T1592.001 Hardware Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1592.001 — Gather Victim Host Information: Hardware
// Detects the minority of hardware reconnaissance activity visible within victim networks.
// PRIMARY LIMITATION: Most T1592.001 activity (Shodan scanning, OSINT, job postings, LinkedIn)
// occurs entirely outside the victim environment. This query targets the two detectable
// in-environment signals: ScanBox-style JavaScript fingerprinting exfiltration and
// SNMP/service enumeration attempts against managed hosts.
//
// Confidence is LOW due to fundamental external-nature of this PRE technique.

let ExcludedHostnames = dynamic([
    "microsoft.com", "office.com", "windows.com", "live.com", "microsoftonline.com",
    "google.com", "googleapis.com", "gstatic.com",
    "apple.com", "icloud.com",
    "mozilla.org", "firefox.com",
    "amazon.com", "amazonaws.com", "cloudfront.net",
    "akamai.net", "akamaized.net", "cloudflare.com",
    "fastly.net", "cdn77.com"
]);
// ScanBox and similar JavaScript reconnaissance framework URL patterns
let ScanBoxURLPatterns = dynamic([
    "/scanbox", "/fp.php", "/gate.php", "/collect.php", "/beacon.php",
    "/hwinfo", "/hardware", "/fingerprint", "/stat.php", "/track.php"
]);
// Hardware-identifying parameters exfiltrated by browser fingerprinting scripts
let HardwareFingerprintParams = dynamic([
    "hardwareConcurrency", "deviceMemory", "cpuClass",
    "hardwareinfo", "numCores", "screenDepth",
    "colorDepth", "pixelDepth", "touchPoints"
]);
// Branch 1: Proxy/Firewall (CommonSecurityLog) detecting ScanBox-style POST exfiltration
let Branch1 = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceProduct has_any ("Proxy", "Web Gateway", "URL Filter", "Firewall", "WAF", "NGFW")
    or DeviceVendor has_any ("Palo Alto Networks", "Fortinet", "Zscaler", "iboss",
                              "Symantec", "McAfee", "Blue Coat", "Cisco", "F5", "Imperva")
| where RequestMethod =~ "POST"
| where BytesSent between (100 .. 50000)
| where RequestURL has_any (ScanBoxURLPatterns)
    or AdditionalExtensions has_any (HardwareFingerprintParams)
    or Message has_any (HardwareFingerprintParams)
| where not(DestinationHostName has_any (ExcludedHostnames))
| extend DetectionBranch = "ScanBox-POST"
| extend RiskIndicator = case(
    RequestURL has_any ("/scanbox", "/gate.php", "/fp.php"), "KnownScanBoxURL",
    AdditionalExtensions has_any ("hardwareConcurrency", "deviceMemory", "cpuClass"), "HardwareFingerprintParam",
    RequestURL has_any ("/collect.php", "/beacon.php") and BytesSent > 500, "FingerprintExfiltration",
    "SuspiciousFingerprintURL"
)
| project TimeGenerated, SourceUserName, SourceIP, DestinationHostName, DestinationPort,
          RequestURL, RequestMethod, BytesSent, BytesReceived,
          DeviceVendor, Activity, RiskIndicator, DetectionBranch;
// Branch 2: SNMP enumeration targeting hardware OIDs from external/unexpected sources
// SNMP OID 1.3.6.1.2.1.25.3.2 = hrDeviceType, OID 1.3.6.1.2.1.47 = ENTITY-MIB (hardware)
let Branch2 = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort == 161 or DestinationPort == 162  // SNMP UDP ports
| where ipv4_is_private(SourceIP) == false  // Inbound from external
| extend DetectionBranch = "ExternalSNMPEnum"
| extend RiskIndicator = "ExternalSNMPHardwareEnum"
| project TimeGenerated, SourceUserName = "", SourceIP, 
          DestinationHostName, DestinationPort,
          RequestURL = "", RequestMethod = "SNMP", BytesSent, BytesReceived,
          DeviceVendor, Activity, RiskIndicator, DetectionBranch;
Branch1
| union Branch2
| sort by TimeGenerated desc

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Application Log: Application Log Content

