Detect Remote Access Hardware in Elastic Security
An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment. Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1219 Remote Access Tools
- Sub-technique
- T1219.003 Remote Access Hardware
- Canonical reference
- https://attack.mitre.org/techniques/T1219/003/
Elastic Detection Query
network where event.type == "start" and
destination.port in (5900, 5901, 623, 5000, 8443, 8888, 8080) and
cidr(destination.ip, "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12") and
(
destination.domain like~ "*pikvm*" or
destination.domain like~ "*tinypilot*" or
destination.domain like~ "*kvm*" or
destination.domain like~ "*ipmi*" or
destination.domain like~ "*idrac*" or
destination.domain like~ "*ilo*" or
destination.domain like~ "*raritan*" or
destination.domain like~ "*avocent*" or
destination.port == 623
)Detects outbound network connections to KVM hardware device ports (VNC 5900/5901, IPMI 623, web-based KVM 5000/8443/8888) targeting internal RFC1918 addresses with KVM-indicative hostnames, using Elastic ECS network event schema. Port 623 (IPMI) is flagged unconditionally due to its exclusive use by baseboard management controllers.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators legitimately accessing iDRAC, iLO, or IPMI interfaces for server hardware maintenance and firmware updates
- Authorized VNC remote desktop sessions established by helpdesk or endpoint management tooling (e.g., Bomgar, Dameware)
- Automated monitoring systems (Zabbix, Nagios, PRTG) polling IPMI port 623 for hardware sensor telemetry on internal server ranges
Other platforms for T1219.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1IPMI Interface Discovery via ipmitool
Expected signal: Sysmon Event ID 1: PowerShell process creation with Test-NetConnection command. Sysmon Event ID 3: Network connection attempt to 192.168.1.1:623. The connection will likely fail (no IPMI target) but the network connection event still fires showing the port 623 probe.
- Test 2VNC Port Scan Simulation for KVM Discovery
Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 3: Network connection attempts to 192.168.1.1-5 on port 5900. Multiple connection events to different IPs on VNC port indicates scanning behavior.
- Test 3USB HID Device Enumeration Check
Expected signal: Sysmon Event ID 1: PowerShell process creation with Get-PnpDevice command line. PowerShell ScriptBlock Log Event ID 4104 with the WMI/PnP query content. No network events expected — this is a local enumeration test.
References (8)
- https://attack.mitre.org/techniques/T1219/003/
- https://unit42.paloaltonetworks.com/north-korean-it-workers/
- https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
- https://pikvm.org/
- https://tinypilotkvm.com/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://www.dell.com/support/kbdoc/en-us/000178115/idrac-9-security-configuration-guide
Unlock Pro Content
Get the full detection package for T1219.003 including response playbook, investigation guide, and atomic red team tests.