title: Hardware (T1592.001)
id: df00tech-t1592-001
status: experimental
description: "Adversaries may gather information about the victim's host hardware that can be used during targeting. Hardware details may include types and versions of specific hosts, as well as the presence of additional defensive components such as smart card readers, biometric authentication hardware, TPM chips, and dedicated encryption co-processors. Adversaries gather this information via direct Active Scanning (ex: banner grabbing, SNMP enumeration), Phishing for Information, or by compromising third-party websites and deploying malicious JavaScript reconnaissance frameworks (such as ScanBox) that silently collect host hardware telemetry from visiting users. Hardware information may also be passively harvested from publicly accessible sources including job postings listing specific hardware requirements, LinkedIn profiles, assessment reports, equipment purchase invoices, and network topology diagrams. Collected hardware intelligence enables adversaries to tailor exploits for specific processor architectures, identify hardware vulnerabilities (e.g., Spectre/Meltdown variants), plan hardware supply chain attack opportunities (T1195.003), and understand the physical security posture of the target — including whether hardware-based authentication is in use."
references:
  - https://attack.mitre.org/techniques/T1592/001/
  - https://df00tech.com/detections/T1592.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1592.001
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# Sysmon Event ID 3 (network_connection) only records connections the monitored
# host takes part in, so an adversary's SNMP sweep is seen one target at a time;
# a network sensor (firewall or Zeek conn logs) sees the whole sweep. If you move
# the rule there, change the category/product and keep the port logic below.
logsource:
  category: network_connection
  product: windows
detection:
  # The original auto-translation failed (the vendor KQL/SPL query is on df00tech);
  # the selection below is an editor-supplied starting point for the one case in
  # the description that this logsource can observe: SNMP (UDP/161) traffic to or
  # from the host that does not originate from an authorized scanner or NMS.
  # The CIDR list is a placeholder (RFC 5737 documentation range); replace it with
  # your vulnerability-scanner and NMS source ranges.
  selection:
    Protocol: udp
    DestinationPort: 161
  filter_known_scanners:
    SourceIp|cidr:
      - '192.0.2.0/24'
  condition: selection and not filter_known_scanners
falsepositives:
  - "Product analytics and session-replay platforms (Mixpanel, Amplitude, Heap, FullStory) that legitimately collect browser device metrics such as screen resolution, navigator.hardwareConcurrency and navigator.deviceMemory for UX analytics"
  - "Authorized vulnerability management tools (Qualys VMDR, Rapid7 InsightVM, Tenable Nessus) performing scheduled asset inventory scans, including SNMP hardware enumeration, from known scanner IPs; keep those ranges in the filter"
  - "Feature-detection libraries (Modernizr, feature-detective.js) that probe browser hardware capabilities for progressive enhancement and responsive design decisions"
  - "Internal IT asset management and network management systems polling SNMP for hardware inventory or capacity planning, typically from known NMS IP ranges"
  - "Real user monitoring agents (New Relic Browser, Datadog RUM, Dynatrace) and CDN performance tooling that report device and hardware metrics as part of RUM"
level: medium
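The SNMP-enumeration case that the description and the false-positive list discuss can be checked end to end with a few synthetic events: apply the "UDP to port 161, unless the source is an allowlisted scanner" logic to Sysmon Event ID 3 records, then collapse per-event hits into sources that walked several hosts, which is what separates a sweep from one stray query. This is an added editor example, not the df00tech rule or its vendor query; the records are constructed, and KNOWN_SCANNER_NETS is an assumed placeholder for the NMS and vulnerability-scanner ranges an environment would actually maintain.

```python
"""
Reference evaluation of the T1592.001 SNMP-enumeration case over constructed
Sysmon Event ID 3 (network_connection) records.

Added example, not the df00tech rule or its vendor query. The records are
constructed; KNOWN_SCANNER_NETS is an assumed placeholder allowlist.
"""
import ipaddress
from collections import defaultdict

# Assumed allowlist (RFC 5737 / private placeholders): replace with the source
# ranges of your Qualys/Nessus/InsightVM scanners and your NMS.
KNOWN_SCANNER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.99.0.0/24"),
]

SNMP_PORT = 161

# Constructed records, using the Sigma network_connection field names.
SAMPLE_EVENTS = [
    # Scheduled inventory poll from the NMS range: expected, suppressed by the allowlist.
    {"EventID": 3, "Protocol": "udp", "Initiated": False, "SourceIp": "192.0.2.10",
     "DestinationIp": "10.20.30.5", "DestinationPort": 161, "Image": "System"},
    # The same unknown source probing UDP/161 on three different hosts: a sweep.
    {"EventID": 3, "Protocol": "udp", "Initiated": False, "SourceIp": "198.51.100.77",
     "DestinationIp": "10.20.30.5", "DestinationPort": 161, "Image": "System"},
    {"EventID": 3, "Protocol": "udp", "Initiated": False, "SourceIp": "198.51.100.77",
     "DestinationIp": "10.20.30.6", "DestinationPort": 161, "Image": "System"},
    {"EventID": 3, "Protocol": "udp", "Initiated": False, "SourceIp": "198.51.100.77",
     "DestinationIp": "10.20.30.7", "DestinationPort": 161, "Image": "System"},
    # Ordinary HTTPS from the workstation: outside the selection.
    {"EventID": 3, "Protocol": "tcp", "Initiated": True, "SourceIp": "10.20.30.5",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443,
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    # The workstation itself querying the gateway over SNMP from a temp-dir binary: one hit.
    {"EventID": 3, "Protocol": "udp", "Initiated": True, "SourceIp": "10.20.30.5",
     "DestinationIp": "10.20.30.1", "DestinationPort": 161,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\snmpwalk.exe"},
]


def is_known_scanner(ip: str) -> bool:
    """True when ip falls inside an allowlisted scanner/NMS range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SCANNER_NETS)


def matches_rule(event: dict) -> bool:
    """selection (UDP to port 161) and not filter_known_scanners (allowlisted SourceIp)."""
    selection = (event.get("Protocol", "").lower() == "udp"
                 and int(event.get("DestinationPort", 0)) == SNMP_PORT)
    if not selection:
        return False
    return not is_known_scanner(event.get("SourceIp", "0.0.0.0"))


def evaluate(events: list[dict]) -> list[dict]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


def sweep_sources(events: list[dict], min_targets: int = 3) -> dict[str, int]:
    """Collapse per-event hits into sources that touched >= min_targets distinct hosts.

    A single SNMP query from an unknown address is usually noise; the same address
    walking many hosts is the enumeration pattern the technique describes.
    """
    targets = defaultdict(set)
    for e in evaluate(events):
        targets[e["SourceIp"]].add(e["DestinationIp"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"hit: {hit['SourceIp']} -> {hit['DestinationIp']}:{hit['DestinationPort']} ({hit['Image']})")
    print("sweeps:", sweep_sources(SAMPLE_EVENTS))
```

Note that the per-event rule fires on the single outbound query from the workstation as well as on the external sweep; on a host whose own Image is a temp-directory snmpwalk that is a useful hit, while the sweep aggregation is what you would use when the logsource is moved to a network sensor and one external address produces hundreds of single-target events.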
