T1219.003 Remote Access Hardware Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KVMDeviceNames = dynamic([
  "TinyPilot", "PiKVM", "Raritan", "Avocent", "ATEN", "iDRAC",
  "iLO", "IPMI", "Lantronix", "Opengear", "KVM", "Digi",
  "CyberPower", "ServerTech", "Supermicro IPMI"
]);
let KVMPorts = dynamic([5900, 5901, 443, 80, 8080, 623, 5000, 8443, 8888]);
let KVMUserAgents = dynamic([
  "TinyPilot", "PiKVM", "noVNC", "websockify"
]);
// Detection 1: Network connections to KVM-typical ports from new USB devices
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (KVMPorts)
| where LocalIP startswith "192.168." or LocalIP startswith "10." or LocalIP startswith "172."
| where RemoteUrl has_any (KVMDeviceNames) or RemoteUrl has_any ("pikvm", "tinypilot", "kvm", "ipmi", "idrac", "ilo")
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, RemoteUrl,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Data center administrators using iDRAC, iLO, or IPMI for legitimate out-of-band server management during maintenance windows
IT operations teams using rack-mounted KVM switches (Raritan, Avocent, ATEN) for routine server console access in server rooms
Network engineers accessing remote Opengear or Lantronix serial console servers for switch/router management
Security teams using KVM-over-IP for incident response when OS-level access is unavailable on compromised systems

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationPort=5900 OR DestinationPort=5901 OR DestinationPort=623 OR DestinationPort=5000 OR DestinationPort=8443 OR DestinationPort=8888)
  (DestinationIp="192.168.*" OR DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.2*" OR DestinationIp="172.3*")
| eval IsVNCPort=if(DestinationPort==5900 OR DestinationPort==5901, "Yes", "No")
| eval IsIPMIPort=if(DestinationPort==623, "Yes", "No")
| eval IsWebKVM=if(DestinationPort==8443 OR DestinationPort==8888 OR DestinationPort==5000, "Yes", "No")
| eval ConnectionType=case(
    IsVNCPort=="Yes", "VNC/KVM",
    IsIPMIPort=="Yes", "IPMI",
    IsWebKVM=="Yes", "Web-based KVM",
    1=1, "Other")
| stats count as Connections, dc(DestinationIp) as UniqueKVMDevices, values(DestinationPort) as Ports, earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, User, Image, ConnectionType
| where Connections > 1
| sort - Connections

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Data center administrators using iDRAC/iLO/IPMI for legitimate out-of-band server management
IT operations using rack KVM switches for routine server console access
Network engineers accessing serial console servers for network device management
Monitoring tools polling IPMI/iLO interfaces for hardware health checks

Elastic Security (EQL)

eql

network where event.type == "start" and
  destination.port in (5900, 5901, 623, 5000, 8443, 8888, 8080) and
  cidr(destination.ip, "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12") and
  (
    destination.domain like~ "*pikvm*" or
    destination.domain like~ "*tinypilot*" or
    destination.domain like~ "*kvm*" or
    destination.domain like~ "*ipmi*" or
    destination.domain like~ "*idrac*" or
    destination.domain like~ "*ilo*" or
    destination.domain like~ "*raritan*" or
    destination.domain like~ "*avocent*" or
    destination.port == 623
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Packetbeat network capture Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.network-* logs-system.security-* winlogbeat-*

False Positives

IT administrators legitimately accessing iDRAC, iLO, or IPMI interfaces for server hardware maintenance and firmware updates
Authorized VNC remote desktop sessions established by helpdesk or endpoint management tooling (e.g., Bomgar, Dameware)
Automated monitoring systems (Zabbix, Nagios, PRTG) polling IPMI port 623 for hardware sensor telemetry on internal server ranges

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS DetectionTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestinationPort,
  username AS InitiatingUser,
  devicecustomstring1 AS ProcessName,
  CASE
    WHEN destinationport IN (5900, 5901) THEN 'VNC/KVM Protocol'
    WHEN destinationport = 623 THEN 'IPMI/BMC Protocol'
    WHEN destinationport IN (5000, 8443, 8888) THEN 'Web-Based KVM'
    WHEN destinationport = 8080 THEN 'Alt-HTTP KVM'
    ELSE 'KVM-Adjacent Port'
  END AS ConnectionType,
  COUNT(*) AS Connections
FROM events
WHERE starttime > NOW() - 86400000
  AND destinationport IN (5900, 5901, 623, 5000, 8443, 8888, 8080)
  AND (
    INCIDR('192.168.0.0/16', destinationip)
    OR INCIDR('10.0.0.0/8', destinationip)
    OR INCIDR('172.16.0.0/12', destinationip)
  )
  AND LOGSOURCETYPEID IN (12, 13)
GROUP BY
  DetectionTime, LogSource, SourceIP, DestinationIP,
  DestinationPort, InitiatingUser, ProcessName, ConnectionType
HAVING COUNT(*) > 1
ORDER BY Connections DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via WinCollect agent Microsoft Windows Security Event Log