Required Tables

CommonSecurityLog

False Positives

Analytics and telemetry platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics including screen resolution, hardware concurrency, and device memory for UX analytics
Authorized vulnerability management tools (Qualys, Rapid7 InsightVM, Tenable Nessus, Qualys VMDR) performing scheduled asset inventory scans including SNMP hardware enumeration from known scanner IPs
Web application performance monitoring frameworks (Modernizr, feature-detective.js) that detect browser hardware capabilities for progressive enhancement and responsive design decisions
Internal IT asset management systems performing SNMP polling for hardware inventory, network management, or capacity planning — typically from known NMS IP ranges
Content delivery networks and web performance tools (New Relic Browser, Datadog RUM, Dynatrace) that collect device/hardware metrics as part of real user monitoring

Splunk

spl

| multisearch
  [
    search index=proxy (sourcetype="bluecoat:proxysg:access:kv" OR sourcetype="cisco:wsa:squid" OR sourcetype="websense:cg:kv" OR sourcetype="zscaler:metadata")
        cs_method=POST
    | eval url_lower=lower(cs_uri_stem)
    | eval query_lower=lower(coalesce(cs_uri_query, ""))
    | eval bytes_sent=if(isnum(cs_bytes), cs_bytes, 0)
    | where (match(url_lower, "(\/scanbox|\/fp\.php|\/gate\.php|\/collect\.php|\/beacon\.php|\/hwinfo|\/hardware|\/stat\.php|\/fingerprint)")
             OR match(query_lower, "(hardwareconcurrency|devicememory|cpuclass|hardwareinfo|numcores|colorDepth|pixelDepth|touchPoints)"))
        AND bytes_sent > 100
        AND NOT match(lower(cs_host), "(microsoft\.com|office\.com|windows\.com|google\.com|apple\.com|mozilla\.org|amazon\.com|amazonaws\.com|akamai\.net|cloudflare\.com|fastly\.net|cdn77\.com|microsoftonline\.com)")
    | eval DetectionBranch="ScanBox-POST-Exfiltration"
    | eval RiskIndicator=case(
        match(url_lower, "(\/scanbox|\/gate\.php|\/fp\.php)"), "KnownScanBoxURL",
        match(query_lower, "(hardwareconcurrency|devicememory|cpuclass)"), "HardwareFingerprintParam",
        match(url_lower, "(\/collect\.php|\/beacon\.php)") AND bytes_sent > 500, "FingerprintExfiltration",
        1==1, "SuspiciousFingerprintURL"
    )
    | table _time, src, src_user, cs_host, cs_uri_stem, cs_uri_query, cs_method, cs_bytes, RiskIndicator, DetectionBranch
  ]
  [
    search (index=network OR index=firewall) (sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="fortinet:firewall")
        dest_port=161
    | where NOT match(src, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")
    | eval DetectionBranch="ExternalSNMP-HardwareEnum"
    | eval RiskIndicator="ExternalSNMPRequest"
    | rename src as cs_host, dest as dest_host
    | table _time, src, cs_host, dest_host, dest_port, RiskIndicator, DetectionBranch
  ]
| sort - _time
| table _time, src, src_user, cs_host, cs_uri_stem, cs_uri_query, cs_method, cs_bytes, RiskIndicator, DetectionBranch

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Web Proxy Logs Firewall Logs

Required Sourcetypes

bluecoat:proxysg:access:kv cisco:wsa:squid websense:cg:kv zscaler:metadata pan:traffic cisco:asa fortinet:firewall

False Positives

Analytics platforms (Mixpanel, Amplitude, Heap) performing legitimate device metrics collection via POST requests that superficially match hardware fingerprint patterns
Authorized network management systems performing SNMP hardware polling from known NMS subnets — these should be excluded by adding internal scanner IPs to an allowlist
Web performance monitoring tools (New Relic Browser, Datadog RUM) collecting device hardware metrics for real user monitoring
Security rating services (BitSight, SecurityScorecard, RiskRecon) that perform external scanning which may reach SNMP-exposed assets
Partner or vendor organizations performing authorized technical assessments that include hardware inventory enumeration

