
Insider Threat Matrix™
  • ID: PR036
  • Created: 10th March 2026
  • Updated: 10th March 2026
  • Contributor: Leonardo Segura

Hardware-Based Remote Access (IP-KVM)

A subject deploys a hardware-based remote access device, typically an IP-KVM (Keyboard, Video, Mouse over IP) system, to remotely interact with a workstation or server through its physical interfaces.

These devices connect directly to the system’s video output (HDMI or DisplayPort) and USB ports, capturing the display signal while injecting keyboard and mouse input remotely. The device presents itself to the operating system as standard USB Human Interface Devices (HID), such as a generic keyboard and mouse, allowing the subject to interact with the system as though physically present at the console.

Because the interaction occurs through physical interface emulation rather than installed software, activity generated through the device appears as local console input to the operating system. This can bypass controls designed to detect or restrict software-based remote access tools such as Remote Desktop Protocol (RDP) or third-party remote administration platforms.

Many IP-KVM devices provide independent network connectivity, including Ethernet, Wi-Fi, or cellular access, allowing the subject to maintain remote interaction with the system through an external management interface. When used in this manner, the remote session may not traverse corporate remote access infrastructure or generate conventional remote access/network logs.

While these devices have legitimate uses in system administration, hardware labs, and data center environments, a subject may deploy them covertly to maintain persistent remote access to a system without installing software or triggering typical remote access monitoring or network controls.

Within the Insider Threat Matrix, this behavior represents preparatory activity, as it establishes a covert remote control capability that may later enable unauthorized access, data exfiltration, or system manipulation.
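
As an added example (not part of the Insider Threat Matrix entry), the Python below shows one way a defender could act on the USB HID behaviour described above: compare device-attach records against a per-host baseline and surface unapproved keyboards and mice for review. The host names, vendor/product IDs, record layout and severity ranking are constructed assumptions; only the HID class code (0x03) and the boot-interface protocol codes (1 for keyboard, 2 for mouse) come from the USB HID specification.

```python
# Added example: constructed data and hypothetical field layout.
HID_CLASS = 0x03          # USB class code for Human Interface Device
KEYBOARD, MOUSE = 1, 2    # HID boot-interface protocol codes

# Constructed per-host baseline of approved (vendor_id, product_id) pairs.
BASELINE = {
    "ws-0141": {("aaaa", "0001"), ("aaaa", "0002")},
    "srv-db02": set(),  # headless server: no console HID expected
}

# Constructed attach events: (host, time, vid, pid, [(class, protocol), ...])
EVENTS = [
    ("ws-0141", "2026-03-02T08:01:10Z", "aaaa", "0001", [(3, 1)]),
    ("ws-0141", "2026-03-02T08:01:11Z", "aaaa", "0002", [(3, 2)]),
    ("ws-0141", "2026-03-04T19:42:37Z", "bbbb", "0010", [(3, 1), (3, 2)]),
    ("srv-db02", "2026-03-05T02:13:05Z", "cccc", "0020", [(3, 1)]),
    ("ws-0141", "2026-03-06T09:00:00Z", "dddd", "0030", [(8, 80)]),  # mass storage
]

def hid_roles(interfaces):
    """Return the console-input roles ('keyboard', 'mouse') a device exposes."""
    roles = set()
    for cls, proto in interfaces:
        if cls == HID_CLASS and proto == KEYBOARD:
            roles.add("keyboard")
        elif cls == HID_CLASS and proto == MOUSE:
            roles.add("mouse")
    return roles

def unapproved_console_hid(events, baseline):
    """Flag HID keyboards/mice attached outside a host's approved baseline."""
    findings = []
    for host, when, vid, pid, interfaces in events:
        roles = hid_roles(interfaces)
        if not roles or (vid, pid) in baseline.get(host, set()):
            continue  # not console input, or an approved device
        # Assumed ranking: one new device exposing both roles, or any console
        # HID on a host with an empty baseline, is reviewed first.
        high = roles == {"keyboard", "mouse"} or not baseline.get(host)
        findings.append((host, when, f"{vid}:{pid}", sorted(roles),
                         "high" if high else "medium"))
    return findings

if __name__ == "__main__":
    for finding in unapproved_console_hid(EVENTS, BASELINE):
        print(finding)
```

A finding is a lead for physical inspection rather than a verdict: wireless receiver dongles and docking stations also enumerate as combined keyboard and mouse devices, so the baseline needs to reflect approved peripherals.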