title: Hardware Additions (T1200)
id: df00tech-t1200
status: experimental
description: "Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network to gain access or expand capabilities. Hardware additions range from passive network taps (Throwing Star LAN Tap) to active keystroke injection devices (USB Rubber Ducky, Bash Bunny, O.MG Cable), rogue wireless access points, DMA attack devices (PCILeech), and fully autonomous compute devices (Raspberry Pi, netbooks) providing persistent network footholds. Unlike purely software-based attacks, hardware additions require physical proximity to target systems and can bypass many software security controls by presenting as trusted peripherals. The DarkVishnya threat group is documented connecting Bash Bunny, Raspberry Pi, and inexpensive netbooks directly to victim organization networks to establish persistent access and conduct internal reconnaissance. Detection relies primarily on monitoring for unexpected device class connections via Windows Plug and Play audit events, correlating new HID device connections with subsequent automated keystroke injection patterns, and identifying new network interfaces with unknown MAC addresses appearing on internal segments."
references:
  - https://attack.mitre.org/techniques/T1200/
  - https://df00tech.com/detections/T1200
author: df00tech
date: 2026/04/19
tags:
  - attack.t1200
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators and developers connecting legitimate USB development boards (Arduino, Raspberry Pi Pico for hobby projects) — VIDs overlap with those used for attacks"
  - "Employees connecting unrecognized third-party peripherals (generic USB keyboards, mice, USB-to-Ethernet adapters from lesser-known brands) not in the approved vendor list"
  - "Virtual machine host software creating virtual network adapters (VMware VMXNET, Hyper-V Virtual Network Adapter) that trigger device connection events"
  - OT/SCADA technicians connecting USB-to-Serial or USB-to-RS485 adapters for legitimate industrial equipment management
  - Laptop docking stations presenting built-in NICs as new USB network devices when first connected to a new dock
level: high
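The three detection signals named in the description, implemented as an added example over constructed Windows Security event records (this is not part of the df00tech rule or its KQL/SPL query). The approved-VID allow-list, the 10-second correlation window and the sample events are assumptions; the virtual-adapter exclusions come from the falsepositives list above.

```python
from datetime import datetime, timedelta
# Assumed allow-list of USB VIDs (as they appear in the VendorIds field of Security
# Event ID 6416) and the virtual adapters named under falsepositives; adjust per fleet.
APPROVED_VIDS = {"VID_046D", "VID_045E"}
VIRTUAL_NIC_MARKERS = ("VMware", "Hyper-V")
INJECTION_WINDOW = timedelta(seconds=10)

# Constructed sample records modelled on Security 6416 (device recognised) and
# 4688 (process creation); not real telemetry, and VID_1234/VID_ABCD are made up.
EVENTS = [
    {"EventID": 6416, "Time": "2026-04-19T09:00:00", "ClassName": "Keyboard",
     "VendorIds": "USB\\VID_1234&PID_5678", "DeviceDescription": "USB Input Device"},
    {"EventID": 4688, "Time": "2026-04-19T09:00:04", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 6416, "Time": "2026-04-19T09:30:00", "ClassName": "Net",
     "VendorIds": "USB\\VID_ABCD&PID_0001", "DeviceDescription": "USB 3.0 Gigabit Ethernet Adapter"},
    {"EventID": 6416, "Time": "2026-04-19T10:00:00", "ClassName": "Net",
     "VendorIds": "", "DeviceDescription": "Hyper-V Virtual Ethernet Adapter"},
    {"EventID": 6416, "Time": "2026-04-19T11:00:00", "ClassName": "Keyboard",
     "VendorIds": "USB\\VID_046D&PID_C31C", "DeviceDescription": "USB Keyboard"},
]

def vid_of(vendor_ids):
    # Pull the 'VID_xxxx' token out of a string such as 'USB\VID_1234&PID_5678'.
    for part in vendor_ids.replace("\\", "&").split("&"):
        if part.upper().startswith("VID_"):
            return part.upper()
    return ""

def find_hardware_additions(events, approved=APPROVED_VIDS):
    """Return (time, kind, detail) alerts: unknown_keyboard, keystroke_injection
    (unknown keyboard then a shell under explorer.exe inside the window), new_network_device."""
    events = sorted(events, key=lambda e: e["Time"])  # ISO-8601 strings sort correctly
    alerts = []
    for i, e in enumerate(events):
        if e["EventID"] != 6416:
            continue
        t0 = datetime.fromisoformat(e["Time"])
        if e["ClassName"] in ("Keyboard", "HIDClass") and vid_of(e["VendorIds"]) not in approved:
            alerts.append((e["Time"], "unknown_keyboard", e["DeviceDescription"]))
            for f in events[i + 1:]:  # correlate with process creation inside the window
                if datetime.fromisoformat(f["Time"]) - t0 > INJECTION_WINDOW:
                    break
                if (f["EventID"] == 4688 and f["ParentProcessName"].lower().endswith("\\explorer.exe")
                        and f["NewProcessName"].lower().endswith(("\\powershell.exe", "\\cmd.exe"))):
                    alerts.append((f["Time"], "keystroke_injection", f["NewProcessName"]))
        elif e["ClassName"] == "Net" and not any(m in e["DeviceDescription"] for m in VIRTUAL_NIC_MARKERS):
            alerts.append((e["Time"], "new_network_device", e["DeviceDescription"]))
    return alerts
```

Running it over the sample records yields one alert per signal (the unknown keyboard, the PowerShell launch four seconds later, and the USB Ethernet adapter) while the Hyper-V adapter and the allow-listed keyboard are suppressed.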
