Detect Hardware Additions in Microsoft Sentinel
Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network to gain access or expand capabilities. Hardware additions range from passive network taps (Throwing Star LAN Tap) to active keystroke injection devices (USB Rubber Ducky, Bash Bunny, O.MG Cable), rogue wireless access points, DMA attack devices (PCILeech), and fully autonomous compute devices (Raspberry Pi, netbooks) providing persistent network footholds. Unlike purely software-based attacks, hardware additions require physical proximity to target systems and can bypass many software security controls by presenting as trusted peripherals. The DarkVishnya threat group is documented connecting Bash Bunny, Raspberry Pi, and inexpensive netbooks directly to victim organization networks to establish persistent access and conduct internal reconnaissance. Detection relies primarily on monitoring for unexpected device class connections via Windows Plug and Play audit events, correlating new HID device connections with subsequent automated keystroke injection patterns, and identifying new network interfaces with unknown MAC addresses appearing on internal segments.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1200 Hardware Additions
- Canonical reference: https://attack.mitre.org/techniques/T1200/
KQL Detection Query
// T1200 Hardware Additions — Detects suspicious USB/HID/network device connections via Security Event 6416
// Requires: Advanced Audit Policy > Detailed Tracking > Audit PNP Activity = Success
let KnownPentestVIDs = dynamic([
"VID_2B04", // Hak5 (Bash Bunny, Rubber Ducky, LAN Turtle, Signal Owl)
"VID_16D0", // MCS / Digispark ATTiny85 HID injectors
"VID_2E8A", // Raspberry Pi Foundation (Pi Pico USB gadget mode)
"VID_2341", // Arduino (commonly repurposed for HID attacks)
"VID_1B4F", // SparkFun Electronics (BadUSB research boards)
"VID_221A", // ZTEX USB FPGA (DMA research hardware)
"VID_04D8" // Microchip Technology (common in DIY HID injectors)
]);
let LegitimatePeripheralVIDs = dynamic([
"VID_045E", // Microsoft
"VID_046D", // Logitech
"VID_05AC", // Apple
"VID_413C", // Dell
"VID_03F0", // HP
"VID_17EF", // Lenovo
"VID_047D", // Kensington
"VID_046A", // Cherry
"VID_1B1C", // Corsair
"VID_1532", // Razer
"VID_1038", // SteelSeries
"VID_04B3", // IBM
"VID_04CA", // Lite-On Technology
"VID_0461" // Primax Electronics
]);
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 6416
| parse EventData with * 'Name="ClassName">' ClassName '</Data>' *
| parse EventData with * 'Name="DeviceId">' DeviceId '</Data>' *
| parse EventData with * 'Name="VendorIds">' HardwareIds '</Data>' * // Event 6416 writes the hardware IDs into its VendorIds element, not a HardwareIds one
| parse EventData with * 'Name="ClassId">' ClassId '</Data>' *
| parse EventData with * 'Name="SubjectUserName">' SubjectUserName '</Data>' *
| parse EventData with * 'Name="SubjectDomainName">' SubjectDomain '</Data>' *
| extend IsHIDDevice = ClassName =~ "HIDClass"
| extend IsNetworkDevice = ClassName in~ ("Net", "WLAN", "Bluetooth", "Net Service")
| extend IsKnownPentestVID = HardwareIds has_any (KnownPentestVIDs)
| extend IsLegitimateVendor = HardwareIds has_any (LegitimatePeripheralVIDs)
| extend IsSuspiciousHID = IsHIDDevice and not IsLegitimateVendor and HardwareIds !has "Mouse" and HardwareIds !has "Keyboard"
| extend IsSuspiciousNetDevice = IsNetworkDevice and not IsLegitimateVendor and (DeviceId has "USB" or HardwareIds has "USB")
| extend SuspicionScore = toint(IsKnownPentestVID) * 3 + toint(IsSuspiciousHID) + toint(IsSuspiciousNetDevice)
| where SuspicionScore > 0 or IsKnownPentestVID
| extend RiskReason = case(
IsKnownPentestVID, "Known pentest/attack hardware VID detected",
IsSuspiciousHID, "Unknown vendor HID device — possible keystroke injector",
IsSuspiciousNetDevice, "Unknown USB network device — possible LAN tap or rogue adapter",
"Suspicious device class connection")
| project TimeGenerated, Computer, SubjectUserName, SubjectDomain, EventID,
ClassName, ClassId, DeviceId, HardwareIds,
IsHIDDevice, IsNetworkDevice, IsKnownPentestVID, SuspicionScore, RiskReason
| sort by SuspicionScore desc, TimeGenerated desc

Detects suspicious hardware additions using Windows Security Event ID 6416 (A new external device was recognized by the System), which fires when Plug and Play device audit is enabled. Filters for HID devices from unknown or known-pentest vendors, USB-connected network adapters not from recognized peripheral manufacturers, and specific Vendor IDs (VIDs) associated with penetration testing and attack hardware (Hak5 products, Digispark, Raspberry Pi Pico in gadget mode, Arduino). Assigns a suspicion score to prioritize alerts: known pentest VIDs score 3, unknown-vendor HID devices and USB network adapters score 1 each. Requires Advanced Audit Policy — Detailed Tracking — Audit PNP Activity enabled on target systems.
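To check the parse-and-score rules above before deploying them, the following added example (not part of this detection page or of Sentinel) re-implements the query's logic in Python over constructed Event 6416 EventData fragments; the VID lists, class names and score weights are taken from the query, while `make_event`, `triage` and the sample devices are assumptions built for this harness.

```python
import re
KNOWN_PENTEST_VIDS = {"VID_2B04", "VID_16D0", "VID_2E8A", "VID_2341", "VID_1B4F", "VID_221A", "VID_04D8"}
LEGITIMATE_VIDS = {"VID_045E", "VID_046D", "VID_05AC", "VID_413C", "VID_03F0", "VID_17EF", "VID_047D",
                   "VID_046A", "VID_1B1C", "VID_1532", "VID_1038", "VID_04B3", "VID_04CA", "VID_0461"}
NET_CLASSES = {"net", "wlan", "bluetooth", "net service"}

def parse_event_data(event_data: str) -> dict:
    """Mirror the KQL parse steps: extract every <Data Name="X">value</Data> pair from EventData."""
    return {m.group(1): m.group(2) for m in re.finditer(r'Name="(\w+)">([^<]*)</Data>', event_data)}

def score_event(event_data: str) -> dict:
    """Apply the query's HID / USB-NIC / pentest-VID rules to one event and return score and reason."""
    f = parse_event_data(event_data)
    class_name = f.get("ClassName", "").lower()
    hw_ids = f.get("VendorIds", "").upper()  # Event 6416 carries the hardware IDs in its VendorIds element
    device_id = f.get("DeviceId", "").upper()
    is_hid = class_name == "hidclass"
    is_net = class_name in NET_CLASSES
    known_pentest = any(vid in hw_ids for vid in KNOWN_PENTEST_VIDS)
    legit_vendor = any(vid in hw_ids for vid in LEGITIMATE_VIDS)
    # KQL 'has' is a case-insensitive term match; upper-cased substring search approximates it here.
    suspicious_hid = is_hid and not legit_vendor and "MOUSE" not in hw_ids and "KEYBOARD" not in hw_ids
    suspicious_net = is_net and not legit_vendor and ("USB" in device_id or "USB" in hw_ids)
    score = 3 * known_pentest + suspicious_hid + suspicious_net  # bools add as 0/1, like toint() in KQL
    if known_pentest:
        reason = "Known pentest/attack hardware VID detected"
    elif suspicious_hid:
        reason = "Unknown vendor HID device - possible keystroke injector"
    elif suspicious_net:
        reason = "Unknown USB network device - possible LAN tap or rogue adapter"
    else:
        reason = "Suspicious device class connection"
    return {"HardwareIds": f.get("VendorIds", ""), "SuspicionScore": int(score), "RiskReason": reason}

def make_event(class_name: str, device_id: str, vendor_ids: str) -> str:
    """Build a constructed (not captured) Event 6416 EventData fragment with the fields the query parses."""
    return (f'<Data Name="ClassName">{class_name}</Data><Data Name="DeviceId">{device_id}</Data>'
            f'<Data Name="VendorIds">{vendor_ids}</Data>')

# Constructed samples: Hak5-VID HID injector, Logitech keyboard, no-name USB NIC (VID_1234 is a placeholder).
SAMPLE_EVENTS = {
    "hak5_hid": make_event("HIDClass", "HID\\VID_2B04&PID_0001\\6&1a2b", "HID\\VID_2B04&PID_0001"),
    "logitech_keyboard": make_event("HIDClass", "HID\\VID_046D&PID_C31C\\7&3c4d", "HID\\VID_046D&PID_C31C"),
    "unknown_usb_nic": make_event("Net", "USB\\VID_1234&PID_5678\\8&5e6f", "USB\\VID_1234&PID_5678"),
}

def triage(events: dict) -> list:
    """Equivalent of the query's final 'where SuspicionScore > 0 | sort by SuspicionScore desc'."""
    hits = [dict(score_event(xml), Name=name) for name, xml in events.items()]
    return sorted((h for h in hits if h["SuspicionScore"] > 0), key=lambda h: -h["SuspicionScore"])
```

Running `triage(SAMPLE_EVENTS)` returns the Hak5 device first (score 4) and the unknown USB NIC second (score 1), while the Logitech keyboard is suppressed by the legitimate-vendor list, matching what the Sentinel query would surface.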
Data Sources
Required Tables
- SecurityEvent (Windows Security Event ID 6416, A new external device was recognized by the System)
False Positives & Tuning
- IT administrators and developers connecting legitimate USB development boards (Arduino, Raspberry Pi Pico for hobby projects) — VIDs overlap with those used for attacks
- Employees connecting unrecognized third-party peripherals (generic USB keyboards, mice, USB-to-Ethernet adapters from lesser-known brands) not in the approved vendor list
- Virtual machine host software creating virtual network adapters (VMware VMXNET, Hyper-V Virtual Network Adapter) that trigger device connection events
- OT/SCADA technicians connecting USB-to-Serial or USB-to-RS485 adapters for legitimate industrial equipment management
- Laptop docking stations presenting built-in NICs as new USB network devices when first connected to a new dock
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Install Microsoft Loopback Network Adapter via devcon
  Expected signal: Windows Security Event ID 6416: ClassName=Net, ClassId={4d36e972-e325-11ce-bfc1-08002be10318}, DeviceId=ROOT\NET\0001 or similar, HardwareIds=*MSLOOP. Windows System Event IDs 20001 and 20003 in System log for driver installation. Entry in C:\Windows\INF\setupapi.dev.log with timestamp and INF path.
- Test 2: Enumerate Connected HID Devices via PowerShell
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Get-PnpDevice' and 'HIDClass'. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with the full device enumeration script.
- Test 3: Query USB Device Connection History via Registry
  Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine containing 'HKLM\SYSTEM\CurrentControlSet\Enum\USB'. Sysmon Event ID 1 also for findstr.exe. Security Event ID 4688 (if enabled) for both processes. Registry access events may be logged depending on SACL configuration.
- Test 4: Simulate Keystroke Injection via PowerShell SendKeys
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe initiated by the calling process, plus any processes spawned by the injected keystrokes. If Sysmon monitors the parent process chain, keystrokes injected into an Explorer window will show explorer.exe as the parent. PowerShell ScriptBlock Log Event ID 4104 for both the outer and any inner PowerShell sessions.