ITM is an open framework - Submit your contributions now.

Detections

ConsoleHost_history.txt Created Timestamp Discrepancy

ConsoleHost_history.txt File Missing

Windows File Deleted, Event Logs

Windows System Logging was Cleared

Print Spooler Service

Installed Printers via Registry

Printed Documents via Event Logs

Tamper Seal

Cyber Deception, File Canary

Cyber Deception, Honeypot

Cyber Deception, Honey User

Windows Operating System Installed Date

NTFS Timestamp Discrepancy

Utilize Cold Storage for Logs

Windows Local Account Deleted

Windows System Shutdown, Event Logs

Firefox Browser History

Edge Browser History

Chrome Browser History

Shellbags, USB Removable Storage

USBSTOR Registry Key

USB Registry Key

MountedDevices Registry Key

Windows Event Log, DriverFrameworks-UserMode

Windows Setupapi.dev.log

Windows LNK Files

Windows Prefetch

File Metadata

File EXIF Data

auditd Timestamp Modification Rule

Windows Thumbcache

Closed-Circuit Television

Terminal Service Client Registry Key

RDP Bitmap Cache

Windows Jump Lists

auditd File Access

Windows Recycle Bin

Web Proxy Logs

Microsoft Exchange Message Trace

Email Gateway

Network Intrusion Detection Systems

Sysmon Process Create Event

Linux dpkg Log

Agent Capable of User Activity Monitoring

Agent Capable of Endpoint Detection and Response

Agent Capable of User Behaviour Analytics

Data Loss Prevention Solution

Social Media Monitoring

Impossible Travel

DNS Logging

Audit Logging

Missing .bash_history File

.bash_history Timestamp Discrepency

PowerShell Logging

User Account Deleted, Windows Event Log

Chrome Browser Cookies

Chrome Browser Login Data

Chrome Browser Bookmarks

Chrome Browser Extensions

Notepad.exe TabState

Microsoft 365 Admin Center Sign-in Activity

Microsoft Entra ID Sign-in Logs

AWS CloudTrail, Resource Deletion

GCP Cloud Audit Logs, Resource Deletion

Azure Activity Log, Resource Deletion

Financial Auditing

Windows Event Log, Logon and Logoff

Security Software Anti-Tampering Alerts

Windows Event Log, Local Firewall Changes

Map Network Drive MRU

TypedPaths

Network Registry Key

Shellbags, Network Drives

USB MountPoints2

Bash History

AzureAD PowerShell Log

Clipboard Payloads via ActivitiesCache.db

MFT Entry Number Sequence Irregularities

MFT Unusual Timestamp Patterns

MFT and Shimcache Executable Timestamp Comparison

Microsoft Unified Audit Log

Windows Event Log, Software Uninstallation

DNS Monitoring

Deep Packet Inspection

NetFlow Analysis

Windows Event Log, Audit Removable Storage

Virtual Private Network (VPN) Logs

User Behavior Analytics (UBA)

User and Entity Behavior Analytics (UEBA)

Photographic Identification Comparison

Leaver Watchlist

vssadmin Shadow Copy Deletion

Microsoft Entra ID Privileged Identity Management Resource Audit

Microsoft Teams Admin Center Meeting and Call History

macOS File System Events (FSEvents) Store Database

Windows Event Log, System Time Modification

MIP Label Activity Monitoring

Cyber Deception, Honey SPN

Asset Discovery Audit

Tracking Patterns of Policy Violations

Baseline System Performance Profiling

AWS Unauthorized System or Service Modification

GCP Unauthorized System or Service Modification

Azure Unauthorized System or Service Modification

OCI Unauthorized System or Service Modification

SystemPropertiesRemote.exe Execution

Modification of RDP Registry Keys

RDP Group Membership Changes

DNS and HTTPS Traffic to Web-Based Remote Access Platforms

Access to /mnt/c/ from Within WSL

Installation of New WSL Distributions

Threat Intelligence Feeds for Insider Threat Indicators

Registry Value Audit, Start_TrackProgs

Absence of Expected Entries in RunMRU and UserAssist

Microsoft Purview eDiscovery

Snipping Tool Cached Screenshots

Snipping Tool TempState\Snips

Snipping Tool Cached Recordings

Snipping Tool TempState\Recordings

Snipping Tool Autosave Setting Modification

Python History File

OneDrive SafeDelete.db

Discrepancies Between Physical Access Logs and System Authentication

Modification of etc/hosts File

Microsoft Defender, Printed File

Microsoft Defender, Creation of Forwarding/Redirect Rule

Microsoft Defender, Granted Mailbox Permission

Microsoft Defender, Shared File Externally

Automated Visual and Thermal Baseline Scanning of Server Environments

Asset Register Correlation

Microsoft Exchange, Auto Forwarded Message Report

File Integrity Monitoring

Endpoint Network Access Agent Telemetry Monitoring

Installed Software via Registry

Unauthorized USB HID Device Connections

Discovery of IP-KVM Management Interfaces on Internal Networks

ID: DT150
Created: 10th March 2026
Updated: 10th March 2026
Contributor: The ITM Team

Discovery of IP-KVM Management Interfaces on Internal Networks

Identify devices within the internal network exposing web-based management interfaces associated with IP-KVM platforms or similar hardware remote access systems.

Most IP-KVM devices provide a built-in web interface used to view the captured video stream and send keyboard or mouse input to the connected system. These interfaces typically run on embedded Linux systems and expose HTTP or HTTPS services that allow remote management of the device.

If an IP-KVM device is connected to a corporate network, its management interface may become discoverable through internal network scanning or passive network monitoring. The presence of such a device on workstation or user network segments may indicate unauthorized hardware capable of providing covert remote control of connected systems.

Detection Methods

Conduct periodic internal network scans to identify devices exposing HTTP or HTTPS services on workstation or user network segments.
Review scan results for embedded devices or unknown systems presenting web interfaces associated with remote console or KVM functionality.
Inspect HTTP banners, page titles, or service fingerprints that indicate remote console, KVM, or embedded management platforms.
Analyze DHCP lease records and network asset inventories to identify devices appearing on the network that are not recognized as approved corporate assets.
Monitor for previously unseen devices connected to workstation network segments that expose web services but generate minimal normal user traffic.
Investigate devices that maintain persistent external connectivity while exposing local management interfaces, as this may indicate remote administration channels.

Investigative Notes

IP-KVM devices are commonly implemented as small embedded systems that run lightweight Linux environments with built-in web servers. These systems may appear in network scans as unidentified appliances with limited network activity outside of remote management sessions.

Because such devices can be deployed covertly between a workstation and its peripherals, they may not appear in asset inventories or endpoint management systems.

Investigators discovering unknown embedded devices within workstation network segments should verify whether the device is an authorized management platform or an unauthorized hardware remote access system capable of controlling a connected endpoint.

Sections