T1195.003 Microsoft Sentinel · KQL

Detect Compromise Hardware Supply Chain in Microsoft Sentinel

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices such as servers, workstations, network infrastructure, or peripherals. Real-world examples include UEFI firmware implants (LoJax, CosmicStrand, BlackLotus), compromised network interface card firmware (Equation Group capabilities), and server baseboard management controller (BMC) implants. Detection is inherently constrained because the compromise predates the device's arrival, often manifesting as unexpected kernel-mode drivers, firmware modification activity, anomalous out-of-band management traffic, or covert network channels established through compromised NIC or BMC firmware. Defenders should focus on firmware integrity monitoring, hardware inventory baselining, driver signing verification, and anomalous network activity from system-level processes.

MITRE ATT&CK

Tactic: Initial Access
Technique: T1195 Supply Chain Compromise
Sub-technique: T1195.003 Compromise Hardware Supply Chain
Canonical reference: https://attack.mitre.org/techniques/T1195/003/

KQL Detection Query

Microsoft Sentinel (KQL)
// T1195.003 — Hardware Supply Chain Compromise
// Detects OS-observable artifacts: untrusted driver images loaded from suspicious paths,
// firmware flash utility execution, unexpected PCI device registration, and
// kernel-mode driver service installation (System Event ID 7045) from suspicious paths
let LookbackWindow = ago(24h);
let FirmwareFlashTools = dynamic([
    "afuwin.exe", "afuwin64.exe", "afudos.exe", "fpt.exe", "fptw64.exe",
    "h2offt.exe", "h2offt-wx64.exe", "h2offt-wx86.exe", "flashrom.exe",
    "winphlash.exe", "phlash16.exe", "amifldrv64.sys", "meinfo.exe",
    "meinfowin.exe", "meinfowin64.exe", "fwupdmgr.exe", "chipsec_main.exe"
]);
let SuspiciousDriverPaths = dynamic([
    "\\Temp\\", "\\AppData\\", "\\ProgramData\\",
    "\\Users\\Public\\", "\\Windows\\Temp\\"
]);
let KnownGoodSigners = dynamic([
    "Microsoft Windows", "Microsoft Corporation", "Intel Corporation",
    "Intel(R) Corporation", "Advanced Micro Devices", "NVIDIA Corporation",
    "Realtek Semiconductor", "Broadcom Corporation", "Qualcomm Atheros",
    "Marvell Semiconductor", "Dell Inc", "HP Inc", "Hewlett Packard",
    "Lenovo", "ASUSTek Computer"
]);
union isfuzzy=true
(
    // Branch 1: Driver images loaded from non-standard paths (implant payload delivery).
    // DeviceImageLoadEvents carries no signer columns, so certificate state is joined
    // from DeviceFileCertificateInfo on the file hash.
    DeviceImageLoadEvents
    | where Timestamp > LookbackWindow
    | where FolderPath has_any (SuspiciousDriverPaths)
    | join kind=leftouter (
        DeviceFileCertificateInfo
        | where Timestamp > ago(30d)
        | summarize arg_max(Timestamp, Signer, IsSigned, IsTrusted) by SHA1
        | project SHA1, Signer, IsSigned, IsTrusted
      ) on SHA1
    | extend SignatureState = case(IsSigned == true and IsTrusted == true, "SignedValid",
                                   IsSigned == true, "SignedUntrusted", "Unsigned")
    | where SignatureState != "SignedValid" or not(Signer has_any (KnownGoodSigners))
    | extend DetectionBranch = "Untrusted Driver From Non-Standard Path"
    | extend RiskDetail = strcat("Driver: ", FileName, " | Signer: ", iif(isempty(Signer), "UNSIGNED", Signer), " | State: ", SignatureState, " | Path: ", FolderPath)
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, DetectionBranch, FileName, FolderPath, Signer, SignatureState, SHA256, RiskDetail
),
(
    // Branch 2: Firmware flash utilities executing outside vendor update processes
    DeviceProcessEvents
    | where Timestamp > LookbackWindow
    | where FileName has_any (FirmwareFlashTools)
        or ProcessCommandLine has_any (FirmwareFlashTools)
    | where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "install.exe", "Update.exe", "DellUpdate.exe", "HPFirmwareUpdRec.exe")
    | extend DetectionBranch = "Firmware Flash Utility Execution"
    | extend RiskDetail = strcat("Tool: ", FileName, " | CmdLine: ", ProcessCommandLine, " | Parent: ", InitiatingProcessFileName)
    | project Timestamp, DeviceName, AccountName, DetectionBranch, FileName, FolderPath, Signer = "", SignatureState = "", SHA256, RiskDetail
),
(
    // Branch 3: New PCI device registry keys created by unexpected processes
    DeviceRegistryEvents
    | where Timestamp > LookbackWindow
    | where ActionType == "RegistryKeyCreated"
    | where RegistryKey matches regex @"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_[A-F0-9]{4}&DEV_[A-F0-9]{4}"
    | where InitiatingProcessFileName !in~ ("services.exe", "drvinst.exe", "setuphost.exe", "DrvInst.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe")
    | extend DetectionBranch = "Unexpected PCI Device Registration"
    | extend RiskDetail = strcat("New PCI key: ", RegistryKey, " | Process: ", InitiatingProcessFileName, " | PID: ", tostring(InitiatingProcessId))
    | project Timestamp, DeviceName, AccountName = "", DetectionBranch, FileName = InitiatingProcessFileName, FolderPath = RegistryKey, Signer = "", SignatureState = "", SHA256 = "", RiskDetail
),
(
    // Branch 4: Kernel driver service installation (System log Event ID 7045, Service Control Manager).
    // 7045 is written to the System log, so in Sentinel it lands in the Event table, not SecurityEvent;
    // the named <Data> fields are pulled out of the EventData XML.
    Event
    | where TimeGenerated > LookbackWindow
    | where EventLog == "System" and EventID == 7045
    | extend ServiceName = extract(@'Data Name="ServiceName">([^<]*)<', 1, EventData)
    | extend ServiceType = extract(@'Data Name="ServiceType">([^<]*)<', 1, EventData)
    | extend ImagePath = extract(@'Data Name="ImagePath">([^<]*)<', 1, EventData)
    | where ServiceType has_any ("kernel mode driver", "file system driver")
    | where ImagePath has_any (SuspiciousDriverPaths)
    | extend DetectionBranch = "Kernel Driver Service Installed From Suspicious Path"
    | extend RiskDetail = strcat("Service: ", ServiceName, " | Type: ", ServiceType, " | Path: ", ImagePath)
    | project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = UserName, DetectionBranch, FileName = ServiceName, FolderPath = ImagePath, Signer = "", SignatureState = "", SHA256 = "", RiskDetail
)
| sort by Timestamp desc
Severity: critical · Confidence: low

Multi-branch detection for hardware supply chain compromise artifacts observable from within the OS. Branch 1 catches unsigned or untrusted driver images loaded from temporary or user-writable paths — a common delivery mechanism for firmware implant payloads. Branch 2 detects execution of BIOS/UEFI/firmware flash utilities outside of known vendor update processes, which could indicate an adversary reflashing hardware post-compromise. Branch 3 identifies unexpected PCI device registrations from non-installer processes, which may indicate a rogue hardware device appearing post-deployment. Branch 4 uses Windows System log Event ID 7045 (Service Control Manager) to catch kernel-mode driver service installation from suspicious paths. Confidence is low because the underlying hardware compromise is invisible from within the OS — these queries detect derivative effects only.
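Branches 3 and 4 re-expressed as plain Python over constructed events, as an added example that is not part of the original page: it extracts ServiceName/ServiceType/ImagePath from a 7045 EventData payload the way the KQL does and applies the same path and process allow-list checks, which lets the logic be unit-tested before the rule is deployed. The sample XML is constructed from the page's Test 4 values, not a real capture.

```python
import re
from xml.etree import ElementTree as ET

# Lists mirrored from the KQL query above (compared case-insensitively, like has_any / !in~).
SUSPICIOUS_DRIVER_PATHS = ("\\temp\\", "\\appdata\\", "\\programdata\\",
                           "\\users\\public\\", "\\windows\\temp\\")
DRIVER_SERVICE_TYPES = ("kernel mode driver", "file system driver")
PCI_INSTALLER_PROCS = {"services.exe", "drvinst.exe", "setuphost.exe", "svchost.exe",
                       "msiexec.exe", "trustedinstaller.exe"}
PCI_KEY_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_[A-F0-9]{4}&DEV_[A-F0-9]{4}")

# Constructed 7045 payload in the shape Windows writes to the System log; the values are
# the ones the page's Test 4 expects (sample data, not a real capture).
SAMPLE_7045 = (
    '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<Data Name="ServiceName">HWImplantTestDrv</Data>'
    '<Data Name="ImagePath">C:\\Windows\\Temp\\hw_implant_test.sys</Data>'
    '<Data Name="ServiceType">kernel mode driver</Data>'
    '<Data Name="StartType">demand start</Data>'
    '<Data Name="AccountName"></Data></EventData>'
)


def parse_7045(event_data_xml):
    """Return the named <Data> fields of a 7045 event as a dict (namespace-agnostic)."""
    root = ET.fromstring(event_data_xml)
    return {el.get("Name"): (el.text or "")
            for el in root.iter() if el.tag.split("}")[-1] == "Data"}


def suspicious_driver_service(event_data_xml):
    """Branch 4: a kernel/file-system driver service whose image lives in a writable path."""
    fields = parse_7045(event_data_xml)
    is_driver = any(t in fields.get("ServiceType", "").lower() for t in DRIVER_SERVICE_TYPES)
    bad_path = any(p in fields.get("ImagePath", "").lower() for p in SUSPICIOUS_DRIVER_PATHS)
    return is_driver and bad_path


def unexpected_pci_registration(registry_key, initiating_process):
    """Branch 3: a new PCI VEN_xxxx&DEV_xxxx key created by a non-installer process."""
    return bool(PCI_KEY_RE.search(registry_key)) and initiating_process.lower() not in PCI_INSTALLER_PROCS


if __name__ == "__main__":
    print("7045 flagged:", suspicious_driver_service(SAMPLE_7045))
    print("PCI flagged:", unexpected_pci_registration(
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_DEAD&DEV_BEEF&SUBSYS_00000000&REV_00",
        "powershell.exe"))
```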

Data Sources

  • Driver: Driver Load
  • Process: Process Creation
  • Windows Registry: Windows Registry Key Creation
  • Windows Registry: Windows Registry Key Modification
  • Firmware: Firmware Modification
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceImageLoadEvents
  • DeviceFileCertificateInfo (signer data joined in Branch 1)
  • DeviceProcessEvents
  • DeviceRegistryEvents
  • Event (Windows System log, Event ID 7045)

False Positives & Tuning

  • Hardware vendor management software (Dell SupportAssist, HP Support Assistant, Lenovo Vantage) legitimately executes firmware flash utilities and installs drivers during scheduled updates — filter by known vendor parent processes and scheduled maintenance windows
  • Windows Update and Windows Driver Framework (drvinst.exe, setuphost.exe, TrustedInstaller.exe) legitimately create PCI registry keys and install drivers during OS updates — these processes are explicitly excluded but verify parent process chains
  • IT administrators running firmware audit tools (chipsec, flashrom in read-only mode, MEInfo) for inventory or security assessments — coordinate with asset management teams to identify authorized audit activity
  • New hardware installations (RAM, PCIe NIC, GPU, storage controllers) added by IT staff post-deployment legitimately trigger PCI device registration events — correlate with IT change tickets
  • Pre-production hardware validation labs where firmware is legitimately flashed as part of manufacturing QA processes — these environments may need separate detection policies
  • Third-party hardware management agents (Dell OMSA, HPE iLO Amplifier, Lenovo XClarity) may load drivers from non-standard installation paths during their own setup procedures

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Firmware Inventory Tool Execution (Read-Only Audit)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_BIOS' and 'Win32_BaseBoard'. Security Event ID 4688 (if command line auditing enabled). Note: WMI queries also generate Event ID 4688 for wmiprvse.exe child processes.

  2. Test 2: Simulate Firmware Flash Tool Execution From Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\Temp\AFUWINx64.EXE. Security Event ID 4688 with NewProcessName=C:\Windows\Temp\AFUWINx64.EXE. The OriginalFileName in PE headers will show cmd.exe (indicating the binary was renamed), which is an additional forensic signal.

  3. Test 3: Inject Rogue PCI Device Registry Key

    Expected signal: Sysmon Event ID 12 (Registry Key Create): TargetObject=HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_DEAD&DEV_BEEF&SUBSYS_00000000&REV_00, Image=powershell.exe. Sysmon Event ID 13 (Registry Value Set): TargetObject containing DeviceDesc. DeviceRegistryEvents in MDE will record ActionType=RegistryKeyCreated with InitiatingProcessFileName=powershell.exe.

  4. Test 4: Install Kernel Driver Service From Temp Path

    Expected signal: Windows System Event ID 7045 (New Service Installed): ServiceName=HWImplantTestDrv, ServiceType=kernel mode driver, StartType=demand start, ImagePath=C:\Windows\Temp\hw_implant_test.sys. Security Event ID 4697 (A service was installed in the system). The ImagePath pointing to \Windows\Temp\ is the primary anomaly indicator.

  5. Test 5: Simulate BMC/IPMI Network Reconnaissance From Management Interface

    Expected signal: Sysmon Event ID 1: Process Create with Image=curl.exe, User=SYSTEM (or NT AUTHORITY\SYSTEM). Sysmon Event ID 3: Network Connection attempted from curl.exe running as SYSTEM to 127.0.0.1:9876. DeviceNetworkEvents in MDE: InitiatingProcessAccountName=SYSTEM, RemotePort=9876.
