MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.
Peripheral Management
Manage peripheral devices used on systems within the network for active defense purposes.
Peripheral Management is the administration of peripheral devices used on systems within the network for defensive or deceptive purposes. A defender can choose to allow or deny certain types of peripherals from being used on systems. Defenders can also introduce certain peripherals to an adversary-controlled system to see how the adversary reacts.
Details
ID:
DTE0029
Opportunities
| ID | Description |
|---|---|
| DOS0023 | There is an opportunity to gauge an adversary's interest in connected peripheral devices. |
| DOS0024 | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. |
Use Cases
| ID | Description |
|---|---|
| DUC0023 | A defender can connect one or more peripheral devices to a decoy system to see if an adversary has any interest in them. |
| DUC0024 | A defender can plug in a USB drive and see how quickly the adversary notices and inspects it. |
| DUC0205 | A defender could use decoy peripherals, such as external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes. |
| DUC0211 | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removal media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |
Procedures
| ID | Description |
|---|---|
| DPR0050 | Introduce external devices (e.g. a USB drive) to a machine in an adversary engagement scenario to see how quickly an adversary gains awareness to its presence and if they attempt to leverage the device. |
| DPR0051 | Configure controls (such as AutoRun) which would require an adversary to take additional steps when leveraging a peripheral device to execute their tools. |
ATT&CK® Techniques
ID | Name | ATT&CK Tactics |
|---|---|---|
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1092 | Communication Through Removable Media | Command and Control |
| T1120 | Peripheral Device Discovery | Discovery |