspicious device types
| IsSuspiciousHID := if(IsHIDDevice = 1 AND IsLegitimateVendor = 0, then=1, else=0)
| IsUSBNetDevice := if(
    IsNetworkDevice = 1 AND IsLegitimateVendor = 0
    AND (match(field="DeviceId", regex="(?i)USB") OR match(field="HardwareIds", regex="(?i)USB")),
    then=1, else=0)

// Compute suspicion score
| SuspicionScore := (IsKnownPentestVID * 3) + IsSuspiciousHID + IsUSBNetDevice

// Filter to actionable alerts only
| SuspicionScore > 0

// Assign risk reason
| RiskReason := case {
    IsKnownPentestVID = 1 => "Known pentest/attack hardware VID detected" ;
    IsSuspiciousHID = 1   => "Unknown vendor HID device — possible keystroke injector" ;
    IsUSBNetDevice = 1    => "Unknown USB network adapter — possible LAN tap" ;
    *                     => "Suspicious device class connection"
  }

| table(["@timestamp", ComputerName, SubjectUserName, SubjectDomain, EventCode, ClassName, DeviceId, HardwareIds, IsHIDDevice, IsNetworkDevice, IsKnownPentestVID, SuspicionScore, RiskReason])
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

Falcon LogScale Windows Security Event Log collection CrowdStrike Falcon sensor with Windows event log forwarding enabled

Required Tables

Windows Security channel events (EventCode 6416)

False Positives

USB-to-serial or USB-to-UART adapters used by developers and IT for console access to network equipment appearing as unknown HID or network class devices
Specialty gaming peripherals (stream decks, macro keypads, foot pedals) from boutique vendors presenting as HID devices with unknown VIDs
VMs or containers using USB passthrough where the hypervisor presents virtual USB devices with non-standard vendor IDs to the guest OS

Last updated: 2026-04-19 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1200 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Hardware Additions

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Initial Access

Popular Detections