Detect Compromise Hardware Supply Chain in IBM QRadar
Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices such as servers, workstations, network infrastructure, or peripherals. Real-world examples include UEFI firmware implants (LoJax, CosmicStrand, BlackLotus), compromised network interface card firmware (Equation Group capabilities), and server baseboard management controller (BMC) implants. Detection is inherently constrained because the compromise predates the device's arrival, often manifesting as unexpected kernel-mode drivers, firmware modification activity, anomalous out-of-band management traffic, or covert network channels established through compromised NIC or BMC firmware. Defenders should focus on firmware integrity monitoring, hardware inventory baselining, driver signing verification, and anomalous network activity from system-level processes.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1195 Supply Chain Compromise
- Sub-technique
- T1195.003 Compromise Hardware Supply Chain
- Canonical reference
- https://attack.mitre.org/techniques/T1195/003/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
hostname,
username,
QIDNAME(qid) AS event_name,
"EventID",
"ImageLoaded",
"Image",
"CommandLine",
"Signed",
"ServiceName",
"ServiceType",
"ImagePath",
CASE
WHEN "EventID" = '1'
AND (LOWER("CommandLine") LIKE '%afuwin%' OR LOWER("CommandLine") LIKE '%afudos%'
OR LOWER("CommandLine") LIKE '%fpt.exe%' OR LOWER("CommandLine") LIKE '%fptw64%'
OR LOWER("CommandLine") LIKE '%h2offt%' OR LOWER("CommandLine") LIKE '%winphlash%'
OR LOWER("CommandLine") LIKE '%phlash16%' OR LOWER("CommandLine") LIKE '%amifldrv64%'
OR LOWER("CommandLine") LIKE '%meinfo%' OR LOWER("CommandLine") LIKE '%flashrom%'
OR LOWER("CommandLine") LIKE '%fwupdmgr%' OR LOWER("CommandLine") LIKE '%chipsec_main%')
THEN 'Firmware Flash Utility Execution'
WHEN "EventID" = '6'
AND "Signed" = 'false'
AND (LOWER("ImageLoaded") LIKE '%\\temp\\%' OR LOWER("ImageLoaded") LIKE '%\\appdata\\%'
OR LOWER("ImageLoaded") LIKE '%\\programdata\\%' OR LOWER("ImageLoaded") LIKE '%\\users\\public\\%'
OR LOWER("ImageLoaded") LIKE '%\\windows\\temp\\%')
THEN 'Unsigned Driver From Suspicious Path'
WHEN "EventID" = '6'
AND (LOWER("ImageLoaded") LIKE '%\\temp\\%' OR LOWER("ImageLoaded") LIKE '%\\appdata\\%'
OR LOWER("ImageLoaded") LIKE '%\\programdata\\%' OR LOWER("ImageLoaded") LIKE '%\\users\\public\\%'
OR LOWER("ImageLoaded") LIKE '%\\windows\\temp\\%')
THEN 'Driver From Non-Standard Path'
WHEN "EventID" = '7045'
AND (LOWER("ServiceType") LIKE '%kernel mode driver%' OR LOWER("ServiceType") LIKE '%file system driver%')
AND (LOWER("ImagePath") LIKE '%\\temp\\%' OR LOWER("ImagePath") LIKE '%\\appdata\\%'
OR LOWER("ImagePath") LIKE '%\\programdata\\%' OR LOWER("ImagePath") LIKE '%\\windows\\temp\\%')
THEN 'Kernel Driver Service From Suspicious Path'
ELSE 'Unknown'
END AS detection_category
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Sysmon')
AND starttime > NOW() - 1 DAYS
AND (
(
"EventID" = '1' AND
(LOWER("CommandLine") LIKE '%afuwin%' OR LOWER("CommandLine") LIKE '%afudos%'
OR LOWER("CommandLine") LIKE '%fpt.exe%' OR LOWER("CommandLine") LIKE '%fptw64%'
OR LOWER("CommandLine") LIKE '%h2offt%' OR LOWER("CommandLine") LIKE '%winphlash%'
OR LOWER("CommandLine") LIKE '%phlash16%' OR LOWER("CommandLine") LIKE '%amifldrv64%'
OR LOWER("CommandLine") LIKE '%meinfo%' OR LOWER("CommandLine") LIKE '%flashrom%'
OR LOWER("CommandLine") LIKE '%fwupdmgr%' OR LOWER("CommandLine") LIKE '%chipsec_main%')
)
OR (
"EventID" = '6' AND
(LOWER("ImageLoaded") LIKE '%\\temp\\%' OR LOWER("ImageLoaded") LIKE '%\\appdata\\%'
OR LOWER("ImageLoaded") LIKE '%\\programdata\\%' OR LOWER("ImageLoaded") LIKE '%\\users\\public\\%'
OR LOWER("ImageLoaded") LIKE '%\\windows\\temp\\%')
)
OR (
"EventID" = '7045' AND
(LOWER("ServiceType") LIKE '%kernel mode driver%' OR LOWER("ServiceType") LIKE '%file system driver%') AND
(LOWER("ImagePath") LIKE '%\\temp\\%' OR LOWER("ImagePath") LIKE '%\\appdata\\%'
OR LOWER("ImagePath") LIKE '%\\programdata\\%' OR LOWER("ImagePath") LIKE '%\\windows\\temp\\%')
)
)
ORDER BY starttime DESC

QRadar AQL query detecting T1195.003 hardware supply chain compromise across Windows Security and Sysmon log sources. It applies CASE-based detection category assignment to firmware flash tool execution (EventID 1), driver loads from suspicious paths with their signing status (EventID 6), and kernel driver service installation from writable paths (EventID 7045). Results are ordered by recency for analyst triage.
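The classification logic of the query above, re-implemented in Python so it can be unit-tested against constructed events before the AQL is deployed; this is an added example, not code from the page or from IBM. It uses one union of the query's writable-path patterns for all three branches, and adds a tuning hook (allowlisted staging-directory prefixes, here a hypothetical C:\ProgramData\PatchMgmt\ path) for the patch-management false positives described below.

```python
FLASH_TOOLS = ("afuwin", "afudos", "fpt.exe", "fptw64", "h2offt", "winphlash",
               "phlash16", "amifldrv64", "meinfo", "flashrom", "fwupdmgr", "chipsec_main")
WRITABLE_PATHS = ("\\temp\\", "\\appdata\\", "\\programdata\\",   # union of the query's path lists
                  "\\users\\public\\", "\\windows\\temp\\")
KERNEL_SERVICE_TYPES = ("kernel mode driver", "file system driver")

def _writable(path):
    p = (path or "").lower()
    return any(w in p for w in WRITABLE_PATHS)

def classify(event):
    """Return the detection_category the query assigns, or None if WHERE would drop the event."""
    eid = str(event.get("EventID", ""))
    if eid == "1":  # Sysmon process creation: firmware flash / inspection tooling on the command line
        cmd = (event.get("CommandLine") or "").lower()
        return "Firmware Flash Utility Execution" if any(t in cmd for t in FLASH_TOOLS) else None
    if eid == "6":  # Sysmon driver load from a user-writable location
        if not _writable(event.get("ImageLoaded")):
            return None
        if str(event.get("Signed", "")).lower() == "false":
            return "Unsigned Driver From Suspicious Path"
        return "Driver From Non-Standard Path"
    if eid == "7045":  # System log: new service whose binary is a driver living in a writable path
        stype = (event.get("ServiceType") or "").lower()
        if any(k in stype for k in KERNEL_SERVICE_TYPES) and _writable(event.get("ImagePath")):
            return "Kernel Driver Service From Suspicious Path"
    return None

def triage(events, allowed_path_prefixes=()):
    """Classify events and suppress hits whose binary sits under an allowlisted staging prefix."""
    hits = []
    for ev in events:
        cat = classify(ev)
        path = (ev.get("ImageLoaded") or ev.get("ImagePath") or ev.get("Image") or "").lower()
        if cat and not any(path.startswith(p.lower()) for p in allowed_path_prefixes):
            hits.append((cat, path))
    return hits

SAMPLE_EVENTS = [  # constructed records mirroring the page's tests; not real telemetry
    {"EventID": "1", "Image": "C:\\Windows\\Temp\\AFUWINx64.EXE",
     "CommandLine": "C:\\Windows\\Temp\\AFUWINx64.EXE /O bios.rom"},
    {"EventID": "6", "ImageLoaded": "C:\\Users\\Public\\drv.sys", "Signed": "false"},
    {"EventID": "6", "ImageLoaded": "C:\\Windows\\Temp\\oem.sys", "Signed": "true"},
    {"EventID": "6", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Signed": "true"},
    {"EventID": "7045", "ServiceType": "kernel mode driver", "ImagePath": "C:\\Windows\\Temp\\hw_implant_test.sys"},
    {"EventID": "7045", "ServiceType": "user mode service", "ImagePath": "C:\\Windows\\Temp\\x.exe"},
    {"EventID": "1", "Image": "C:\\ProgramData\\PatchMgmt\\fw\\FPTW64.exe",  # hypothetical managed staging dir
     "CommandLine": "C:\\ProgramData\\PatchMgmt\\fw\\FPTW64.exe -f bios.bin"},
]
```

Running `triage(SAMPLE_EVENTS)` yields five hits; passing `allowed_path_prefixes=("C:\\ProgramData\\PatchMgmt\\",)` drops the staged OEM flash to four, which is the tuning the false-positive list below calls for.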
False Positives & Tuning
- Enterprise patch management systems (Ivanti, BigFix, Tanium) distributing OEM firmware update packages that invoke flash utilities from managed staging directories in ProgramData
- OS deployment workflows (MDT, WDS) that extract and install signed drivers from temporary working directories created during automated imaging sequences
- Vendor hardware diagnostic and validation tooling (Dell SupportAssist, HP PC Hardware Diagnostics) invoking firmware inspection utilities during scheduled health checks
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Firmware Inventory Tool Execution (Read-Only Audit)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_BIOS' and 'Win32_BaseBoard'. Security Event ID 4688 (if command line auditing enabled). Note: WMI queries also generate Event ID 4688 for wmiprvse.exe child processes.
- Test 2: Simulate Firmware Flash Tool Execution From Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\Temp\AFUWINx64.EXE. Security Event ID 4688 with NewProcessName=C:\Windows\Temp\AFUWINx64.EXE. The OriginalFileName in PE headers will show cmd.exe (indicating the binary was renamed), which is an additional forensic signal.
- Test 3: Inject Rogue PCI Device Registry Key
Expected signal: Sysmon Event ID 12 (Registry Key Create): TargetObject=HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_DEAD&DEV_BEEF&SUBSYS_00000000&REV_00, Image=powershell.exe. Sysmon Event ID 13 (Registry Value Set): TargetObject containing DeviceDesc. DeviceRegistryEvents in MDE will record ActionType=RegistryKeyCreated with InitiatingProcessFileName=powershell.exe.
- Test 4: Install Kernel Driver Service From Temp Path
Expected signal: Windows System Event ID 7045 (New Service Installed): ServiceName=HWImplantTestDrv, ServiceType=kernel mode driver, StartType=demand start, ImagePath=C:\Windows\Temp\hw_implant_test.sys. Security Event ID 4697 (A service was installed in the system). The ImagePath pointing to \Windows\Temp\ is the primary anomaly indicator.
- Test 5: Simulate BMC/IPMI Network Reconnaissance From Management Interface
Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, User=SYSTEM (or NT AUTHORITY\SYSTEM). Sysmon Event ID 3: Network Connection attempted from curl.exe running as SYSTEM to 127.0.0.1:9876. DeviceNetworkEvents in MDE: InitiatingProcessAccountName=SYSTEM, RemotePort=9876.
References (10)
- https://attack.mitre.org/techniques/T1195/003/
- https://attack.mitre.org/techniques/T1195/
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://www.kaspersky.com/blog/cosmicstrand-uefi-rootkit/45292/
- https://www.binarly.io/posts/Black_Lotus_Unlocking_UEFI_Secure_Boot_Bypass/index.html
- https://github.com/chipsec/chipsec
- https://uefi.org/sites/default/files/resources/UEFI_Spec_2_9_2021_03_18.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.003/T1195.003.md
- https://eclypsium.com/blog/supply-chain-security-hardware-firmware/
- https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-defending-against-hardware-supply-chain-threats.pdf