T1592.003 Elastic Security · Elastic

Detect Firmware in Elastic Security

Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include type and versions on specific hosts, which may be used to infer more information about hosts in the environment such as configuration, purpose, age, and patch level. Adversaries gather this information through direct elicitation via phishing, OSINT from job postings, assessment reports, and purchase invoices, or by executing firmware enumeration commands on already-compromised systems during post-exploitation reconnaissance. This intelligence supports subsequent targeting through firmware-based exploits, UEFI implants (LoJax, MosaicRegressor, CosmicStrand), and supply chain attacks. The detection challenge is significant: external OSINT-based firmware gathering generates no internal telemetry; only in-environment enumeration following initial compromise is detectable.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1592 Gather Victim Host Information
Sub-technique: T1592.003 Firmware
Canonical reference: https://attack.mitre.org/techniques/T1592/003/

Elastic Detection Query

// T1592.003 — Firmware Enumeration
process where process.name : ("wmic.exe", "powershell.exe", "pwsh.exe")
  and process.command_line : (
    "*Win32_BIOS*", "*Win32_BaseBoard*", "*Win32_SystemEnclosure*",
    "*Confirm-SecureBootUEFI*", "*Get-SecureBootPolicy*",
    "*flashrom*", "*dmidecode*", "*biosdecode*"
  )
Severity: medium · Confidence: low

Elastic EQL detection for Firmware (T1592.003). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

Data Sources

Elastic Endpoint Security
Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives & Tuning

  • IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
  • Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
  • System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
  • Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks

Testing Methodology

Validate this detection against the five Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: WMIC BIOS Firmware Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\WMIC.exe, CommandLine containing 'bios get SMBIOSBIOSVersion'. Security Event ID 4688 if process command line auditing is enabled. WMI Activity Event ID 5857 or 5860 in Microsoft-Windows-WMI-Activity/Operational log recording Win32_BIOS class query.

  2. Test 2: PowerShell WMI Firmware Enumeration via Get-WmiObject

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject Win32_BIOS'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with full command content. WMI Activity log entries for Win32_BIOS and Win32_BaseBoard class queries.

  3. Test 3: PowerShell CIM Firmware Enumeration with Secure Boot Status Check

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance' and 'Win32_BIOS' and 'Confirm-SecureBootUEFI'. PowerShell ScriptBlock Log Event ID 4104. WMI Activity log for CIM query against Win32_BIOS class.

  4. Test 4: Registry-based BIOS Firmware Data Extraction

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'HARDWARE\DESCRIPTION\System\BIOS'. Security Event ID 4663 (Object Access - registry) if SACL auditing is configured on the BIOS key. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  5. Test 5: WMIC Motherboard and System Enclosure Firmware Enumeration

    Expected signal: Two Sysmon Event ID 1 records: first for 'wmic baseboard get' and second for 'wmic systemenclosure get'. Security Event ID 4688 records for both wmic.exe invocations if process command line auditing is enabled. WMI Activity log entries for Win32_BaseBoard and Win32_SystemEnclosure class queries.
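To check the EQL rule above against these five tests and the tuning notes offline, here is an added example (not Elastic's code) that replicates the rule's matching logic over constructed ECS-shaped events; it assumes a `make_event` helper, a hypothetical parent-process allowlist for the inventory agents named under False Positives, and an assumed set of WMIC alias patterns, because the command lines in Tests 1 and 5 ("wmic bios get", "wmic baseboard get") never contain the Win32_ class name and so only surface in the WMI Activity events, not in the rule's process.command_line patterns.

```python
# Offline replica of the T1592.003 EQL rule (added example, not Elastic's code).
import fnmatch

PROCESS_NAMES = ("wmic.exe", "powershell.exe", "pwsh.exe")
# Copied from the rule's process.command_line list.
RULE_PATTERNS = (
    "*Win32_BIOS*", "*Win32_BaseBoard*", "*Win32_SystemEnclosure*",
    "*Confirm-SecureBootUEFI*", "*Get-SecureBootPolicy*",
    "*flashrom*", "*dmidecode*", "*biosdecode*",
)
# Assumed extension: WMIC alias spellings used by Tests 1 and 5, which
# never contain the Win32_ class name in the command line.
WMIC_ALIAS_PATTERNS = ("*bios get*", "*baseboard get*", "*systemenclosure get*")
# Assumed parent-process allowlist for the inventory agents listed under
# False Positives; replace with the fleet's real agent binary names.
ALLOWED_PARENTS = {"ccmexec.exe", "lsagent.exe"}

def _like(value, pattern):
    # EQL's ':' on strings is case-insensitive and honours '*' wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def rule_matches(event, patterns=RULE_PATTERNS):
    # Mirrors: process where process.name : (...) and process.command_line : (...)
    if event.get("event", {}).get("category") != "process":
        return False
    proc = event.get("process", {})
    if not any(_like(proc.get("name", ""), p) for p in PROCESS_NAMES):
        return False
    return any(_like(proc.get("command_line", ""), p) for p in patterns)

def alert(event, patterns=RULE_PATTERNS):
    # Rule hit minus the tuning exclusion on the parent process.
    parent = event.get("process", {}).get("parent", {}).get("name", "")
    return rule_matches(event, patterns) and parent.lower() not in ALLOWED_PARENTS

def make_event(name, cmd, parent="cmd.exe"):
    # Builds a constructed ECS process event (sample data, not real telemetry).
    return {"event": {"category": "process"},
            "process": {"name": name, "command_line": cmd, "parent": {"name": parent}}}

# Constructed command lines modelled on the five tests above (sample data).
TEST1 = make_event("WMIC.exe", "wmic bios get SMBIOSBIOSVersion")
TEST2 = make_event("powershell.exe", "powershell -c Get-WmiObject Win32_BIOS")
TEST3 = make_event("pwsh.exe", "pwsh -c Get-CimInstance Win32_BIOS; Confirm-SecureBootUEFI")
TEST4 = make_event("powershell.exe", r"powershell Get-ItemProperty HKLM:\HARDWARE\DESCRIPTION\System\BIOS")
TEST5 = make_event("WMIC.exe", "wmic baseboard get Manufacturer,Product")
BENIGN = make_event("powershell.exe", "powershell Get-WmiObject Win32_BIOS", parent="CcmExec.exe")
```

Only Tests 2 and 3 fire the rule as written; Tests 1, 4 and 5 rely on the WMI Activity, registry SACL or ScriptBlock telemetry listed in their expected signals unless the command-line patterns are extended.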
