Hardware Additions

Hardware Additions refers to techniques in which an adversary gains physical access and introduces malicious hardware into a system to compromise it, in forms ranging from implants on peripheral interfaces to replacement of board-level components. Traditional defenses rely mainly on port disabling, device allowlisting and physical audits, monitoring USB/PCIe interface activity and analyzing hardware fingerprint characteristics to identify anomalous devices. As hardware attack techniques have evolved, however, a protection model that relies solely on interface monitoring shows clear shortcomings.

ID: T1200
Sub-techniques: No sub-techniques
Tactic: Initial Access
Platforms: Linux, Windows, macOS
Version: 1.6
Created: 18 April 2018
Last Modified: 30 March 2023

Trace Concealment Effects

Effect type                     Present
Signature Mimicry
Behavioral Transparency
Data Obscuration
Spatiotemporal Trace Dilution

Signature Mimicry

The adversary precisely reproduces the physical characteristics of a legitimate device (interface specification, electrical parameters) and its logical characteristics (device descriptors, protocol stack), so that the malicious hardware presents compliant attributes during enumeration, driver loading and similar stages. For example, a device impersonating a standard HID device fully follows the USB protocol specification, so the system cannot identify the device as anomalous by conventional means.

Behavioral Transparency

Attacks are carried out using zero-day firmware vulnerabilities or undocumented hardware interaction protocols, for example by reverse engineering the DMA timing characteristics of a specific chipset to develop covert attack methods that bypass memory protection mechanisms. Such techniques rely on deep mastery of low-level hardware characteristics, so the attack process produces no observable anomalous behavior.

Data Obscuration

In scenarios such as parasitic access over wireless protocols, the adversary uses dynamic encryption and frequency-hopping communication to hide data transmission in the background noise of legitimate wireless protocols. Combining physical-layer signal modulation with protocol-layer encryption gives the communication content two layers of concealment.

Spatiotemporal Trace Dilution

Transient hardware-component residency techniques use nanoscale device sizes and millisecond-scale attack windows to compress the hardware's presence below the response threshold of traditional detection methods. Device self-destruct mechanisms are also used to eliminate physical evidence, so attack traces are greatly diluted in both space and time, breaking the post-incident forensic chain.

Procedure Examples

ID      Name          Description
G0105   DarkVishnya   DarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.[1]

Mitigations

ID      Mitigation                              Description
M1035   Limit Access to Resource Over Network   Establish network access control policies, such as using device certificates and the 802.1x standard.[2] Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.
M1034   Limit Hardware Installation             Block unknown devices and accessories by endpoint security configuration and monitoring agent.

Detection

ID       Data Source       Data Component            Detects
DS0015   Application Log   Application Log Content   Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.
DS0016   Drive             Drive Creation            Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.
DS0029   Network Traffic   Network Traffic Flow      Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.
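The DHCP-based check described under DS0029, as an added example that is not part of the ATT&CK page: it parses constructed dnsmasq-style DHCP lease lines, flags every lease granted to a MAC address missing from a constructed asset inventory (a stand-in for the CMDB mentioned under DS0015), and raises severity when the MAC's OUI is on a watchlist of commodity single-board computers. The Raspberry Pi OUI prefixes are an illustrative, assumed list; maintain your own from the IEEE OUI registry.

```python
import re

# Constructed dnsmasq-style DHCP log excerpt (sample data, not real traffic)
SAMPLE_LOG = """\
Mar 30 09:12:01 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) b8:27:eb:4a:1c:9d
Mar 30 09:12:01 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.4.51 b8:27:eb:4a:1c:9d raspberrypi
Mar 30 09:15:44 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.4.20 3c:52:82:0d:77:e1 WS-FIN-017
Mar 30 09:21:09 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.4.77 00:1e:06:aa:bb:cc
"""

# Constructed stand-in for a CMDB / asset inventory: registered MAC -> asset tag
INVENTORY = {"3c:52:82:0d:77:e1": "WS-FIN-017"}

# OUI prefixes of single-board computers commonly seen in hardware additions.
# Illustrative list (assumption): populate from the IEEE OUI registry in practice.
WATCHLIST_OUIS = {"b8:27:eb": "Raspberry Pi Foundation",
                  "dc:a6:32": "Raspberry Pi Trading"}

# Only DHCPACK lines carry the interface, the assigned IP, the MAC and (optionally) hostname
LEASE_RE = re.compile(
    r"DHCPACK\((?P<iface>\S+)\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: (?P<host>\S+))?"
)

def find_unregistered_leases(log_text, inventory, watchlist=WATCHLIST_OUIS):
    """Return one finding per completed lease whose MAC is absent from the inventory."""
    findings = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m is None:
            continue  # DISCOVER/OFFER/REQUEST lines are skipped; the ACK is the lease
        mac = m["mac"].lower()
        if mac in inventory:
            continue  # registered asset, nothing to report
        oui = mac[:8]
        findings.append({
            "mac": mac,
            "ip": m["ip"],
            "iface": m["iface"],
            "hostname": m["host"] or "",
            "vendor_hint": watchlist.get(oui, "not on watchlist"),
            "severity": "high" if oui in watchlist else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in find_unregistered_leases(SAMPLE_LOG, INVENTORY):
        print(f"[{f['severity']}] {f['mac']} leased {f['ip']} on {f['iface']} "
              f"host={f['hostname'] or '-'} ({f['vendor_hint']})")
```

A lease that never appears in the inventory is the signal; the OUI only prioritizes triage, since an adversary can set an arbitrary MAC.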

References