T1219.003 Google Chronicle · YARA-L

Detect Remote Access Hardware in Google Chronicle

An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment. Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).

MITRE ATT&CK

Tactic
Command and Control
Technique
T1219 Remote Access Tools
Sub-technique
T1219.003 Remote Access Hardware
Canonical reference
https://attack.mitre.org/techniques/T1219/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1219_003_remote_access_hardware_kvm {
  meta:
    author = "Detection Engineering"
    description = "Detects outbound network connections to KVM/IPMI hardware device ports indicative of T1219.003 Remote Access Hardware activity"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1219.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1219/003/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (5900, 5901, 623, 5000, 8443, 8888, 8080)
    (
      net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16") or
      net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8") or
      net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12")
    )
    (
      re.regex($e.target.hostname, `(?i)(pikvm|tinypilot|kvm|ipmi|idrac|ilo|raritan|avocent|aten|lantronix|opengear)`) or
      re.regex($e.target.url, `(?i)(pikvm|tinypilot|kvm|ipmi|idrac|ilo|raritan|avocent)`) or
      $e.target.port = 623
    )

  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L 2.0 rule using the Unified Data Model (UDM) to detect outbound connections to hardware KVM device ports from internal RFC1918 addresses. Combines port-based matching (VNC 5900/5901, IPMI 623, web KVM 5000/8443/8888) with KVM device hostname regex patterns. IPMI port 623 is matched unconditionally due to its exclusive use by BMC hardware. Requires NETWORK_CONNECTION UDM events from an EDR or network telemetry ingestion pipeline.

Data Sources

Google Chronicle SIEMChronicle UDM network event ingestionCrowdStrike Falcon or Carbon Black EDR via Chronicle forwarder

Required Tables

NETWORK_CONNECTION UDM event stream

False Positives & Tuning

  • Infrastructure engineers with authorized access to iDRAC, iLO, or IPMI management ports for routine server administration tasks
  • Legitimate VNC remote desktop sessions between internal workstations initiated by IT support or endpoint management platforms
  • Lab or test environments running KVM infrastructure for development, QA, or security research with internal hostnames matching KVM patterns
Download portable Sigma rule (.yml)

Other platforms for T1219.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1IPMI Interface Discovery via ipmitool

    Expected signal: Sysmon Event ID 1: PowerShell process creation with Test-NetConnection command. Sysmon Event ID 3: Network connection attempt to 192.168.1.1:623. The connection will likely fail (no IPMI target) but the network connection event still fires showing the port 623 probe.

  2. Test 2VNC Port Scan Simulation for KVM Discovery

    Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 3: Network connection attempts to 192.168.1.1-5 on port 5900. Multiple connection events to different IPs on VNC port indicates scanning behavior.

  3. Test 3USB HID Device Enumeration Check

    Expected signal: Sysmon Event ID 1: PowerShell process creation with Get-PnpDevice command line. PowerShell ScriptBlock Log Event ID 4104 with the WMI/PnP query content. No network events expected — this is a local enumeration test.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1219.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1219Remote Access Tools

Related Sub-techniques

T1219.001IDE TunnelingT1219.002Remote Desktop Software

Related Techniques

T1219Remote Access ToolsT1219.002Remote Desktop SoftwareT1200Hardware AdditionsT1021.001Remote Desktop ProtocolT1557Adversary-in-the-MiddleT1056.001KeyloggingT1074.001Local Data StagingT1020Automated Exfiltration

Same Tactic: Command and Control

Popular Detections