Detect Firmware in Splunk
Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include type and versions on specific hosts, which may be used to infer more information about hosts in the environment such as configuration, purpose, age, and patch level. Adversaries gather this information through direct elicitation via phishing, OSINT from job postings, assessment reports, and purchase invoices, or by executing firmware enumeration commands on already-compromised systems during post-exploitation reconnaissance. This intelligence supports subsequent targeting through firmware-based exploits, UEFI implants (LoJax, MosaicRegressor, CosmicStrand), and supply chain attacks. The detection challenge is significant: external OSINT-based firmware gathering generates no internal telemetry; only in-environment enumeration following initial compromise is detectable.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1592 Gather Victim Host Information
- Sub-technique: T1592.003 Firmware
- Canonical reference: https://attack.mitre.org/techniques/T1592/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval WmicFirmware=if(
match(Image, "wmic\.exe$") AND match(CommandLine, "(bios|baseboard|systemenclosure|motherboarddevice)"),
1, 0)
| eval PsFirmware=if(
match(Image, "(powershell|pwsh)\.exe$") AND
match(CommandLine, "(get-wmiobject|get-ciminstance|gwmi)") AND
match(CommandLine, "(win32_bios|win32_baseboard|win32_systemenclosure|win32_motherboarddevice)"),
1, 0)
| eval UefiFirmware=if(
match(Image, "(powershell|pwsh)\.exe$") AND
match(CommandLine, "(confirm-securebootuefi|get-securebootpolicy|get-securebootuefi)"),
1, 0)
| eval FirmwareTool=if(
match(Image, "(flashrom|fwupdmgr|dmidecode|biosdecode|afudos|afuwin|amiflash|fpt\.exe|fptw64)") OR
(match(Image, "bcdedit\.exe$") AND match(CommandLine, "firmware")),
1, 0)
| eval FirmwareEnumScore=WmicFirmware + PsFirmware + UefiFirmware + FirmwareTool
| where FirmwareEnumScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, WmicFirmware, PsFirmware, UefiFirmware, FirmwareTool, FirmwareEnumScore
| sort - _time
Detects firmware enumeration activity using Sysmon Event ID 1 (Process Creation). Evaluates process command lines against four firmware reconnaissance branches: WMIC direct firmware class queries (Win32_BIOS, Win32_BaseBoard), PowerShell WMI-based firmware enumeration (Get-WmiObject, Get-CimInstance against firmware classes), PowerShell UEFI and Secure Boot status queries (Confirm-SecureBootUEFI, Get-SecureBootPolicy), and execution of dedicated firmware tools (flashrom, Intel FPT, AMI AFU, fwupdmgr). The cumulative FirmwareEnumScore supports alert prioritization: a score of 1 warrants routine investigation; higher scores or FirmwareTool=1 warrant immediate escalation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT asset management platforms (SCCM, Lansweeper, PDQ Inventory, ManageEngine AssetExplorer) that regularly inventory hardware and firmware versions across the fleet via scheduled WMI queries
- Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) collecting firmware version data during scheduled authenticated scans to assess BIOS/UEFI patch compliance
- System administrators manually querying firmware versions before hardware refresh cycles, BIOS upgrade projects, or troubleshooting UEFI Secure Boot and TPM configuration issues
- Hardware vendor diagnostic tools (Dell SupportAssist, HP Support Assistant, Lenovo Vantage, Lenovo System Update) that query Win32_BIOS and Win32_BaseBoard during automated health checks
- Security baseline and compliance tools (CIS-CAT, Microsoft Security Compliance Toolkit) verifying Secure Boot enablement, UEFI settings, and firmware versions against hardening benchmarks
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMIC BIOS Firmware Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\wbem\WMIC.exe, CommandLine containing 'bios get SMBIOSBIOSVersion'. Security Event ID 4688 if process command line auditing is enabled. WMI Activity Event ID 5857 or 5860 in Microsoft-Windows-WMI-Activity/Operational log recording Win32_BIOS class query.
- Test 2: PowerShell WMI Firmware Enumeration via Get-WmiObject
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject Win32_BIOS'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with full command content. WMI Activity log entries for Win32_BIOS and Win32_BaseBoard class queries.
- Test 3: PowerShell CIM Firmware Enumeration with Secure Boot Status Check
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance' and 'Win32_BIOS' and 'Confirm-SecureBootUEFI'. PowerShell ScriptBlock Log Event ID 4104. WMI Activity log for CIM query against Win32_BIOS class.
- Test 4: Registry-based BIOS Firmware Data Extraction
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'HARDWARE\DESCRIPTION\System\BIOS'. Security Event ID 4663 (Object Access - registry) if SACL auditing is configured on the BIOS key. PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 5: WMIC Motherboard and System Enclosure Firmware Enumeration
Expected signal: Two Sysmon Event ID 1 records: first for 'wmic baseboard get' and second for 'wmic systemenclosure get'. Security Event ID 4688 records for both wmic.exe invocations if process command line auditing is enabled. WMI Activity log entries for Win32_BaseBoard and Win32_SystemEnclosure class queries.
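The Python below is an added example, not code from the original page or from Atomic Red Team. It re-implements the SPL query's four branches and FirmwareEnumScore as regexes over lowercased Image and CommandLine (with the Secure Boot cmdlet spelled Confirm-SecureBootUEFI and the wmic systemenclosure alias included), applies the prioritization rule from the query description, and adds a parent-image allowlist of the kind the tuning section calls for. It runs over constructed Sysmon Event ID 1 records modelled on the five Atomic tests plus a sanctioned inventory agent, a firmware-tool execution and a benign PowerShell command. The allowlisted agent path is a hypothetical placeholder, and the separately reported registry-key check is an extension the SPL query does not contain; it exists to make visible that the Test 4 command line scores 0 under the four branches as written.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record, using the field names the SPL query tables."""
    host: str
    user: str
    image: str
    command_line: str
    parent_image: str


# Branch 1: wmic.exe with a firmware alias (bios, baseboard, systemenclosure, motherboarddevice)
WMIC_IMAGE = re.compile(r"wmic\.exe$")
WMIC_CLASSES = re.compile(r"(bios|baseboard|systemenclosure|motherboarddevice)")
# Branch 2: PowerShell WMI/CIM cmdlets against firmware classes
PS_IMAGE = re.compile(r"(powershell|pwsh)\.exe$")
PS_CMDLETS = re.compile(r"(get-wmiobject|get-ciminstance|gwmi)")
PS_CLASSES = re.compile(r"(win32_bios|win32_baseboard|win32_systemenclosure|win32_motherboarddevice)")
# Branch 3: PowerShell Secure Boot / UEFI status cmdlets
UEFI_CMDLETS = re.compile(r"(confirm-securebootuefi|get-securebootpolicy|get-securebootuefi)")
# Branch 4: dedicated firmware tools, or bcdedit touching firmware entries
FW_TOOLS = re.compile(r"(flashrom|fwupdmgr|dmidecode|biosdecode|afudos|afuwin|amiflash|fpt\.exe|fptw64)")
BCDEDIT = re.compile(r"bcdedit\.exe$")
# Extension, not in the SPL query: a direct read of the BIOS registry key (Atomic test 4)
REG_BIOS_KEY = re.compile(r"hardware\\description\\system\\bios")


def score_event(ev: ProcessEvent) -> dict:
    """Reproduce the four eval branches and FirmwareEnumScore for one event."""
    image, cmd = ev.image.lower(), ev.command_line.lower()
    wmic = int(bool(WMIC_IMAGE.search(image) and WMIC_CLASSES.search(cmd)))
    ps = int(bool(PS_IMAGE.search(image) and PS_CMDLETS.search(cmd) and PS_CLASSES.search(cmd)))
    uefi = int(bool(PS_IMAGE.search(image) and UEFI_CMDLETS.search(cmd)))
    tool = int(bool(FW_TOOLS.search(image) or (BCDEDIT.search(image) and "firmware" in cmd)))
    return {
        "WmicFirmware": wmic, "PsFirmware": ps, "UefiFirmware": uefi, "FirmwareTool": tool,
        "FirmwareEnumScore": wmic + ps + uefi + tool,
        # Reported separately; it does not feed the query's score.
        "RegistryBiosRead": int(bool(REG_BIOS_KEY.search(cmd))),
    }


# Tuning knob: parent images of sanctioned inventory/vendor tooling. The entry is a
# hypothetical placeholder; populate it from the parents observed in your own fleet.
ALLOWLISTED_PARENTS = {r"c:\program files\exampleinventory\inventoryagent.exe"}


def triage(events: list) -> dict:
    """Apply the score threshold, the parent-image allowlist and the prioritization rule."""
    out = {"investigate": [], "escalate": [], "suppressed": [], "registry_gap": []}
    for ev in events:
        s = score_event(ev)
        if s["FirmwareEnumScore"] == 0:
            if s["RegistryBiosRead"]:
                out["registry_gap"].append(ev)  # missed by the four branches as written
            continue
        if ev.parent_image.lower() in ALLOWLISTED_PARENTS:
            out["suppressed"].append(ev)
            continue
        bucket = "escalate" if s["FirmwareTool"] or s["FirmwareEnumScore"] > 1 else "investigate"
        out[bucket].append(ev)
    return out


# Constructed sample records (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    # Atomic tests 1 to 5
    ProcessEvent("ws01", r"CORP\alice", WMIC, "wmic bios get SMBIOSBIOSVersion", CMD),
    ProcessEvent("ws01", r"CORP\alice", PS, "powershell.exe -Command Get-WmiObject Win32_BIOS", CMD),
    ProcessEvent("ws02", r"CORP\bob", PS,
                 'powershell.exe -Command "Get-CimInstance -ClassName Win32_BIOS; Confirm-SecureBootUEFI"',
                 EXPLORER),
    ProcessEvent("ws02", r"CORP\bob", PS,
                 r"powershell.exe -Command Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'",
                 EXPLORER),
    ProcessEvent("ws03", r"CORP\carol", WMIC, "wmic baseboard get Manufacturer,Product,Version", CMD),
    ProcessEvent("ws03", r"CORP\carol", WMIC, "wmic systemenclosure get Manufacturer,SerialNumber", CMD),
    # Sanctioned inventory agent running the same class query (suppressed by the allowlist)
    ProcessEvent("ws04", r"NT AUTHORITY\SYSTEM", PS, "powershell.exe -Command Get-CimInstance Win32_BaseBoard",
                 r"C:\Program Files\ExampleInventory\InventoryAgent.exe"),
    # Dedicated firmware tool: FirmwareTool=1 escalates regardless of the total score
    ProcessEvent("ws05", r"CORP\dave", r"C:\Temp\fptw64.exe", "fptw64.exe", CMD),
    # Benign PowerShell that touches none of the branches
    ProcessEvent("ws06", r"CORP\erin", PS, "powershell.exe -Command Get-Process", EXPLORER),
]

if __name__ == "__main__":
    for bucket, evs in triage(SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"{bucket:12} {ev.host:5} {ev.image.rsplit(chr(92), 1)[-1]:16} {ev.command_line}")
```

Running it sorts the Atomic commands into four routine investigations (both WMIC tests and the Get-WmiObject test), two escalations (the CIM plus Confirm-SecureBootUEFI test scores 2; the fptw64 execution sets FirmwareTool), one suppressed inventory-agent query, and one registry read that the four branches do not score. Before adding a parent image to the allowlist, confirm it runs from its installed path and is signed by the expected vendor, since an attacker who gains a foothold under a trusted inventory process would inherit the suppression.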
References (9)
- https://attack.mitre.org/techniques/T1592/003/
- https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://www.kaspersky.com/about/press-releases/2021_mosaicregressor
- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-bios
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-baseboard
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.003/T1592.003.md