T1592.003 Firmware Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Branch 1: WMIC direct firmware class queries
let WmicFirmware = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has_any ("bios", "baseboard", "Win32_BIOS", "Win32_BaseBoard", "Win32_SystemEnclosure", "Win32_MotherboardDevice")
| extend EnumerationMethod = "WMIC_Direct";
// Branch 2: PowerShell WMI firmware class enumeration
let PsFirmware = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where (ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi") and
         ProcessCommandLine has_any ("Win32_BIOS", "Win32_BaseBoard", "Win32_SystemEnclosure", "Win32_MotherboardDevice"))
    or ProcessCommandLine has_any ("Confirm-SecureBootUEFI", "Get-SecureBootPolicy", "Get-SecureBootUEFI")
| extend EnumerationMethod = "PowerShell_WMI";
// Branch 3: Dedicated firmware inspection or flashing tools
let FirmwareTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("flashrom.exe", "fwupdmgr", "dmidecode", "biosdecode", "AfuDos.exe", "AfuWin64.exe", "AfuWinx64.exe", "AmiFlash.exe", "FPT.exe", "fptw64.exe")
    or (FileName =~ "bcdedit.exe" and ProcessCommandLine has "firmware")
| extend EnumerationMethod = "FirmwareTool";
union WmicFirmware, PsFirmware, FirmwareTools
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         EnumerationMethod
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks
Security baseline and compliance tools (CIS-CAT, Microsoft Security Compliance Toolkit) verifying Secure Boot enablement, UEFI settings, and firmware versions against hardening benchmarks

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval WmicFirmware=if(
    match(Image, "wmic\.exe$") AND match(CommandLine, "(bios|baseboard|win32_bios|win32_baseboard|win32_systemenclosure|motherboarddevice)"),
    1, 0)
| eval PsFirmware=if(
    match(Image, "(powershell|pwsh)\.exe$") AND
    match(CommandLine, "(get-wmiobject|get-ciminstance|gwmi)") AND
    match(CommandLine, "(win32_bios|win32_baseboard|win32_systemenclosure|win32_motherboarddevice)"),
    1, 0)
| eval UefiFirmware=if(
    match(Image, "(powershell|pwsh)\.exe$") AND
    match(CommandLine, "(confirm-securebootefi|get-securebootpolicy|get-securebootuefi)"),
    1, 0)
| eval FirmwareTool=if(
    match(Image, "(flashrom|fwupdmgr|dmidecode|biosdecode|afudos|afuwin|amiflash|fpt\.exe|fptw64)") OR
    (match(Image, "bcdedit\.exe$") AND match(CommandLine, "firmware")),
    1, 0)
| eval FirmwareEnumScore=WmicFirmware + PsFirmware + UefiFirmware + FirmwareTool
| where FirmwareEnumScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, WmicFirmware, PsFirmware, UefiFirmware, FirmwareTool, FirmwareEnumScore
| sort - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks
Security baseline and compliance tools (CIS-CAT, Microsoft Security Compliance Toolkit) verifying Secure Boot enablement, UEFI settings, and firmware versions against hardening benchmarks

Elastic Security (EQL)

eql

// T1592.003 — Firmware Enumeration
process where process.name : ("wmic.exe", "powershell.exe", "pwsh.exe")
  and process.command_line : (
    "*Win32_BIOS*", "*Win32_BaseBoard*", "*Win32_SystemEnclosure*",
    "*Confirm-SecureBootUEFI*", "*Get-SecureBootPolicy*",
    "*flashrom*", "*dmidecode*", "*biosdecode*"
  )

medium severity low confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("CommandLine") ILIKE '%win32_bios%' OR LOWER("CommandLine") ILIKE '%win32_baseboard%' OR LOWER("CommandLine") ILIKE '%confirm-securebootefi%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("CommandLine") ILIKE '%win32_bios%' OR LOWER("CommandLine") ILIKE '%win32_baseboard%' OR LOWER("CommandLine") ILIKE '%confirm-securebootefi%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks

Google Chronicle / SecOps

yaral

rule t1592_003_firmware {
  meta:
    author = "df00tech"
    description = "Detects Firmware (T1592.003)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1592.003"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1592.003 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1592.003 - OSINTTool";
    * => TechniqueLabel := "T1592.003 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks

Firmware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections