Detect Hardware Additions in Elastic Security
Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network to gain access or expand capabilities. Hardware additions range from passive network taps (Throwing Star LAN Tap) to active keystroke injection devices (USB Rubber Ducky, Bash Bunny, O.MG Cable), rogue wireless access points, DMA attack devices (PCILeech), and fully autonomous compute devices (Raspberry Pi, netbooks) providing persistent network footholds. Unlike purely software-based attacks, hardware additions require physical proximity to target systems and can bypass many software security controls by presenting as trusted peripherals. The DarkVishnya threat group is documented connecting Bash Bunny, Raspberry Pi, and inexpensive netbooks directly to victim organization networks to establish persistent access and conduct internal reconnaissance. Detection relies primarily on monitoring for unexpected device class connections via Windows Plug and Play audit events, correlating new HID device connections with subsequent automated keystroke injection patterns, and identifying new network interfaces with unknown MAC addresses appearing on internal segments.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1200 Hardware Additions
- Canonical reference
- https://attack.mitre.org/techniques/T1200/
Elastic Detection Query
sequence by host.name with maxspan=5m
[any where event.code == "6416" and
(
winlog.event_data.HardwareIds like~ "*VID_2B04*" or
winlog.event_data.HardwareIds like~ "*VID_16D0*" or
winlog.event_data.HardwareIds like~ "*VID_2E8A*" or
winlog.event_data.HardwareIds like~ "*VID_2341*" or
winlog.event_data.HardwareIds like~ "*VID_1B4F*" or
winlog.event_data.HardwareIds like~ "*VID_221A*" or
winlog.event_data.HardwareIds like~ "*VID_04D8*" or
(
winlog.event_data.ClassName like~ "HIDClass" and
not (
winlog.event_data.HardwareIds like~ "*VID_045E*" or
winlog.event_data.HardwareIds like~ "*VID_046D*" or
winlog.event_data.HardwareIds like~ "*VID_05AC*" or
winlog.event_data.HardwareIds like~ "*VID_413C*" or
winlog.event_data.HardwareIds like~ "*VID_03F0*" or
winlog.event_data.HardwareIds like~ "*VID_17EF*"
)
) or
(
winlog.event_data.ClassName like~ "Net*" and
winlog.event_data.DeviceId like~ "*USB*" and
not (
winlog.event_data.HardwareIds like~ "*VID_045E*" or
winlog.event_data.HardwareIds like~ "*VID_046D*" or
winlog.event_data.HardwareIds like~ "*VID_05AC*"
)
)
)
]Detects suspicious USB/HID/network hardware additions via Windows Security Event 6416 (PnP Activity). Flags known pentest hardware VIDs (Hak5, Digispark, Pi Pico, Arduino), unknown-vendor HID devices that may be keystroke injectors, and unknown USB network adapters that may be LAN taps. Requires Windows Advanced Audit Policy: Detailed Tracking > Audit PNP Activity = Success.
Data Sources
Required Tables
False Positives & Tuning
- IT asset deployment of legitimate peripherals from lesser-known vendors not in the known-good VID list
- Developer boards (Arduino, Raspberry Pi Pico) used legitimately by engineers for lab or development work
- USB-to-Ethernet adapters from generic OEMs used for docking stations or conference room equipment
Other platforms for T1200
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install Microsoft Loopback Network Adapter via devcon
Expected signal: Windows Security Event ID 6416: ClassName=Net, ClassId={4d36e972-e325-11ce-bfc1-08002be10318}, DeviceId=ROOT\NET\0001 or similar, HardwareIds=*MSLOOP. Windows System Event IDs 20001 and 20003 in System log for driver installation. Entry in C:\Windows\INF\setupapi.dev.log with timestamp and INF path.
- Test 2Enumerate Connected HID Devices via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-PnpDevice' and 'HIDClass'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the full device enumeration script.
- Test 3Query USB Device Connection History via Registry
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing 'HKLM\SYSTEM\CurrentControlSet\Enum\USB'. Sysmon Event ID 1 also for findstr.exe. Security Event ID 4688 (if enabled) for both processes. Registry access events may be logged depending on SACL configuration.
- Test 4Simulate Keystroke Injection via PowerShell SendKeys
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe initiated by the calling process, plus any processes spawned by the injected keystrokes. If Sysmon monitors for the parent process chain, keystrokes injected into an Explorer window will show explorer.exe as parent. PowerShell ScriptBlock Log Event ID 4104 for both the outer and any inner PowerShell sessions.
References (9)
- https://attack.mitre.org/techniques/T1200/
- https://securelist.com/darkvishnya/89169/
- https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html
- https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
- https://learn.microsoft.com/en-us/windows-hardware/drivers/install/devcon-command-syntax
- https://github.com/hak5/bashbunny-payloads
- https://docs.microsoft.com/en-us/windows/win32/devio/device-management-events
Unlock Pro Content
Get the full detection package for T1200 including response playbook, investigation guide, and atomic red team tests.