Required Tables

events

False Positives

Infrastructure teams with standing access to IPMI/iDRAC/iLO management interfaces generating repeated polling connections during maintenance windows
Automated datacenter orchestration tools (Ansible, Puppet) connecting to BMC interfaces over port 623 for hardware inventory or configuration
Legitimate VNC-based remote support sessions from IT service desk tooling to internally managed endpoints

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where EventID = 3 OR EventCode = 3
| parse regex field=_raw "<Data Name='DestinationPort'>(?<dest_port>\d+)</Data>"
| parse regex field=_raw "<Data Name='DestinationIp'>(?<dest_ip>[^<]+)</Data>"
| parse regex field=_raw "<Data Name='Image'>(?<process_image>[^<]+)</Data>"
| parse regex field=_raw "<Data Name='User'>(?<sysmon_user>[^<]+)</Data>"
| where dest_port in ("5900", "5901", "623", "5000", "8443", "8888", "8080")
| where dest_ip matches "192.168.*"
  OR dest_ip matches "10.*"
  OR dest_ip matches "172.16.*"
  OR dest_ip matches "172.17.*"
  OR dest_ip matches "172.18.*"
  OR dest_ip matches "172.19.*"
  OR dest_ip matches "172.2*"
  OR dest_ip matches "172.3*"
| eval connection_type = if(dest_port in ("5900", "5901"), "VNC/KVM",
    if(dest_port = "623", "IPMI",
    if(dest_port in ("8443", "8888", "5000"), "Web-based KVM", "Other")))
| stats
    count as Connections,
    values(dest_ip) as KVMDevices,
    values(dest_port) as Ports,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
  by _sourceHost, sysmon_user, process_image, connection_type
| where Connections > 1
| sort - Connections

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sumo Logic Installed Collector (Windows) Windows Sysmon EventID 3 via Sumo Logic Source

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*windows*

False Positives

Authorized server management access to IPMI, iDRAC, or iLO interfaces by datacenter or infrastructure teams during scheduled maintenance
Security operations personnel using VNC to connect to internal endpoints during incident investigation or forensic triage
Datacenter automation frameworks (Ansible AWX, vCenter) polling BMC/IPMI endpoints on port 623 for hardware health status

Google Chronicle / SecOps

yaral

rule t1219_003_remote_access_hardware_kvm {
  meta:
    author = "Detection Engineering"
    description = "Detects outbound network connections to KVM/IPMI hardware device ports indicative of T1219.003 Remote Access Hardware activity"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1219.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1219/003/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (5900, 5901, 623, 5000, 8443, 8888, 8080)
    (
      net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16") or
      net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8") or
      net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12")
    )
    (
      re.regex($e.target.hostname, `(?i)(pikvm|tinypilot|kvm|ipmi|idrac|ilo|raritan|avocent|aten|lantronix|opengear)`) or
      re.regex($e.target.url, `(?i)(pikvm|tinypilot|kvm|ipmi|idrac|ilo|raritan|avocent)`) or
      $e.target.port = 623
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM network event ingestion CrowdStrike Falcon or Carbon Black EDR via Chronicle forwarder

Required Tables

NETWORK_CONNECTION UDM event stream

False Positives

Infrastructure engineers with authorized access to iDRAC, iLO, or IPMI management ports for routine server administration tasks
Legitimate VNC remote desktop sessions between internal workstations initiated by IT support or endpoint management platforms
Lab or test environments running KVM infrastructure for development, QA, or security research with internal hostnames matching KVM patterns

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4
| RemotePort in (5900, 5901, 623, 5000, 8443, 8888, 8080)
| regex(field=LocalAddressIP4, regex="^(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)") 
| ConnectionType := case {
    RemotePort in (5900, 5901) => "VNC/KVM";
    RemotePort = 623           => "IPMI/BMC";
    RemotePort in (5000, 8443, 8888) => "Web-based KVM";
    RemotePort = 8080          => "Alt-HTTP KVM";
    *                          => "KVM-Adjacent"
  }
| groupBy(
    [ComputerName, UserName, ImageFileName, RemoteAddressIP4, ConnectionType],
    function=[
      count(as=Connections),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen),
      collect(RemotePort, as=PortsUsed)
    ]
  )
| Connections > 1
| sort(Connections, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR Falcon Insight XDR CrowdStrike LogScale (Humio)

Required Tables

#event_simpleName=NetworkConnectIP4

False Positives

System administrators using Falcon-monitored endpoints to connect to legitimate server KVM interfaces (iDRAC, iLO, IPMI) in the datacenter network
Helpdesk tooling (e.g., VNC Viewer, TigerVNC) initiating authorized remote desktop connections to internal workstations for end-user support
Network monitoring agents running on endpoints that poll IPMI port 623 on server ranges for hardware health data collection

Remote Access Hardware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections