MITRE ATT&CK Technique
Initial Access T1200
Description

Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access points to an existing network, and others. (Citation: Ossmann Star Feb 2011) (Citation: Aleks Weapons Nov 2015) (Citation: Frisk DMA August 2016) (Citation: McMillan Pwn March 2012)

Supported Platforms
Windows, Linux, macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2018-04-18T17:59:24.739Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may physically introduce computer accessories, '
                'networking hardware, or other computing devices into a system '
                'or network that can be used as a vector to gain access. '
                'Rather than just connecting and distributing payloads via '
                'removable storage (i.e. [Replication Through Removable '
                'Media](https://attack.mitre.org/techniques/T1091)), more '
                'robust hardware additions can be used to introduce new '
                'functionalities and/or features into a system that can then '
                'be abused.\n'
                '\n'
                'While public references of usage by threat actors are scarce, '
                'many red teams/penetration testers leverage hardware '
                'additions for initial access. Commercial and open source '
                'products can be leveraged with capabilities such as passive '
                'network tapping, network traffic modification (i.e. '
                '[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), '
                'keystroke injection, kernel memory reading via DMA, addition '
                'of new wireless access points to an existing network, and '
                'others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks '
                'Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: '
                'McMillan Pwn March 2012)',
 'external_references': [{'external_id': 'T1200',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1200'},
                         {'description': 'Michael Ossmann. (2011, February '
                                         '17). Throwing Star LAN Tap. '
                                         'Retrieved March 30, 2018.',
                          'source_name': 'Ossmann Star Feb 2011',
                          'url': 'https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html'},
                         {'description': 'Nick Aleks. (2015, November 7). '
                                         'Weapons of a Pentester - '
                                         'Understanding the virtual & physical '
                                         'tools used by white/black hat '
                                         'hackers. Retrieved March 30, 2018.',
                          'source_name': 'Aleks Weapons Nov 2015',
                          'url': 'https://www.youtube.com/watch?v=lDvf4ScWbcQ'},
                         {'description': 'Robert McMillan. (2012, March 3). '
                                         'The Pwn Plug is a little white box '
                                         'that can hack your network. '
                                         'Retrieved March 30, 2018.',
                          'source_name': 'McMillan Pwn March 2012',
                          'url': 'https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/'},
                         {'description': 'Ulf Frisk. (2016, August 5). Direct '
                                         'Memory Attack the Kernel. Retrieved '
                                         'March 30, 2018.',
                          'source_name': 'Frisk DMA August 2016',
                          'url': 'https://www.youtube.com/watch?v=fXthwl6ShOg'}],
 'id': 'attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'}],
 'modified': '2025-10-24T17:49:26.803Z',
 'name': 'Hardware Additions',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'Linux', 'macOS'],
 'x_mitre_version': '1.7'}
Related Threat Actors (1)
DarkVishnya
High