Cyber Pulse Academy

MITRE ATT&CK // Reconnaissance

T1592.001 Gather Victim Host Info: Hardware

An adversary silently probes your infrastructure to catalog every physical component: CPU architecture, memory modules, graphics processors, network adapters, storage devices, and hardware identifiers. The result is a complete hardware fingerprint that can be used for targeted exploitation.

// Hardware Enumeration Simulation
HARDWARE FINGERPRINT ASSEMBLED
  • CPU: Intel Xeon E5-2680 v4 @ 2.40GHz
  • RAM: 64 GB DDR4-2400 ECC (4x16GB)
  • GPU: NVIDIA A100 80GB PCIe Gen4
  • NIC: Intel X710-DA2, MAC: AA:BB:CC:11:22:33
  • STORAGE: Samsung PM9A3 3.84TB NVMe
  • TPM: Infineon SLB9670 v2.0, ENABLED
  • SERIAL: SRF-2024-8A3C-D7F1
HARDWARE EXPOSURE RISK: 95 / 100, CRITICAL

Why Hardware Information Gathering Matters

Hardware information gathering lets attackers learn CPU architecture, available RAM, GPU models, network interface cards, peripheral devices, and hardware identifiers including MAC addresses and serial numbers. This intelligence is not merely reconnaissance; it is the foundation upon which targeted, hardware-specific exploits are built. When an adversary understands your exact hardware configuration, they can determine exploit compatibility (for example, whether specific CPU vulnerabilities such as Spectre, Meltdown, or Downfall apply), plan lateral movement paths based on network adapter capabilities, and create hardware-specific implants designed to evade detection on your particular platform. The precision of hardware-aware attacks makes them dramatically more effective than generic exploits, increasing success rates while reducing the attacker's exposure.

  • 800+: Endpoints in a single hospital network found vulnerable to hardware-specific attacks due to unpatched Intel CPU microcode, enabling precise exploit targeting by ransomware groups during active campaigns.
  • 91%: Reduction in hardware information exposure achieved after implementing SNMP hardening, WMI access restrictions, and quarterly hardware inventory audits across a healthcare network's public-facing systems.
  • SB25-335: CISA advisory number identifying NVIDIA DGX Spark hardware vulnerabilities where attackers could tamper with hardware controls, demonstrating real-world consequences of hardware-level reconnaissance in AI infrastructure.
  • 72hrs: Duration that ransomware encrypted patient records across three hospitals after a hardware profiling attack bypassed intrusion detection systems calibrated for different hardware signatures.

Key Terms & Concepts

Simple Definition

Hardware (T1592.001) is a sub-technique of MITRE ATT&CK's Gather Victim Host Information technique (T1592), under the Reconnaissance tactic, in which adversaries methodically collect intelligence about a victim's physical and virtual hardware components, including CPU type and architecture, RAM capacity and speed, storage devices, network adapters, GPU models, peripheral devices, and unique hardware identifiers such as MAC addresses, UUIDs, and serial numbers. This gathered information directly supports the attacker's ability to select hardware-compatible exploits, design targeted implants that will execute reliably on the specific infrastructure, and identify potential lateral movement pathways through known hardware vulnerabilities. Organizations that expose hardware details through management protocols like SNMP, WMI, or IPMI provide adversaries with the precise intelligence needed to craft devastating, hardware-specific attacks that bypass generic security controls.

Everyday Analogy

Think of a car thief who first checks what model, year, and engine type a car has before deciding which lock-picking tools to bring. A 2005 Honda Civic requires completely different techniques than a 2024 Tesla with a digital key system. The thief who knows your exact vehicle configuration can walk up with the perfect tool instead of wasting time fumbling with incompatible equipment, and they can avoid triggering the wrong alarm system. Similarly, an attacker who knows your exact hardware configuration, that you're running Intel Xeon processors vulnerable to the Downfall attack, that your network cards are older Intel I350 models without modern firmware protections, or that your TPM module is a specific version with known quirks, can select the perfect exploit tailored to your infrastructure. This hardware-specific approach dramatically increases their success rate while reducing the noise that typically alerts defenders. Every piece of hardware information an adversary gathers narrows their target profile and sharpens their attack tools.

Real-World Scenario: MedConnect Health Systems

Aisha Patel
Chief Infrastructure Officer, MedConnect Health Systems (2,500 endpoints across 3 hospitals)

Before: Hardware Information Freely Exposed

MedConnect's public-facing systems freely disclosed hardware information through SNMP community strings left at default, unrestricted WMI access, and unfiltered HTTP response headers that leaked server hardware details. A sophisticated ransomware group profiled their hardware over several weeks, discovering that 800 endpoints still ran Intel CPUs affected by the Spoiler speculative execution vulnerability and that 200 older NICs lacked modern firmware protections against MAC flooding and spoofing attacks. The attackers crafted a hardware-specific ransomware variant that precisely targeted the Intel microcode vulnerabilities they had identified. This custom payload bypassed MedConnect's intrusion detection system because the IDS signatures were calibrated for different hardware profiles; on MedConnect's specific hardware, the attack traffic looked like normal system operations. The ransomware encrypted patient records across all three hospitals for 72 hours before the IT team could restore from backups, disrupting patient care and triggering regulatory investigations under HIPAA breach notification requirements.

After: Comprehensive Hardware Security Controls

Following the devastating breach, Aisha Patel implemented a comprehensive hardware information disclosure control program. She disabled SNMP on all internet-facing systems, replacing it with encrypted monitoring protocols. She configured strict WMI access restrictions using Windows Firewall rules and group policies that limited WMI queries to authenticated administrative accounts only. Her team deployed hardware-based security modules (TPM 2.0 and HSMs) across all endpoints for secure boot attestation and hardware integrity verification. She established a quarterly hardware inventory audit using automated discovery tools that identified and flagged any new or changed hardware components. Finally, she implemented HTTP header filtering to strip hardware-identifying information from all public-facing server responses. These measures reduced hardware information exposure by 91% and eliminated the reconnaissance surface that the ransomware group had originally exploited, significantly raising the cost and complexity of any future hardware-targeted attack.

7-Step Hardware Security Hardening Guide

01 Conduct a Hardware Asset Inventory
  • Deploy automated discovery tools (Lansweeper, PDQ Inventory, or open-source alternatives like OCS Inventory) to catalog every hardware component across your network, including CPU models, RAM configurations, GPU installations, NIC models, storage devices, and peripheral equipment.
  • Document hardware serial numbers, firmware versions, and BIOS/UEFI revision levels for every endpoint. Cross-reference against vendor vulnerability databases to identify devices with known hardware-level security flaws.
  • Establish a centralized hardware asset database with automated change detection that alerts your security team whenever new hardware is connected or existing components are modified, replaced, or removed from the network.
02 Disable Hardware Information Disclosure Protocols
  • Disable or restrict SNMP on all internet-facing and DMZ systems. If SNMP monitoring is required, migrate to SNMPv3 with encrypted authentication and authorization, and configure access control lists limiting queries to specific management stations.
  • Strip hardware-identifying information from HTTP response headers (Server, X-Powered-By, X-AspNet-Version) using web server configurations or reverse proxy header filtering rules that prevent external enumeration of your server hardware platform.
  • Disable UPnP (Universal Plug and Play) and SSDP (Simple Service Discovery Protocol) on network perimeters to prevent automated hardware discovery tools from mapping your internal device topology and hardware capabilities from outside the network.
03 Secure Management Interfaces (SNMP, WMI, IPMI)
  • Restrict WMI access using Windows Firewall rules and Group Policy Objects that limit remote WMI connections to specific administrative subnets and authenticated service accounts. Enable WMI activity logging to detect unauthorized hardware enumeration attempts.
  • Segment IPMI/BMC management interfaces onto dedicated management VLANs with strict firewall rules that prevent lateral access from production networks. Change all default IPMI credentials immediately and enable two-factor authentication where supported by your server hardware.
  • Monitor management protocol traffic for anomalous query patterns: large volumes of WMI requests targeting hardware classes (Win32_Processor, Win32_NetworkAdapter, Win32_PhysicalMemory) or systematic SNMP walks of hardware OIDs are strong indicators of adversary reconnaissance activity.
04 Implement Hardware-Based Security (TPM, Secure Boot)
  • Enable TPM 2.0 (Trusted Platform Module) on all supported endpoints and configure it for secure boot attestation. TPM-bound encryption keys ensure that encrypted data remains inaccessible even if storage media is physically removed from the device.
  • Enable UEFI Secure Boot to prevent unauthorized bootloaders, kernel-level rootkits, and hardware-specific malware from executing during the boot process before OS-level security controls are active. This directly mitigates hardware implants designed for specific platforms.
  • Implement measured boot with remote attestation that verifies the integrity of every hardware component and firmware stage during system startup, detecting any unauthorized modifications to hardware firmware, BIOS settings, or boot components.
05 Deploy Network Access Control (NAC)
  • Implement 802.1X network authentication to ensure only authorized hardware devices with known MAC addresses, certificates, or hardware tokens can connect to the network. Unknown devices should be automatically quarantined for inspection before receiving network access.
  • Configure MAC address filtering and port security on all network switches to limit the number of MAC addresses per port, preventing MAC spoofing attacks and unauthorized hardware from gaining network access through legitimate physical connections.
  • Deploy device fingerprinting through your NAC solution that identifies hardware types, models, and configurations at connection time. Flag and investigate any device whose hardware profile does not match the expected baseline for its network segment or user role.
06 Monitor for Hardware Enumeration Attempts
  • Deploy endpoint detection and response (EDR) sensors configured to alert on hardware enumeration commands including wmic cpu get, Get-WmiObject Win32_Processor, lshw, dmidecode, lscpu, and lspci; these are the exact commands adversaries use during T1592.001 reconnaissance.
  • Create detection rules for scripts and tools that query multiple hardware classes in rapid succession. Legitimate administrative tools typically query hardware info infrequently; an automated sweep through CPU, RAM, GPU, NIC, and storage information in a short timeframe is highly suspicious.
  • Monitor network traffic for hardware fingerprinting signatures including unusual SMB/CIFS queries to administrative shares, LDAP queries targeting hardware attributes, and DHCP requests that attempt to enumerate hardware-specific information from network infrastructure devices.
07 Establish a Hardware Lifecycle Management Program
  • Create a formal hardware lifecycle policy that tracks every device from procurement through decommissioning, including firmware version tracking, vulnerability assessment schedules, and mandatory retirement dates for hardware that no longer receives security patches from the vendor.
  • Subscribe to hardware vendor security advisories and CISA alerts to stay informed about newly discovered hardware vulnerabilities affecting your deployed components. Maintain a risk register that maps each hardware model in your inventory to known vulnerabilities and available mitigations.
  • Implement a hardware decommissioning procedure that includes secure data destruction (NIST SP 800-88 guidelines), firmware wiping, and physical destruction or certified recycling of storage media to prevent hardware-level data recovery by adversaries who may have already profiled your equipment.
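Steps 01 and 04 both rely on a central hardware baseline with automated change detection. The following is an added example of the comparison logic such a system runs; it is not Cyber Pulse Academy's code and not the API of any inventory product. Two constructed inventory snapshots (host, then component id, then attributes) are fingerprinted on the attributes that matter for security and diffed into ADDED, REMOVED and CHANGED findings. The host name, serial numbers and firmware strings are placeholders; the component models are taken from the simulation at the top of the page.

```python
"""Hardware baseline comparison with change detection.

Added example for this page, not Cyber Pulse Academy's code and not any
inventory product's API. The inventory layout (host -> component id ->
attributes) and the two snapshots below are constructed; in practice the
snapshots come from your discovery tool's export.
"""
import hashlib
import json
from typing import Dict, List

# Attributes whose silent change is security-relevant: a new serial means a
# swapped part, a new firmware string means a reflash, a new model means a
# replaced or implanted device.
TRACKED_FIELDS = ("class", "model", "serial", "firmware")

Component = Dict[str, str]
Inventory = Dict[str, Dict[str, Component]]  # host -> component id -> attributes


def fingerprint(component: Component) -> str:
    """Stable SHA-256 over the tracked attributes only; other keys are ignored."""
    canonical = json.dumps({f: component.get(f) for f in TRACKED_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_inventories(baseline: Inventory, current: Inventory) -> List[dict]:
    """Report every host/component that was added, removed or altered.

    Hosts are compared by name, components by their stable id (cpu0, nic0, ...).
    For CHANGED findings, detail lists the differing attributes so an analyst
    can tell a firmware update from a physical swap.
    """
    findings: List[dict] = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings.append({"host": host, "component": None, "change": "NEW_HOST", "detail": None})
            continue
        if host not in current:
            findings.append({"host": host, "component": None, "change": "MISSING_HOST", "detail": None})
            continue
        base, cur = baseline[host], current[host]
        for cid in sorted(set(base) | set(cur)):
            if cid not in cur:
                findings.append({"host": host, "component": cid, "change": "REMOVED",
                                 "detail": base[cid].get("model")})
            elif cid not in base:
                findings.append({"host": host, "component": cid, "change": "ADDED",
                                 "detail": cur[cid].get("model")})
            elif fingerprint(base[cid]) != fingerprint(cur[cid]):
                changed = [f for f in TRACKED_FIELDS if base[cid].get(f) != cur[cid].get(f)]
                findings.append({"host": host, "component": cid, "change": "CHANGED",
                                 "detail": changed})
    return findings


# Constructed baseline using the component models from the page's simulation.
# Serial numbers and firmware strings are placeholders.
BASELINE: Inventory = {
    "srv-db-01": {
        "cpu0": {"class": "cpu", "model": "Intel Xeon E5-2680 v4", "serial": "n/a", "firmware": "UCODE-A"},
        "nic0": {"class": "nic", "model": "Intel X710-DA2", "serial": "AA:BB:CC:11:22:33", "firmware": "NVM-A"},
        "disk0": {"class": "storage", "model": "Samsung PM9A3 3.84TB", "serial": "SERIAL-DISK-A", "firmware": "FW-A"},
        "tpm0": {"class": "tpm", "model": "Infineon SLB9670", "serial": "n/a", "firmware": "2.0"},
    }
}

# Constructed current snapshot: NIC reflashed, drive swapped, unknown USB device added.
CURRENT_SNAPSHOT: Inventory = {
    "srv-db-01": {
        "cpu0": BASELINE["srv-db-01"]["cpu0"],
        "nic0": dict(BASELINE["srv-db-01"]["nic0"], firmware="NVM-B"),
        "disk0": dict(BASELINE["srv-db-01"]["disk0"], serial="SERIAL-DISK-B"),
        "tpm0": BASELINE["srv-db-01"]["tpm0"],
        "usb0": {"class": "usb", "model": "Unrecognised HID device", "serial": "n/a", "firmware": "n/a"},
    }
}

if __name__ == "__main__":
    for finding in diff_inventories(BASELINE, CURRENT_SNAPSHOT):
        print(finding)
```

Run daily against the previous snapshot, as the best-practice section below recommends; every CHANGED finding on a serial or firmware attribute should open a ticket, because neither changes through normal operation without a recorded maintenance event.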

Common Mistakes & Best Practices

Common Mistakes
Leaving SNMP on Public-Facing Systems

Running SNMP with default or weak community strings on internet-exposed devices gives attackers a direct channel to enumerate every hardware component (CPU, memory, interfaces, and serial numbers) without triggering any authentication challenges or audit logs.

Ignoring Firmware Vulnerabilities

Focusing security efforts exclusively on software patches while neglecting hardware firmware updates leaves critical attack surfaces open. Vulnerabilities in BIOS, BMC, NIC firmware, and SSD controllers provide persistence mechanisms that survive OS reinstalls and disk wipes.

Allowing Unrestricted WMI Remote Access

Permitting unauthenticated or broadly scoped WMI queries from any network segment enables adversaries to harvest complete hardware profiles of Windows systems, including CPU capabilities, installed GPUs, network adapter models, and TPM status through standard WMI hardware classes.

No Hardware Change Detection

Operating without automated hardware change monitoring means unauthorized devices, hardware implants, or modified components can be introduced into the network and remain undetected indefinitely, silently collecting data or providing persistent backdoor access.

Using Default IPMI Credentials

Leaving IPMI/BMC management interfaces with factory-default usernames and passwords provides attackers full hardware-level management access to servers, including the ability to read hardware inventory, modify BIOS settings, and install firmware-level rootkits.

Best Practices
Implement Defense-in-Depth for Hardware Info

Layer multiple controls including protocol hardening (disable SNMPv1/v2c, restrict WMI), network segmentation (isolate management interfaces), endpoint configuration (enable Secure Boot, TPM), and monitoring (detect enumeration commands) to create overlapping protections against hardware reconnaissance.

Maintain Comprehensive Hardware Baselines

Document the exact hardware configuration of every system in your environment including CPU stepping, RAM specifications, NIC firmware versions, and storage controller models. Compare current state against baselines daily to detect unauthorized hardware modifications or additions.

Encrypt All Management Protocol Traffic

Use SNMPv3 with AES encryption, WinRM with HTTPS instead of unencrypted WMI, and IPMI-over-LAN with TLS to ensure that even if an attacker intercepts management traffic, they cannot read the hardware information being transmitted between systems.

Deploy Hardware Attestation and Integrity Checks

Enable TPM-based remote attestation that cryptographically verifies hardware configurations at boot time. Deploy runtime integrity monitoring tools that detect unauthorized firmware modifications to network cards, storage controllers, and other peripheral devices between reboots.

Conduct Regular Hardware Security Audits

Schedule quarterly audits specifically focused on hardware security posture: verify firmware currency, test SNMP/WMI exposure from external perspectives, review management interface access logs, and validate that hardware change detection systems are functioning and properly tuned.

Red Team vs Blue Team View

Offensive Perspective

Red Team: Hardware as the Key

For the red team, hardware information is the skeleton key that unlocks hardware-specific exploitation paths. Before launching any payload, we methodically enumerate every hardware component to identify the exact attack surface we are facing. Knowing the CPU model tells us which speculative execution vulnerabilities are exploitable. The NIC model reveals whether firmware-level attacks like Silentbob are feasible. GPU information indicates whether GPU-side data exfiltration techniques can bypass network monitoring. The storage controller model determines if firmware-based persistence is achievable. Every hardware detail we collect narrows our exploit selection and increases our probability of success while reducing our operational noise footprint.

  • wmic cpu get Name,Caption,Architecture
  • Get-WmiObject Win32_NetworkAdapter
  • dmidecode -t processor,memory,network
  • lshw -short -class processor,display,network
  • nmap -sU -p 161 --script snmp-hw-info
  • python -c "import psutil; print(psutil.cpu_freq())"
Defensive Perspective

Blue Team: Protecting Hardware Intelligence

The blue team must treat hardware information as sensitive data that requires the same protection as credentials and encryption keys. Our defense strategy focuses on minimizing hardware information exposure through protocol hardening, detecting reconnaissance activity through behavioral analytics, and validating hardware integrity through attestation mechanisms. We deploy honeypots running SNMP and WMI services to detect and profile hardware enumeration attempts in real time. We correlate hardware query patterns across endpoints to identify coordinated reconnaissance campaigns. Most importantly, we maintain continuous hardware baselines that alert us to any unauthorized changes, because hardware modifications are often the precursor to persistent implants that survive traditional remediation.

  • Enable the Windows event log Microsoft-Windows-WMI-Activity/Operational
  • Deploy SNMP honeypots (Canarytokens, Snort)
  • Sysmon Event ID 10 (ProcessAccess) monitoring
  • Configure WMI firewall: restrict to admin VLANs
  • TPM attestation: verify boot measurements
  • EDR rule: alert on dmidecode/wmic hardware queries
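The "TPM attestation: verify boot measurements" item above and step 04 of the hardening guide rest on the PCR extend operation. The following is an added example of what a remote verifier checks; it is not Cyber Pulse Academy's code and not a TPM library. It models the TPM 2.0 SHA-256 PCR bank (PCR_new = SHA256(PCR_old || digest), starting from 32 zero bytes) and applies the two checks a verifier makes: the submitted event log must replay to the PCR in the quote, and that PCR must match the known-good value for the hardware. Firmware stage names and image bytes are constructed; checking the quote's signature against the TPM's attestation key and the verifier's nonce is omitted.

```python
"""Measured boot: replay a boot event log into a PCR and check it.

Added example for this page, not Cyber Pulse Academy's code and not a TPM
library. Models the TPM 2.0 SHA-256 PCR extend operation and the two checks a
remote verifier applies: the event log must replay to the quoted PCR (log
integrity), and the quoted PCR must equal the known-good value (policy).
Stage names and image bytes are constructed. Quote signature and nonce
verification are not modelled.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

PCR_INITIAL = bytes(32)        # SHA-256 bank PCRs start at all zeros
Event = Tuple[str, bytes]      # (stage name, SHA-256 digest of the measured image)


def measure(image: bytes) -> bytes:
    """Digest of a firmware/boot image as the measuring component records it."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend for the SHA-256 bank: hash the old value concatenated with the digest."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events: List[Event]) -> bytes:
    """Recompute the PCR value that the given event log should produce."""
    pcr = PCR_INITIAL
    for _, digest in events:
        pcr = extend(pcr, digest)
    return pcr


def first_divergence(events: List[Event], golden_events: List[Event]) -> Optional[str]:
    """Name the first stage whose measurement differs from the golden log, or None."""
    for (name, digest), (_, golden_digest) in zip(events, golden_events):
        if digest != golden_digest:
            return name
    if len(events) != len(golden_events):
        longer = events if len(events) > len(golden_events) else golden_events
        return longer[min(len(events), len(golden_events))][0]
    return None


def verify_quote(quoted_pcr: bytes, events: List[Event], golden_pcr: bytes) -> Dict[str, bool]:
    """The log must explain the quoted PCR, and the quoted PCR must be a known-good value."""
    return {
        "log_consistent": replay_event_log(events) == quoted_pcr,
        "matches_golden": quoted_pcr == golden_pcr,
    }


# Constructed golden measurements for one server model.
GOLDEN_EVENTS: List[Event] = [
    ("uefi_firmware", measure(b"constructed UEFI image, release A")),
    ("nic_option_rom", measure(b"constructed X710 option ROM, release A")),
    ("bootloader", measure(b"constructed bootloader, release A")),
]
GOLDEN_PCR = replay_event_log(GOLDEN_EVENTS)

# Same machine after its NIC option ROM was rewritten: the log still replays
# to the quoted PCR, but that PCR no longer matches the golden value.
TAMPERED_EVENTS: List[Event] = [
    GOLDEN_EVENTS[0],
    ("nic_option_rom", measure(b"constructed X710 option ROM, modified")),
    GOLDEN_EVENTS[2],
]

if __name__ == "__main__":
    quoted = replay_event_log(TAMPERED_EVENTS)
    print(verify_quote(quoted, TAMPERED_EVENTS, GOLDEN_PCR))
    print("first divergent stage:", first_divergence(TAMPERED_EVENTS, GOLDEN_EVENTS))
```

The two checks are deliberately separate: a log that replays to the quoted value but misses the golden value means the hardware or firmware changed (the case the page's NIC firmware mistake describes), while a quoted value that the log cannot explain means the log itself was tampered with or truncated in transit.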

Threat Hunter's Eye

Threat hunters investigating potential T1592.001 activity should focus on identifying anomalous patterns of hardware information gathering that deviate from normal administrative behavior. The key differentiator between legitimate system management and adversarial reconnaissance is breadth, velocity, and source: attackers tend to query multiple hardware classes across many systems in rapid succession, often from unusual source IPs or user accounts, while legitimate administrators typically target specific systems for specific purposes. Hunt for correlations between hardware enumeration commands and subsequent exploitation attempts, as hardware gathering is almost always a precursor to more targeted attacks.

Pay special attention to hardware queries originating from non-administrative accounts, unusual network segments, or systems outside normal management schedules. Correlate SNMP walk activity targeting hardware OIDs with source IP geolocation to identify potential external reconnaissance. Monitor for scripts (PowerShell, Python, Bash) that programmatically query hardware information; these automation patterns are strong indicators of adversary tooling rather than manual administration. Cross-reference hardware query events with threat intelligence feeds that map specific enumeration patterns to known threat actor methodologies.

  • IOC: Multiple WMIC/Get-WmiObject calls to hardware classes (Win32_Processor, Win32_NetworkAdapter, Win32_PhysicalMemory) from a single host within 5 minutes
  • IOC: SNMP bulk walks (GetBulkRequest) targeting OID branches .1.3.6.1.2.1.1 (system), .1.3.6.1.2.1.2 (interfaces), .1.3.6.1.2.1.25 (hardware) from non-management IPs
  • IOC: SSH sessions from unknown sources executing dmidecode, lshw, lscpu, lspci, lsusb commands in rapid succession across multiple servers
  • IOC: PowerShell scripts using Get-CimInstance or Get-WmiObject querying 3+ hardware classes with -ComputerName parameter targeting multiple remote systems
  • IOC: WMI event subscriptions (EventFilter/Consumer pairs) created to monitor hardware configuration changes, indicating an attacker establishing hardware change awareness
  • IOC: Unusual DHCP Inform requests or LLDP responses querying hardware-specific attributes from endpoints not normally performing network discovery
  • IOC: Process execution of hardware enumeration tools (HWiNFO, CPU-Z, AIDA64, Speccy) on servers or infrastructure systems where they are not typically installed or used
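Added example implementing the breadth-and-velocity rule from step 06 and the first, third and fourth IOCs above (not Cyber Pulse Academy's code and not a rule shipped by any EDR product). It classifies constructed, Sysmon-style process-creation records (timestamp, host, user, command line) by the hardware class they enumerate and flags any host that touches three or more distinct classes within a five-minute window, rating the finding higher when the account is not a known inventory account. Host names, account names and the allow-list are placeholders.

```python
"""Detect hardware-enumeration bursts in process-creation telemetry.

Added example for this page, not Cyber Pulse Academy's code and not a rule
from any EDR product. Records are constructed, Sysmon-style process creation
events. Rule: a host whose processes enumerate >= 3 distinct hardware classes
inside a 5-minute window is flagged; severity is higher when the account is
not a known inventory account. Hosts, users and the allow-list are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str, str]  # (ISO timestamp, host, user, command line)

# Command-line fragments that reveal a hardware class. WMI class names match
# wherever they appear (wmic path ..., Get-WmiObject, Get-CimInstance); wmic
# aliases match only on wmic command lines. Each Linux tool is its own category.
HW_CLASS_PATTERNS = [
    (re.compile(r"win32_processor\b", re.I), "cpu"),
    (re.compile(r"win32_physicalmemory\b", re.I), "ram"),
    (re.compile(r"win32_videocontroller\b", re.I), "gpu"),
    (re.compile(r"win32_networkadapter\b", re.I), "nic"),
    (re.compile(r"win32_diskdrive\b", re.I), "storage"),
    (re.compile(r"win32_tpm\b", re.I), "tpm"),
    (re.compile(r"\bwmic\b.*\bcpu\b", re.I), "cpu"),
    (re.compile(r"\bwmic\b.*\bmemorychip\b", re.I), "ram"),
    (re.compile(r"\bwmic\b.*\bnic\b", re.I), "nic"),
    (re.compile(r"\bwmic\b.*\bdiskdrive\b", re.I), "storage"),
    (re.compile(r"\bdmidecode\b"), "smbios"),
    (re.compile(r"\blscpu\b"), "cpu"),
    (re.compile(r"\blspci\b"), "pci"),
    (re.compile(r"\blshw\b"), "lshw"),
    (re.compile(r"\blsusb\b"), "usb"),
]

# Constructed allow-list: accounts expected to run inventory sweeps.
INVENTORY_ACCOUNTS: Set[str] = {"CORP\\svc-inventory"}


def classify(cmdline: str) -> Set[str]:
    """Return the hardware classes a command line enumerates (empty set if none)."""
    return {cls for pattern, cls in HW_CLASS_PATTERNS if pattern.search(cmdline)}


def detect_bursts(events: List[Event], window: timedelta = timedelta(minutes=5),
                  threshold: int = 3) -> Dict[str, dict]:
    """Flag hosts enumerating >= threshold distinct hardware classes within one window.

    One finding per host, keeping the widest class set seen in any window so
    the analyst sees the whole sweep rather than only its first three hits.
    """
    per_host: Dict[str, List[Tuple[datetime, str, Set[str]]]] = defaultdict(list)
    for ts, host, user, cmd in events:
        classes = classify(cmd)
        if classes:
            per_host[host].append((datetime.fromisoformat(ts), user, classes))

    findings: Dict[str, dict] = {}
    for host, records in per_host.items():
        records.sort(key=lambda r: r[0])
        for i, (t_end, _, _) in enumerate(records):
            in_window = [r for r in records[: i + 1] if r[0] >= t_end - window]
            seen: Set[str] = set().union(*(r[2] for r in in_window))
            if len(seen) < threshold:
                continue
            if host in findings and len(findings[host]["classes"]) >= len(seen):
                continue
            users = sorted({r[1] for r in in_window})
            findings[host] = {
                "classes": sorted(seen),
                "users": users,
                "events": len(in_window),
                "window_end": t_end.isoformat(),
                "severity": "medium" if all(u in INVENTORY_ACCOUNTS for u in users) else "high",
            }
    return findings


# Constructed sample telemetry.
EVENTS: List[Event] = [
    # Four hardware classes from one workstation in 15 seconds: a sweep.
    ("2024-05-01T09:00:05", "ws-042", "CORP\\jdoe", "wmic cpu get Name,Caption,Architecture"),
    ("2024-05-01T09:00:09", "ws-042", "CORP\\jdoe", 'powershell -c "Get-WmiObject Win32_PhysicalMemory"'),
    ("2024-05-01T09:00:14", "ws-042", "CORP\\jdoe", 'powershell -c "Get-CimInstance Win32_NetworkAdapter"'),
    ("2024-05-01T09:00:20", "ws-042", "CORP\\jdoe", "wmic diskdrive get Model,SerialNumber"),
    # Two queries hours apart from the inventory account: routine administration.
    ("2024-05-01T10:15:00", "srv-db-01", "CORP\\svc-inventory", "powershell Get-CimInstance Win32_Processor"),
    ("2024-05-01T14:30:00", "srv-db-01", "CORP\\svc-inventory", "wmic memorychip get Capacity"),
    # Three Linux enumeration tools in seven seconds over SSH.
    ("2024-05-01T11:02:00", "lnx-web-03", "deploy", "dmidecode -t processor"),
    ("2024-05-01T11:02:03", "lnx-web-03", "deploy", "lspci -nn"),
    ("2024-05-01T11:02:07", "lnx-web-03", "deploy", "lsusb"),
    ("2024-05-01T11:05:00", "lnx-web-03", "deploy", "systemctl status nginx"),
]

if __name__ == "__main__":
    for host, finding in detect_bursts(EVENTS).items():
        print(host, finding)
```

Tune the window and threshold against your own inventory tooling's schedule first: an agent that legitimately sweeps every class at once should appear in the allow-list rather than have the threshold raised for everyone, since a low threshold on unexpected accounts is exactly what separates the sweep from routine administration.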

Explore the Full T1592 Attack Surface

Hardware enumeration is just one vector adversaries use to profile victim environments. Explore the complete T1592 technique family to understand how attackers gather comprehensive host intelligence across software, firmware, and client configurations, and build a defense strategy that covers every angle.
