Detect Hardware in Sumo Logic CSE
Adversaries may gather information about the victim's host hardware that can be used during targeting. Hardware details may include types and versions of specific hosts, as well as the presence of additional defensive components such as smart card readers, biometric authentication hardware, TPM chips, and dedicated encryption co-processors. Adversaries gather this information via direct Active Scanning (ex: banner grabbing, SNMP enumeration), Phishing for Information, or by compromising third-party websites and deploying malicious JavaScript reconnaissance frameworks (such as ScanBox) that silently collect host hardware telemetry from visiting users. Hardware information may also be passively harvested from publicly accessible sources including job postings listing specific hardware requirements, LinkedIn profiles, assessment reports, equipment purchase invoices, and network topology diagrams. Collected hardware intelligence enables adversaries to tailor exploits for specific processor architectures, identify hardware vulnerabilities (e.g., Spectre/Meltdown variants), plan hardware supply chain attack opportunities (T1195.003), and understand the physical security posture of the target — including whether hardware-based authentication is in use.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1592 Gather Victim Host Information
- Sub-technique: T1592.001 Hardware
- Canonical reference: https://attack.mitre.org/techniques/T1592/001/
Sumo Detection Query
```sumo
// Firewall or network-device logs, matched by a wildcard _sourceCategory path
_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
// SNMP (UDP/161) is the hardware-enumeration channel this rule watches
| where dest_port = 161
// Keep only sources outside RFC 1918 space. isPrivateIP covers 10/8, 172.16/12 and 192.168/16;
// the earlier wildcard list "10.*", "192.168.*", "172.16.*" missed 172.17.0.0 through 172.31.255.255
| where !isPrivateIP(src_ip)
| count by src_ip, dest_ip
| if(_count > 5, "High", if(_count > 2, "Medium", "Low")) as RiskScore
```
Sumo Logic detection for Hardware (T1592.001). It filters on a wildcard _sourceCategory path so it works under different log-routing conventions, extracts fields with json auto, keeps SNMP (UDP/161) traffic whose source address is outside RFC 1918 space, and counts events per source/destination pair so that repeated polling of one device from a single external host stands out; the nested if() maps that count to a RiskScore. Designed for the Sumo Logic Cloud SIEM platform.
Data Sources
Required Tables
False Positives & Tuning
- Analytics and telemetry platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics including screen resolution, hardware concurrency, and device memory for UX analytics
- Authorized vulnerability management tools (Qualys, Rapid7 InsightVM, Tenable Nessus, Qualys VMDR) performing scheduled asset inventory scans including SNMP hardware enumeration from known scanner IPs
- Web application performance monitoring frameworks (Modernizr, feature-detective.js) that detect browser hardware capabilities for progressive enhancement and responsive design decisions
- Internal IT asset management systems performing SNMP polling for hardware inventory, network management, or capacity planning — typically from known NMS IP ranges
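To show what the detection query and the tuning list above amount to when run outside Sumo Logic, here is an added Python example (not part of the original page and not Sumo Logic code) that applies the same logic to constructed firewall log lines: parse each line as JSON, keep SNMP (port 161) events whose source is outside RFC 1918 space, drop an allowlist of authorized scanner and NMS addresses (a hypothetical list standing in for the vulnerability-management and asset-management sources named in the tuning notes), count per source/destination pair and score with the query's thresholds. It checks 172.16.0.0/12 as a network rather than the "172.16.*" wildcard, which only covers 172.16.0.0/16; all addresses and log lines are constructed.

```python
import ipaddress
import json
from collections import Counter

# RFC 1918 ranges the query intends to exclude. Using networks rather than
# string prefixes covers all of 172.16.0.0/12, not just 172.16.x.x.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allowlist of authorized scanner / NMS sources (constructed values).
ALLOWED_SCANNERS = {"192.0.2.33"}


def _event(src, dst, port):
    """Build one constructed firewall log line in the JSON shape `json auto` would parse."""
    return json.dumps({"src_ip": src, "dest_ip": dst, "dest_port": port,
                       "proto": "udp" if port == 161 else "tcp"})


# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = (
    [_event("203.0.113.10", "198.51.100.5", 161)] * 6   # external host polling one target 6 times -> High
    + [_event("203.0.113.77", "198.51.100.9", 161)] * 3  # 3 polls -> Medium
    + [_event("172.20.4.8", "198.51.100.9", 161)]        # inside 172.16.0.0/12, excluded as internal
    + [_event("192.0.2.33", "198.51.100.9", 161)] * 4    # allowlisted scanner, excluded by tuning
    + [_event("203.0.113.10", "198.51.100.5", 443)]      # not SNMP, ignored
    + ["<134>Jan 1 00:00:00 fw1 link up"]                # non-JSON line: json auto yields no fields
)


def is_rfc1918(ip):
    """True if ip is a valid IP address inside one of the RFC 1918 networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def risk_score(count):
    """Same thresholds as the query's nested if(): >5 High, >2 Medium, else Low."""
    if count > 5:
        return "High"
    if count > 2:
        return "Medium"
    return "Low"


def detect_external_snmp(lines, allowlist=ALLOWED_SCANNERS):
    """Return {(src_ip, dest_ip): (count, RiskScore)} for SNMP traffic from
    non-private, non-allowlisted sources."""
    pairs = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # mirrors json auto: a non-JSON line carries no fields
        if not isinstance(ev, dict) or str(ev.get("dest_port")) != "161":
            continue  # field extraction may deliver the port as "161" rather than 161
        src = ev.get("src_ip", "")
        if is_rfc1918(src) or src in allowlist:
            continue
        pairs[(src, ev.get("dest_ip"))] += 1
    return {pair: (n, risk_score(n)) for pair, n in pairs.items()}


if __name__ == "__main__":
    for (src, dst), (n, score) in detect_external_snmp(SAMPLE_LOGS).items():
        print(f"{src} -> {dst}: {n} SNMP queries, RiskScore={score}")
```

On the sample data only the two external hosts survive: one scores High and one Medium, while the 172.20.x.x source and the allowlisted scanner are dropped before aggregation. Maintaining that allowlist from the scanner and NMS ranges in the tuning list is what keeps the scheduled inventory scans from dominating the results.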
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Hardware Fingerprint Collection and Simulated Exfiltration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest', 'collect.php', 'hardwareConcurrency', 'deviceMemory'. Sysmon Event ID 3: Network Connection to 127.0.0.1:8888 from powershell.exe. Proxy logs (if present): POST to /collect.php with ?hwid= parameter and JSON body containing hardware parameter names. PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 2: SNMP Hardware Enumeration via snmpwalk (Linux)
Expected signal: Linux auditd EXECVE record for snmpwalk with arguments including community string and hardware OIDs. Syslog entries from snmpd if configured to log queries. Network capture (if enabled): UDP packets to port 161 with SNMP GET-NEXT PDUs targeting OID 1.3.6.1.2.1.25.3.2 (hrDeviceType). Firewall/flow logs: UDP/161 connection from initiating host to target.
- Test 3: JavaScript Hardware Fingerprint Collection via Browser DevTools Console
Expected signal: Sysmon Event ID 1: Process Create for msedge.exe or chrome.exe with headless flag. Sysmon Event ID 3: Network Connection attempt from browser process to 127.0.0.1:9999. Sysmon Event ID 11: File Create for df00tech-scanbox-sim.js in TEMP directory. Proxy logs (if present): GET/POST to /fp.php with ?fid= parameter from browser User-Agent.
- Test 4: Active Hardware Banner Grabbing via Nmap Service Scripts
Expected signal: Linux auditd EXECVE record for nmap with service detection and NSE script flags. Syslog: connection attempts to ports 22, 80, 443, 161, 8080 originating from localhost. Network flow logs: multiple short-duration TCP SYN connections from initiating host to target. Any IDS/IPS (Suricata, Snort) will generate alerts for Nmap SYN scan signature (ET SCAN Nmap). File creation: /tmp/df00tech-hw-scan.txt with scan results.
- Test 5: Hardware Enumeration via WMI Query Simulation (Windows Endpoint)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with WMI query commands (Get-WmiObject). Sysmon Event ID 11: File Create for df00tech-hwinventory.json in TEMP. Windows Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 with full WMI query content. WMI activity log: Microsoft-Windows-WMI-Activity/Operational with WMI queries for Win32_Processor, Win32_BIOS, Win32_BaseBoard.
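For the endpoint-side tests (Tests 1 and 5) the expected signals are PowerShell process-creation and ScriptBlock events. The following Python is an added example, not from the page and not an Atomic Red Team artifact, showing how a detection engineer might encode those signals as a matcher over constructed Sysmon Event ID 1 and PowerShell Event ID 4104 records: it flags a PowerShell command line or script block that queries two or more of the hardware WMI classes named above, or that references the browser fingerprint field names (hardwareConcurrency, deviceMemory) together with a web-request cmdlet. The Image, CommandLine and ScriptBlockText field names follow the Sysmon and PowerShell log schemas; the sample records, including the localhost collector URL and file name taken from the test descriptions, are constructed.

```python
import re

# Hardware-inventory WMI classes and browser fingerprint field names named in the test signals.
HW_WMI_CLASSES = ("Win32_Processor", "Win32_BIOS", "Win32_BaseBoard")
FINGERPRINT_TERMS = ("hardwareConcurrency", "deviceMemory")
WEB_CMDLETS = re.compile(r"Invoke-WebRequest|Invoke-RestMethod", re.I)

# Constructed sample events (Sysmon Event ID 1 and PowerShell Event ID 4104), not real telemetry.
SAMPLE_EVENTS = [
    {   # Test 5 style: several hardware classes queried from one PowerShell command line
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_Processor; Get-WmiObject Win32_BIOS; '
                       'Get-WmiObject Win32_BaseBoard | ConvertTo-Json | Out-File $env:TEMP\\df00tech-hwinventory.json"',
    },
    {   # routine admin query touching one non-hardware class: should not fire
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_OperatingSystem | Select-Object Caption"',
    },
    {   # Test 1 style: script block posting fingerprint field names to the local collector
        "EventID": 4104,
        "ScriptBlockText": "$hw = @{ hardwareConcurrency = 8; deviceMemory = 16 }\n"
                           "Invoke-WebRequest -Uri 'http://127.0.0.1:8888/collect.php?hwid=test' "
                           "-Method POST -Body ($hw | ConvertTo-Json)",
    },
    {   # non-PowerShell process create: outside the scope of these two rules
        "EventID": 1,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": "chrome.exe --headless https://example.invalid/",
    },
]


def _text(ev):
    """Concatenate the fields that carry command content for EID 1 and EID 4104 records."""
    return " ".join(ev.get(k, "") for k in ("CommandLine", "ScriptBlockText"))


def match_hardware_enumeration(events):
    """Return one finding per event matching the WMI-inventory or fingerprint-exfil pattern."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in (1, 4104):
            continue
        # EID 1 is only interesting here when the image is PowerShell; EID 4104 is PowerShell by definition
        if eid == 1 and not ev.get("Image", "").lower().endswith("powershell.exe"):
            continue
        text = _text(ev)
        classes = [c for c in HW_WMI_CLASSES
                   if re.search(r"\b" + re.escape(c) + r"\b", text, re.I)]
        if len(classes) >= 2:
            findings.append({"event_id": eid, "rule": "wmi_hardware_inventory", "classes": classes})
            continue
        terms = [t for t in FINGERPRINT_TERMS if t.lower() in text.lower()]
        if terms and WEB_CMDLETS.search(text):
            findings.append({"event_id": eid, "rule": "fingerprint_exfil", "terms": terms})
    return findings


if __name__ == "__main__":
    for f in match_hardware_enumeration(SAMPLE_EVENTS):
        print(f)
```

Requiring two or more hardware classes in one command is what keeps a one-off Get-WmiObject Win32_OperatingSystem from routine administration out of the results, while the fingerprint rule needs both a field name and a web-request cmdlet so that a script merely reading core counts is not flagged on its own.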
References (8)
- https://attack.mitre.org/techniques/T1592/001/
- https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
- https://threatconnect.com/blog/infrastructure-research-hunting/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a
- https://www.sans.org/reading-room/whitepapers/detection/passive-active-reconnaissance-38013
- https://nmap.org/nsedoc/scripts/snmp-info.html
- https://oidref.com/1.3.6.1.2.1.25.3.2