Elastic Security (EQL)

eql

// T1592.001 — Hardware Reconnaissance
network where destination.port == 161
  and not source.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
    "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*",
    "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")

medium severity low confidence

Data Sources

Network Traffic Firewall Logs

Required Tables

logs-network_traffic.* logs-endpoint.events.network-*

False Positives

Analytics and telemetry platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics including screen resolution, hardware concurrency, and device memory for UX analytics
Authorized vulnerability management tools (Qualys, Rapid7 InsightVM, Tenable Nessus, Qualys VMDR) performing scheduled asset inventory scans including SNMP hardware enumeration from known scanner IPs
Web application performance monitoring frameworks (Modernizr, feature-detective.js) that detect browser hardware capabilities for progressive enhancement and responsive design decisions
Internal IT asset management systems performing SNMP polling for hardware inventory, network management, or capacity planning — typically from known NMS IP ranges

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN "destinationport" = 161 AND NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)) THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE ("destinationport" = 161 AND NOT (INCIDR('10.0.0.0/8', sourceip) OR INCIDR('192.168.0.0/16', sourceip) OR INCIDR('172.16.0.0/12', sourceip)))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Analytics and telemetry platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics including screen resolution, hardware concurrency, and device memory for UX analytics
Authorized vulnerability management tools (Qualys, Rapid7 InsightVM, Tenable Nessus, Qualys VMDR) performing scheduled asset inventory scans including SNMP hardware enumeration from known scanner IPs
Web application performance monitoring frameworks (Modernizr, feature-detective.js) that detect browser hardware capabilities for progressive enhancement and responsive design decisions
Internal IT asset management systems performing SNMP polling for hardware inventory, network management, or capacity planning — typically from known NMS IP ranges

Sumo Logic CSE

sql

_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
| where dest_port = 161
| where !(src_ip matches "10.*") and !(src_ip matches "192.168.*") and !(src_ip matches "172.16.*")
| count by src_ip, dest_ip
| if(_count > 5, "High", if(_count > 2, "Medium", "Low")) as RiskScore

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

network/firewall security/network

False Positives

Analytics and telemetry platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics including screen resolution, hardware concurrency, and device memory for UX analytics
Authorized vulnerability management tools (Qualys, Rapid7 InsightVM, Tenable Nessus, Qualys VMDR) performing scheduled asset inventory scans including SNMP hardware enumeration from known scanner IPs
Web application performance monitoring frameworks (Modernizr, feature-detective.js) that detect browser hardware capabilities for progressive enhancement and responsive design decisions
Internal IT asset management systems performing SNMP polling for hardware inventory, network management, or capacity planning — typically from known NMS IP ranges

Google Chronicle / SecOps

yaral

rule t1592_001_hardware_recon {
  meta:
    author = "df00tech"
    description = "Detects SNMP enumeration from external sources targeting internal assets"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1592.001"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.port = 161
    not re.regex($e.principal.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_CONNECTION NETWORK_FLOW

False Positives

Analytics and telemetry platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics including screen resolution, hardware concurrency, and device memory for UX analytics
Authorized vulnerability management tools (Qualys, Rapid7 InsightVM, Tenable Nessus, Qualys VMDR) performing scheduled asset inventory scans including SNMP hardware enumeration from known scanner IPs
Web application performance monitoring frameworks (Modernizr, feature-detective.js) that detect browser hardware capabilities for progressive enhancement and responsive design decisions
Internal IT asset management systems performing SNMP polling for hardware inventory, network management, or capacity planning — typically from known NMS IP ranges

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=count(as=TotalConns))
| TotalConns > 100
| TechniqueLabel := "T1592.001 - Reconnaissance"
| table([@timestamp, RemoteAddressIP4, TotalConns, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Analytics and telemetry platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics including screen resolution, hardware concurrency, and device memory for UX analytics
Authorized vulnerability management tools (Qualys, Rapid7 InsightVM, Tenable Nessus, Qualys VMDR) performing scheduled asset inventory scans including SNMP hardware enumeration from known scanner IPs
Web application performance monitoring frameworks (Modernizr, feature-detective.js) that detect browser hardware capabilities for progressive enhancement and responsive design decisions
Internal IT asset management systems performing SNMP polling for hardware inventory, network management, or capacity planning — typically from known NMS IP ranges

Hardware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections