Detect Firmware in Microsoft Sentinel
Adversaries may gather information about a victim's host firmware for use during targeting. Firmware details (type, vendor and version on specific hosts) let an adversary infer the configuration, purpose, age and patch level of machines in the environment. The information is collected externally, through direct elicitation via phishing and OSINT from job postings, assessment reports and purchase invoices, or internally, by running firmware enumeration commands on already-compromised systems during post-exploitation reconnaissance. It then supports firmware-based exploits, UEFI implants (LoJax, MosaicRegressor, CosmicStrand) and supply chain attacks. The detection challenge is significant: external OSINT gathering generates no internal telemetry, so only in-environment enumeration after initial compromise is detectable. Note that ATT&CK scopes T1592.003 to pre-compromise reconnaissance; the same on-host commands run after access also fall under T1082 System Information Discovery, so analytics written for that technique overlap with the query below.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1592 Gather Victim Host Information
- Sub-technique: T1592.003 Firmware
- Canonical reference: https://attack.mitre.org/techniques/T1592/003/
KQL Detection Query

```kql
// Branch 1: WMIC direct firmware class queries (wmic aliases plus the underlying Win32_* class names)
let WmicFirmware = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has_any ("bios", "baseboard", "systemenclosure", "Win32_BIOS", "Win32_BaseBoard", "Win32_SystemEnclosure", "Win32_MotherboardDevice")
| extend EnumerationMethod = "WMIC_Direct";
// Branch 2: PowerShell WMI/CIM firmware class enumeration, or Secure Boot state cmdlets
let PsFirmware = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where (ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi") and
         ProcessCommandLine has_any ("Win32_BIOS", "Win32_BaseBoard", "Win32_SystemEnclosure", "Win32_MotherboardDevice"))
   or ProcessCommandLine has_any ("Confirm-SecureBootUEFI", "Get-SecureBootPolicy", "Get-SecureBootUEFI")
| extend EnumerationMethod = "PowerShell_WMI";
// Branch 3: dedicated firmware inspection or flashing tools, and bcdedit firmware enumeration
let FirmwareTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("flashrom.exe", "fwupdmgr", "dmidecode", "biosdecode", "AfuDos.exe", "AfuWin64.exe", "AfuWinx64.exe", "AmiFlash.exe", "FPT.exe", "fptw64.exe")
   or (FileName =~ "bcdedit.exe" and ProcessCommandLine has "firmware")
| extend EnumerationMethod = "FirmwareTool";
union WmicFirmware, PsFirmware, FirmwareTools
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          EnumerationMethod
| sort by Timestamp desc
```

Detects firmware enumeration on host systems that may indicate an adversary performing reconnaissance after gaining initial access. Three branches are unioned: WMIC direct firmware queries (wmic.exe using the bios, baseboard and systemenclosure aliases or the Win32_BIOS, Win32_BaseBoard, Win32_SystemEnclosure and Win32_MotherboardDevice class names), PowerShell WMI/CIM firmware class enumeration (Get-WmiObject, Get-CimInstance or gwmi against those classes, plus the Secure Boot cmdlets Confirm-SecureBootUEFI, Get-SecureBootPolicy and Get-SecureBootUEFI), and execution of dedicated firmware inspection or flashing tools (flashrom, Intel FPT, AMI AFU utilities, fwupdmgr, dmidecode, and bcdedit /enum firmware). The query focuses on the post-initial-access in-environment reconnaissance phase; external OSINT-based firmware gathering is not detectable through endpoint telemetry. Two limits worth knowing: reads of the HKLM\HARDWARE\DESCRIPTION\System\BIOS registry key (Test 4 below) produce no hit because no branch inspects registry access, and wmic.exe is deprecated and no longer installed by default on current Windows 11 releases, so on those hosts the PowerShell branch has to carry the WMIC cases.
Data Sources
Required Tables
- DeviceProcessEvents (the only table the query reads; Microsoft Defender for Endpoint process telemetry, brought into Sentinel through the Microsoft Defender XDR connector). Command-line visibility depends on this table, so the query yields nothing for hosts without the Defender for Endpoint sensor.
False Positives & Tuning
- IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
- Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
- System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
- Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks
- Security baseline and compliance tools (CIS-CAT, Microsoft Security Compliance Toolkit) verifying Secure Boot enablement, UEFI settings, and firmware versions against hardening benchmarks
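To show how the three branches and the tuning allowlist behave on concrete telemetry, here is an added Python model of the query logic. It is example code written for this page, not part of the original detection package or of Microsoft Sentinel. The rows are constructed DeviceProcessEvents-style records, the `CcmExec.exe` allowlist entry is an assumed SCCM client parent process, and `has` only approximates KQL term matching. It includes the `systemenclosure` wmic alias and shows that a registry read of HKLM\HARDWARE\DESCRIPTION\System\BIOS (Test 4 below) produces no hit.

```python
"""Offline model of the three-branch firmware-enumeration query.

Added example for this page; the rows below are constructed, not real
telemetry, and the allowlisted parent process name is an assumption.
"""
import re
from datetime import datetime, timedelta

# Term lists mirroring the KQL branches (the wmic aliases bios/baseboard/
# systemenclosure plus the underlying Win32_* class names).
WMIC_TERMS = ("bios", "baseboard", "systemenclosure", "Win32_BIOS",
              "Win32_BaseBoard", "Win32_SystemEnclosure", "Win32_MotherboardDevice")
PS_CMDLETS = ("Get-WmiObject", "Get-CimInstance", "gwmi")
PS_CLASSES = ("Win32_BIOS", "Win32_BaseBoard", "Win32_SystemEnclosure",
              "Win32_MotherboardDevice")
PS_SECUREBOOT = ("Confirm-SecureBootUEFI", "Get-SecureBootPolicy", "Get-SecureBootUEFI")
FIRMWARE_TOOLS = {"flashrom.exe", "fwupdmgr", "dmidecode", "biosdecode", "afudos.exe",
                  "afuwin64.exe", "afuwinx64.exe", "amiflash.exe", "fpt.exe", "fptw64.exe"}

_TOKEN = re.compile(r"[a-z0-9_]+")


def _tokens(text):
    return _TOKEN.findall(text.lower())


def has(text, term):
    """Approximate KQL `has`: case-insensitive whole-term match. A term with
    punctuation ('Get-WmiObject') must appear as adjacent tokens, and 'bios'
    does not match inside 'SMBIOSBIOSVersion' or 'Win32_BIOS'."""
    toks, needle = _tokens(text), _tokens(term)
    n = len(needle)
    return n > 0 and any(toks[i:i + n] == needle for i in range(len(toks) - n + 1))


def has_any(text, terms):
    return any(has(text, t) for t in terms)


def classify(event):
    """Return the EnumerationMethod label the KQL union would assign, or None."""
    name = event["FileName"].lower()
    cmd = event["ProcessCommandLine"]
    if name == "wmic.exe" and has_any(cmd, WMIC_TERMS):
        return "WMIC_Direct"
    if name in ("powershell.exe", "pwsh.exe") and (
            (has_any(cmd, PS_CMDLETS) and has_any(cmd, PS_CLASSES))
            or has_any(cmd, PS_SECUREBOOT)):
        return "PowerShell_WMI"
    if name in FIRMWARE_TOOLS or (name == "bcdedit.exe" and has(cmd, "firmware")):
        return "FirmwareTool"
    return None


def run_detection(events, now, allowlist=(), lookback_hours=24):
    """Apply the lookback window, the parent-process tuning allowlist and the
    three branches; newest hit first, like `sort by Timestamp desc`."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for ev in events:
        if now - ev["Timestamp"] > timedelta(hours=lookback_hours):
            continue
        if ev["InitiatingProcessFileName"].lower() in allowed:
            continue  # expected inventory/vendor agent, tuned out
        method = classify(ev)
        if method:
            hits.append({**ev, "EnumerationMethod": method})
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


NOW = datetime(2024, 5, 1, 12, 0)


def _event(hours_ago, file_name, cmdline, parent="cmd.exe"):
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceName": "WS01",
            "AccountName": "jdoe", "FileName": file_name,
            "ProcessCommandLine": cmdline, "InitiatingProcessFileName": parent}


# Constructed sample rows; the comments map them to the tests on this page.
SAMPLE_EVENTS = [
    _event(1, "wmic.exe", "wmic bios get SMBIOSBIOSVersion"),                  # Test 1
    _event(2, "powershell.exe", "powershell -c Get-WmiObject Win32_BIOS"),      # Test 2
    _event(3, "pwsh.exe", 'pwsh -c "Get-CimInstance Win32_BIOS; Confirm-SecureBootUEFI"'),  # Test 3
    _event(4, "powershell.exe",
           r"powershell Get-ItemProperty HKLM:\HARDWARE\DESCRIPTION\System\BIOS"),  # Test 4: no hit
    _event(5, "wmic.exe", "wmic systemenclosure get ChassisTypes"),             # Test 5, 2nd command
    _event(6, "flashrom.exe", "flashrom.exe -p internal -r dump.bin"),
    _event(7, "bcdedit.exe", "bcdedit /enum firmware"),
    _event(8, "wmic.exe", "wmic bios get SerialNumber", parent="CcmExec.exe"),  # assumed SCCM client
    _event(9, "wmic.exe", "wmic computersystem get Model"),                     # no firmware term
    _event(30, "wmic.exe", "wmic baseboard get Product"),                       # outside 24h window
]


def demo(allowlist=("CcmExec.exe",)):
    """Hits for the sample rows with the assumed SCCM parent tuned out."""
    return [(h["ProcessCommandLine"], h["EnumerationMethod"])
            for h in run_detection(SAMPLE_EVENTS, NOW, allowlist)]


if __name__ == "__main__":
    for cmdline, method in demo():
        print(f"{method:15} {cmdline}")
```

The allowlist keys on InitiatingProcessFileName, which the query already projects; in Sentinel the equivalent tuning is a `where InitiatingProcessFileName !in~ (...)` clause fed from a watchlist of inventory and vendor agents, which keeps the suppression reviewable rather than baked into the branch terms.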
Testing Methodology
Validate this detection with the five Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMIC BIOS Firmware Enumeration
Expected signal: Sysmon Event ID 1 (Process Create) with Image=C:\Windows\System32\wbem\WMIC.exe and CommandLine containing 'bios get SMBIOSBIOSVersion'. Security Event ID 4688 if process command-line auditing is enabled. In Microsoft-Windows-WMI-Activity/Operational expect Event ID 5857 for the CIMWin32 provider being loaded; successful synchronous queries are not logged individually in that channel (5858 appears only when the operation fails), so the process command line is the record of which class was queried.
- Test 2: PowerShell WMI Firmware Enumeration via Get-WmiObject
Expected signal: Sysmon Event ID 1 with Image=powershell.exe and CommandLine containing 'Get-WmiObject Win32_BIOS'. PowerShell script block log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with the full command content. WMI-Activity Event ID 5857 for the CIMWin32 provider load if the provider was not already resident.
- Test 3: PowerShell CIM Firmware Enumeration with Secure Boot Status Check
Expected signal: Sysmon Event ID 1 with Image=powershell.exe and CommandLine containing 'Get-CimInstance', 'Win32_BIOS' and 'Confirm-SecureBootUEFI'. PowerShell script block log Event ID 4104. WMI-Activity Event ID 5857 for the provider load. Confirm-SecureBootUEFI requires elevation and a UEFI system; on legacy BIOS hosts it throws, but the process event still fires and the query still matches on the cmdlet name.
- Test 4: Registry-based BIOS Firmware Data Extraction
Expected signal: Sysmon Event ID 1 with Image=powershell.exe and CommandLine containing 'HARDWARE\DESCRIPTION\System\BIOS'. Security Event ID 4663 (Object Access, registry) only if a SACL is configured on that key. PowerShell script block log Event ID 4104 with the full script content. The KQL query above does not fire on this test unless the command line also contains one of the WMI cmdlets, because no branch inspects registry access; treat 4104 or 4663 as the detection surface for this variant.
- Test 5: WMIC Motherboard and System Enclosure Firmware Enumeration
Expected signal: Two Sysmon Event ID 1 records, one for 'wmic baseboard get' and one for 'wmic systemenclosure get'. Security Event ID 4688 for both wmic.exe invocations if process command-line auditing is enabled. WMI-Activity Event ID 5857 for the provider load. The second command uses the wmic alias, so the class name Win32_SystemEnclosure never appears on its command line; the WMIC branch must include the 'systemenclosure' term for it to match.
References (9)
- https://attack.mitre.org/techniques/T1592/003/
- https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://www.kaspersky.com/about/press-releases/2021_mosaicregressor
- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-bios
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-baseboard
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.003/T1592.003.md