title: Remote Access Hardware (T1219.003)
id: df00tech-t1219-003
status: experimental
description: "An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment. Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s)."
references:
  - https://attack.mitre.org/techniques/T1219/003/
  - https://df00tech.com/detections/T1219.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1219.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, the wildcard selection below matches every event in the log source and must be replaced before use.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Data center administrators using iDRAC, iLO, or IPMI for legitimate out-of-band server management during maintenance windows"
  - "IT operations teams using rack-mounted KVM switches (Raritan, Avocent, ATEN) for routine server console access in server rooms"
  - "Network engineers accessing remote Opengear or Lantronix serial console servers for switch/router management"
  - "Security teams using KVM-over-IP for incident response when OS-level access is unavailable on compromised systems"
level: high
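The following is an added example, not code from df00tech or the Sigma project. It implements the small subset of Sigma matching semantics the rule above relies on (a selection of field/pattern pairs with `*` wildcards, and a `condition`), runs both the placeholder `EventID: '*'` selection and a constructed refinement over a handful of constructed Sysmon-style `network_connection` events, and shows the difference in hit counts. The hostname patterns (`*pikvm*`, `*tinypilot*`, taken from the products named in the description), the `10.250.*` out-of-band management range used to carve out the iDRAC/iLO/IPMI false positives, and every event value are assumptions for illustration, not indicators from the page.

```python
"""Minimal Sigma-style evaluator for the detection block above (added example).

Demonstrates why `EventID: '*'` with `condition: selection` fires on every
event, and how a narrowed selection plus a false-positive filter behaves.
All field values, host names and subnets are constructed for this example.
"""
import fnmatch

# Constructed sample events in a Sysmon-like network_connection shape
# (EventID 3 = network connection, EventID 1 = process creation).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationHostname": "fileserver.corp.local"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "192.168.50.20", "DestinationHostname": "pikvm.local"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "10.250.1.10", "DestinationHostname": "idrac-r740-01.mgmt.local"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "10.250.1.30", "DestinationHostname": "pikvm-rack2.mgmt.local"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]


def _match_value(pattern, value):
    """Sigma-style string match: '*' and '?' wildcards, case-insensitive."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def match_selection(selection, event):
    """Every field in a selection must match (AND); list values are OR-ed."""
    for field, patterns in selection.items():
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(p, event.get(field)) for p in patterns):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the two condition shapes used here:
    'selection' and 'selection and not filter'."""
    det = rule["detection"]
    hit = match_selection(det["selection"], event)
    if det["condition"] == "selection":
        return hit
    if det["condition"] == "selection and not filter":
        return hit and not match_selection(det["filter"], event)
    raise ValueError("unsupported condition: " + det["condition"])


# The placeholder exactly as it appears in the rule: matches every event.
PLACEHOLDER_RULE = {"detection": {"selection": {"EventID": "*"},
                                  "condition": "selection"}}

# Constructed refinement: connections to hosts named after the KVM products in
# the description, excluding an assumed out-of-band management subnet so that
# sanctioned iDRAC/iLO/KVM traffic from the false-positive list is not flagged.
REFINED_RULE = {"detection": {
    "selection": {"EventID": 3,
                  "DestinationHostname": ["*pikvm*", "*tinypilot*"]},
    "filter": {"DestinationIp": "10.250.*"},   # assumed OOB management range
    "condition": "selection and not filter"}}


def hits(rule, events=SAMPLE_EVENTS):
    """Return the DestinationHostname of each event the rule fires on."""
    return [e.get("DestinationHostname") for e in events if evaluate(rule, e)]


def count_hits(rule, events=SAMPLE_EVENTS):
    return len(hits(rule, events))


if __name__ == "__main__":
    print("placeholder rule hits:", count_hits(PLACEHOLDER_RULE), "of", len(SAMPLE_EVENTS))
    print("refined rule hits:    ", hits(REFINED_RULE))
```

The placeholder fires on all five constructed events, including the process-creation event that has nothing to do with a network connection; the refined selection fires only on the `pikvm.local` connection from a workstation subnet and stays silent on the PiKVM reached through the assumed management range. The real rule still needs indicators appropriate to the environment (device hostnames, vendor MAC prefixes or management VLANs the defender actually knows), which this example does not supply.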
