T1592.001 Splunk · SPL

Detect Hardware in Splunk

Adversaries may gather information about the victim's host hardware that can be used during targeting. Hardware details may include types and versions of specific hosts, as well as the presence of additional defensive components such as smart card readers, biometric authentication hardware, TPM chips, and dedicated encryption co-processors. Adversaries gather this information via direct Active Scanning (ex: banner grabbing, SNMP enumeration), Phishing for Information, or by compromising third-party websites and deploying malicious JavaScript reconnaissance frameworks (such as ScanBox) that silently collect host hardware telemetry from visiting users. Hardware information may also be passively harvested from publicly accessible sources including job postings listing specific hardware requirements, LinkedIn profiles, assessment reports, equipment purchase invoices, and network topology diagrams. Collected hardware intelligence enables adversaries to tailor exploits for specific processor architectures, identify hardware vulnerabilities (e.g., Spectre/Meltdown variants), plan hardware supply chain attack opportunities (T1195.003), and understand the physical security posture of the target — including whether hardware-based authentication is in use.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1592 Gather Victim Host Information
Sub-technique
T1592.001 Hardware
Canonical reference
https://attack.mitre.org/techniques/T1592/001/

SPL Detection Query

Splunk (SPL)

| multisearch
  [
    search index=proxy (sourcetype="bluecoat:proxysg:access:kv" OR sourcetype="cisco:wsa:squid" OR sourcetype="websense:cg:kv" OR sourcetype="zscaler:metadata")
        cs_method=POST
    | eval url_lower=lower(cs_uri_stem)
    | eval query_lower=lower(coalesce(cs_uri_query, ""))
    | eval bytes_sent=if(isnum(cs_bytes), cs_bytes, 0)
    | where (match(url_lower, "(\/scanbox|\/fp\.php|\/gate\.php|\/collect\.php|\/beacon\.php|\/hwinfo|\/hardware|\/stat\.php|\/fingerprint)")
             OR match(query_lower, "(hardwareconcurrency|devicememory|cpuclass|hardwareinfo|numcores|colordepth|pixeldepth|touchpoints)"))
        AND bytes_sent > 100
        AND NOT match(lower(cs_host), "(^|\.)(microsoft\.com|office\.com|windows\.com|google\.com|apple\.com|mozilla\.org|amazon\.com|amazonaws\.com|akamai\.net|cloudflare\.com|fastly\.net|cdn77\.com|microsoftonline\.com)$")
    | eval DetectionBranch="ScanBox-POST-Exfiltration"
    | eval RiskIndicator=case(
        match(url_lower, "(\/scanbox|\/gate\.php|\/fp\.php)"), "KnownScanBoxURL",
        match(query_lower, "(hardwareconcurrency|devicememory|cpuclass)"), "HardwareFingerprintParam",
        match(url_lower, "(\/collect\.php|\/beacon\.php)") AND bytes_sent > 500, "FingerprintExfiltration",
        1==1, "SuspiciousFingerprintURL"
    )
    | fields _time, src, src_user, cs_host, cs_uri_stem, cs_uri_query, cs_method, cs_bytes, RiskIndicator, DetectionBranch
  ]
  [
    search (index=network OR index=firewall) (sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="fortinet:firewall")
        dest_port=161
    | where NOT match(src, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")
    | eval DetectionBranch="ExternalSNMP-HardwareEnum"
    | eval RiskIndicator="ExternalSNMPRequest"
    | eval cs_host=src, dest_host=dest
    | fields _time, src, cs_host, dest_host, dest_port, RiskIndicator, DetectionBranch
  ]
| sort - _time
| table _time, src, src_user, cs_host, cs_uri_stem, cs_uri_query, cs_method, cs_bytes, dest_host, dest_port, RiskIndicator, DetectionBranch

Severity: medium · Confidence: low

Detects hardware reconnaissance via two branches using a multisearch. Branch 1 searches web proxy logs (Blue Coat ProxySG, Cisco WSA, Websense, Zscaler) for POST requests matching ScanBox URL patterns or containing hardware fingerprinting parameters in the query string. Excludes known-legitimate CDN and vendor domains. Branch 2 searches firewall logs (Palo Alto, Cisco ASA, Fortinet) for SNMP requests (UDP/161) originating from external (non-RFC1918) source IPs targeting internal systems. Hardware-specific SNMP MIBs (HOST-RESOURCES-MIB, ENTITY-MIB) provide detailed hardware inventory to any querying party with network access.
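To make the two branches concrete, the following Python re-implements the query's logic and runs it over constructed proxy and firewall records. This is an added example written for this page, not code from the rule, from Splunk, or from any of the listed proxy and firewall vendors. The field names (cs_host, cs_uri_stem, cs_bytes, src, dest, dest_port) follow the query; the hosts, users, byte counts and timestamps are invented. Two details are deliberate: the fingerprint parameter names are lowercase so they actually match the lowercased query string, and the vendor allowlist is anchored to the end of the host so that only the listed domains and their subdomains are excluded (an interpretation of the rule's intent, not something the description states verbatim).

```python
import re

# Patterns transcribed from the SPL query. Because the query lowercases the URL path and the
# query string before matching, every parameter name here must be lowercase as well.
SCANBOX_URL_RE = re.compile(
    r"(/scanbox|/fp\.php|/gate\.php|/collect\.php|/beacon\.php|/hwinfo|/hardware|/stat\.php|/fingerprint)")
KNOWN_SCANBOX_RE = re.compile(r"(/scanbox|/gate\.php|/fp\.php)")
EXFIL_URL_RE = re.compile(r"(/collect\.php|/beacon\.php)")
HW_PARAM_RE = re.compile(
    r"(hardwareconcurrency|devicememory|cpuclass|hardwareinfo|numcores|colordepth|pixeldepth|touchpoints)")
HW_PARAM_STRONG_RE = re.compile(r"(hardwareconcurrency|devicememory|cpuclass)")
# Vendor/CDN allowlist anchored to the host suffix: only the listed domains and their
# subdomains are excluded, so a host such as "microsoft.com.example.test" is still inspected.
ALLOWLIST_RE = re.compile(
    r"(^|\.)(microsoft\.com|office\.com|windows\.com|google\.com|apple\.com|mozilla\.org|amazon\.com|"
    r"amazonaws\.com|akamai\.net|cloudflare\.com|fastly\.net|cdn77\.com|microsoftonline\.com)$")
RFC1918_RE = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")

# Constructed sample events using the field names the query relies on (not real logs).
PROXY_EVENTS = [
    {"_time": 1001, "src": "10.20.30.41", "src_user": "jdoe", "cs_host": "fp.example-bad.test",
     "cs_uri_stem": "/fp.php", "cs_uri_query": "fid=a1b2", "cs_method": "POST", "cs_bytes": 340},
    {"_time": 1002, "src": "10.20.30.42", "src_user": "asmith", "cs_host": "analytics.example.test",
     "cs_uri_stem": "/track", "cs_uri_query": "hardwareConcurrency=8&deviceMemory=8",
     "cs_method": "POST", "cs_bytes": 220},
    {"_time": 1003, "src": "10.20.30.43", "src_user": "bwong", "cs_host": "login.microsoftonline.com",
     "cs_uri_stem": "/collect.php", "cs_uri_query": "", "cs_method": "POST", "cs_bytes": 900},
    {"_time": 1004, "src": "10.20.30.44", "src_user": "clee", "cs_host": "microsoft.com.example.test",
     "cs_uri_stem": "/stat.php", "cs_uri_query": "", "cs_method": "POST", "cs_bytes": 300},
    {"_time": 1005, "src": "10.20.30.45", "src_user": "dkim", "cs_host": "fp.example-bad.test",
     "cs_uri_stem": "/fp.php", "cs_uri_query": "fid=zz", "cs_method": "GET", "cs_bytes": 340},
    {"_time": 1006, "src": "10.20.30.46", "src_user": "eroy", "cs_host": "c2.example.test",
     "cs_uri_stem": "/collect.php", "cs_uri_query": "hwid=1", "cs_method": "POST", "cs_bytes": "-"},
    {"_time": 1007, "src": "10.20.30.47", "src_user": "fgul", "cs_host": "c2.example.test",
     "cs_uri_stem": "/beacon.php", "cs_uri_query": None, "cs_method": "POST", "cs_bytes": 2048},
]
FIREWALL_EVENTS = [
    {"_time": 1008, "src": "203.0.113.7", "dest": "10.0.0.5", "dest_port": 161},
    {"_time": 1009, "src": "10.1.2.3", "dest": "10.0.0.5", "dest_port": 161},
    {"_time": 1010, "src": "198.51.100.9", "dest": "10.0.0.5", "dest_port": 443},
    {"_time": 1011, "src": "172.20.5.5", "dest": "10.0.0.6", "dest_port": 161},
]


def classify_proxy(ev):
    """Branch 1: ScanBox-style POST exfiltration. Returns a result row or None."""
    if ev.get("cs_method") != "POST":
        return None
    url = (ev.get("cs_uri_stem") or "").lower()
    query = (ev.get("cs_uri_query") or "").lower()          # coalesce(cs_uri_query, "")
    try:
        bytes_sent = int(ev.get("cs_bytes"))                 # if(isnum(cs_bytes), cs_bytes, 0)
    except (TypeError, ValueError):
        bytes_sent = 0
    if not (SCANBOX_URL_RE.search(url) or HW_PARAM_RE.search(query)):
        return None
    if bytes_sent <= 100 or ALLOWLIST_RE.search((ev.get("cs_host") or "").lower()):
        return None
    if KNOWN_SCANBOX_RE.search(url):
        risk = "KnownScanBoxURL"
    elif HW_PARAM_STRONG_RE.search(query):
        risk = "HardwareFingerprintParam"
    elif EXFIL_URL_RE.search(url) and bytes_sent > 500:
        risk = "FingerprintExfiltration"
    else:
        risk = "SuspiciousFingerprintURL"
    return {**ev, "RiskIndicator": risk, "DetectionBranch": "ScanBox-POST-Exfiltration"}


def classify_firewall(ev):
    """Branch 2: SNMP (port 161) from a non-RFC1918 source. Returns a result row or None."""
    if str(ev.get("dest_port")) != "161" or RFC1918_RE.match(ev.get("src") or ""):
        return None
    return {**ev, "cs_host": ev["src"], "dest_host": ev["dest"],
            "RiskIndicator": "ExternalSNMPRequest", "DetectionBranch": "ExternalSNMP-HardwareEnum"}


def run_detection(proxy_events, firewall_events):
    """Union both branches like multisearch, then order newest first (sort - _time)."""
    rows = [r for r in map(classify_proxy, proxy_events) if r]
    rows += [r for r in map(classify_firewall, firewall_events) if r]
    return sorted(rows, key=lambda r: r["_time"], reverse=True)


if __name__ == "__main__":
    for row in run_detection(PROXY_EVENTS, FIREWALL_EVENTS):
        print(row["_time"], row["DetectionBranch"], row["RiskIndicator"], row.get("cs_host"))
```

Of the seven proxy records, the allowlisted Microsoft host, the GET request and the POST with a non-numeric byte count drop out; the lookalike host ending in example.test is still scored, which is the point of anchoring the allowlist. On the firewall side only the SNMP query from 203.0.113.7 survives, since the two RFC1918 sources and the port-443 flow are filtered.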

Data Sources

  • Network Traffic: Network Traffic Content
  • Network Traffic: Network Traffic Flow
  • Web Proxy Logs
  • Firewall Logs

Required Sourcetypes

  • bluecoat:proxysg:access:kv
  • cisco:wsa:squid
  • websense:cg:kv
  • zscaler:metadata
  • pan:traffic
  • cisco:asa
  • fortinet:firewall

False Positives & Tuning

  • Analytics platforms (Mixpanel, Amplitude, Heap) performing legitimate device metrics collection via POST requests that superficially match hardware fingerprint patterns
  • Authorized network management systems performing SNMP hardware polling from known NMS subnets — these should be excluded by adding internal scanner IPs to an allowlist
  • Web performance monitoring tools (New Relic Browser, Datadog RUM) collecting device hardware metrics for real user monitoring
  • Security rating services (BitSight, SecurityScorecard, RiskRecon) that perform external scanning which may reach SNMP-exposed assets
  • Partner or vendor organizations performing authorized technical assessments that include hardware inventory enumeration

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hardware Fingerprint Collection and Simulated Exfiltration via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest', 'collect.php', 'hardwareConcurrency', 'deviceMemory'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8888 from powershell.exe. Proxy logs (if present): POST to /collect.php with ?hwid= parameter and JSON body containing hardware parameter names. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  2. Test 2: SNMP Hardware Enumeration via snmpwalk (Linux)

    Expected signal: Linux auditd EXECVE record for snmpwalk with arguments including community string and hardware OIDs. Syslog entries from snmpd if configured to log queries. Network capture (if enabled): UDP packets to port 161 with SNMP GET-NEXT PDUs targeting OID 1.3.6.1.2.1.25.3.2 (hrDeviceType). Firewall/flow logs: UDP/161 connection from initiating host to target.

  3. Test 3: JavaScript Hardware Fingerprint Collection via Browser DevTools Console

    Expected signal: Sysmon Event ID 1: Process Create for msedge.exe or chrome.exe with headless flag. Sysmon Event ID 3: Network Connection attempt from browser process to 127.0.0.1:9999. Sysmon Event ID 11: File Create for df00tech-scanbox-sim.js in TEMP directory. Proxy logs (if present): GET/POST to /fp.php with ?fid= parameter from browser User-Agent.

  4. Test 4: Active Hardware Banner Grabbing via Nmap Service Scripts

    Expected signal: Linux auditd EXECVE record for nmap with service detection and NSE script flags. Syslog: connection attempts to ports 22, 80, 443, 161, 8080 originating from localhost. Network flow logs: multiple short-duration TCP SYN connections from initiating host to target. Any IDS/IPS (Suricata, Snort) will generate alerts for Nmap SYN scan signature (ET SCAN Nmap). File creation: /tmp/df00tech-hw-scan.txt with scan results.

  5. Test 5: Hardware Enumeration via WMI Query Simulation (Windows Endpoint)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with WMI query commands (Get-WmiObject). Sysmon Event ID 11: File Create for df00tech-hwinventory.json in TEMP. Windows Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with full WMI query content. WMI activity log: Microsoft-Windows-WMI-Activity/Operational with WMI queries for Win32_Processor, Win32_BIOS, Win32_BaseBoard.
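The expected signals for Tests 1 and 5 are all keyed to a single powershell.exe process: a Process Create (Event ID 1) whose command line carries the fingerprint or WMI terms, followed by a Network Connection (Event ID 3) or File Create (Event ID 11) from the same process. A practical way to confirm the telemetry arrived is to correlate those Sysmon records by ProcessGuid. The following Python is an added example written for this page, not Atomic Red Team's or this rule's code; the field names follow Sysmon's, while the GUIDs, command lines, paths and timestamps are constructed and the 60-second correlation window is an assumption.

```python
from collections import defaultdict

# Command-line terms named in the Test 1 and Test 5 expected signals, compared case-insensitively.
HW_CMDLINE_TERMS = ("invoke-webrequest", "collect.php", "hardwareconcurrency", "devicememory",
                    "get-wmiobject", "win32_processor", "win32_bios", "win32_baseboard")
INTERESTING_IMAGES = ("powershell.exe", "pwsh.exe")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-style events (EventID 1 = Process Create, 3 = Network Connection,
# 11 = File Create), reduced to the fields the correlation needs. Not real telemetry.
SYSMON_EVENTS = [
    {"EventID": 1, "UtcTime": 100, "ProcessGuid": "{A}", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -NoProfile -Command Invoke-WebRequest -Uri "
                    "http://127.0.0.1:8888/collect.php?hwid=sim -Method POST "
                    "-Body '{\"hardwareConcurrency\":8,\"deviceMemory\":8}'"},
    {"EventID": 3, "UtcTime": 101, "ProcessGuid": "{A}", "Image": PS_IMAGE,
     "DestinationIp": "127.0.0.1", "DestinationPort": 8888},
    # Same process much later: outside the window, so it is not attributed to the finding.
    {"EventID": 3, "UtcTime": 400, "ProcessGuid": "{A}", "Image": PS_IMAGE,
     "DestinationIp": "10.0.0.10", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": 200, "ProcessGuid": "{B}", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -Command Get-WmiObject Win32_Processor; "
                    "Get-WmiObject Win32_BIOS; Get-WmiObject Win32_BaseBoard"},
    {"EventID": 11, "UtcTime": 202, "ProcessGuid": "{B}", "Image": PS_IMAGE,
     "TargetFilename": r"C:\Users\sim\AppData\Local\Temp\df00tech-hwinventory.json"},
    # Benign PowerShell activity: no hardware terms, so it produces no finding.
    {"EventID": 1, "UtcTime": 300, "ProcessGuid": "{C}", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -Command Get-ChildItem C:\\Temp"},
    {"EventID": 3, "UtcTime": 301, "ProcessGuid": "{C}", "Image": PS_IMAGE,
     "DestinationIp": "10.0.0.10", "DestinationPort": 443},
]


def correlate_hw_recon(events, window_seconds=60):
    """Group Sysmon events by ProcessGuid and return one finding per PowerShell process whose
    command line carries hardware-recon terms, with the network connections and file creates
    that the same process produced within window_seconds of its start."""
    by_guid = defaultdict(list)
    for ev in events:
        by_guid[ev["ProcessGuid"]].append(ev)
    findings = []
    for guid, evs in by_guid.items():
        for start in evs:
            if start["EventID"] != 1 or not start["Image"].lower().endswith(INTERESTING_IMAGES):
                continue
            cmd = start["CommandLine"].lower()
            hits = [term for term in HW_CMDLINE_TERMS if term in cmd]
            if not hits:
                continue
            t0, t1 = start["UtcTime"], start["UtcTime"] + window_seconds
            in_window = [e for e in evs if t0 <= e["UtcTime"] <= t1]
            findings.append({
                "ProcessGuid": guid,
                "CommandLineHits": hits,
                "NetworkConnections": [(e["DestinationIp"], e["DestinationPort"])
                                       for e in in_window if e["EventID"] == 3],
                "FilesCreated": [e["TargetFilename"] for e in in_window if e["EventID"] == 11],
            })
    return sorted(findings, key=lambda f: f["ProcessGuid"])


def expected_signal_coverage(findings):
    """Map findings back to the page's Test 1 and Test 5 expected signals."""
    test1 = any("collect.php" in f["CommandLineHits"]
                and ("127.0.0.1", 8888) in f["NetworkConnections"] for f in findings)
    test5 = any("win32_processor" in f["CommandLineHits"]
                and any(p.lower().endswith("df00tech-hwinventory.json") for p in f["FilesCreated"])
                for f in findings)
    return {"Test 1": test1, "Test 5": test5}


if __name__ == "__main__":
    results = correlate_hw_recon(SYSMON_EVENTS)
    for f in results:
        print(f["ProcessGuid"], f["CommandLineHits"], f["NetworkConnections"], f["FilesCreated"])
    print(expected_signal_coverage(results))
```

Process {C} is filtered out because its command line carries none of the terms, and the late connection from {A} falls outside the window, so the Test 1 finding only lists the localhost:8888 connection the expected signal describes. Feeding real Sysmon exports (for example, Event ID 1/3/11 records pulled from Splunk) through the same functions gives a quick pass/fail for whether the endpoint side of each test produced the telemetry this detection expects.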
