title: Compromise Hardware Supply Chain (T1195.003)
id: df00tech-t1195-003
status: experimental
description: "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices such as servers, workstations, network infrastructure, or peripherals. Real-world examples include UEFI firmware implants (LoJax, CosmicStrand, BlackLotus), compromised network interface card firmware (Equation Group capabilities), and server baseboard management controller (BMC) implants. Detection is inherently constrained because the compromise predates the device's arrival, often manifesting as unexpected kernel-mode drivers, firmware modification activity, anomalous out-of-band management traffic, or covert network channels established through compromised NIC or BMC firmware. Defenders should focus on firmware integrity monitoring, hardware inventory baselining, driver signing verification, and anomalous network activity from system-level processes."
references:
  - https://attack.mitre.org/techniques/T1195/003/
  - https://df00tech.com/detections/T1195.003
author: df00tech
date: 2026/04/18
tags:
  - attack.t1195.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the wildcard 'EventID: *' matches every
  # process_creation event, so the rule must be replaced with the real query before
  # it is deployed at level critical.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Hardware vendor management software (Dell SupportAssist, HP Support Assistant, Lenovo Vantage) legitimately executes firmware flash utilities and installs drivers during scheduled updates — filter by known vendor parent processes and scheduled maintenance windows"
  - "Windows Update and Windows Driver Framework (drvinst.exe, setuphost.exe, TrustedInstaller.exe) legitimately create PCI registry keys and install drivers during OS updates — these processes are explicitly excluded but verify parent process chains"
  - "IT administrators running firmware audit tools (chipsec, flashrom in read-only mode, MEInfo) for inventory or security assessments — coordinate with asset management teams to identify authorized audit activity"
  - "New hardware installations (RAM, PCIe NIC, GPU, storage controllers) added by IT staff post-deployment legitimately trigger PCI device registration events — correlate with IT change tickets"
  - "Pre-production hardware validation labs where firmware is legitimately flashed as part of manufacturing QA processes — these environments may need separate detection policies"
  - "Third-party hardware management agents (Dell OMSA, HPE iLO Amplifier, Lenovo XClarity) may load drivers from non-standard installation paths during their own setup procedures"
level: critical
