T1495

Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. Real-world examples include TrickBot's 'Trickboot' module (2020), which can write or erase UEFI/BIOS firmware of a compromised device, and Bad Rabbit ransomware, which installed a modified bootloader to prevent normal boot-up. Firmware corruption often results in permanent hardware denial-of-availability and may be combined with data destruction for maximum impact.

Microsoft Sentinel / Defender

kusto

let FirmwareToolNames = dynamic([
  "rw.exe", "rw64.exe", "rweverything.exe",
  "chipsec.exe", "chipsec_main.exe",
  "flashrom.exe",
  "fpt.exe", "fptw.exe", "fptw64.exe",
  "afuwin.exe", "afuwin64.exe", "afudos.exe",
  "meinfo.exe", "meinfowin.exe", "meinfowin64.exe",
  "amidewin.exe", "amidewin64.exe",
  "h2offt.exe", "h2offt-w.exe",
  "winphlash.exe", "winphlash64.exe",
  "ubuild.exe", "ubu.exe"
]);
let FirmwareWritePatterns = dynamic([
  "--write", "--erase", "--flash",
  "spi write", "spi.write", "spi_write",
  "bios write", "uefi write", "flash write",
  "nvram write", "WRITESPI", "/WRITESPI",
  "chipsec_util spi write",
  "flashrom -w", "flashrom --write"
]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe",
  "wscript.exe", "cscript.exe", "mshta.exe",
  "explorer.exe"
]);
// Signal 1: Execution of known firmware manipulation tools
let FirmwareToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareToolNames)
| extend Signal = "KnownFirmwareTool"
| extend RiskDetail = strcat("Firmware tool executed: ", FileName);
// Signal 2: Command-line patterns indicating firmware write or erase operations
let FirmwareWriteCmd = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (FirmwareWritePatterns)
| extend Signal = "FirmwareWriteOperation"
| extend RiskDetail = strcat("Write/erase flag in command: ", ProcessCommandLine);
// Signal 3: PowerShell-based UEFI variable modification or BCD tampering
let UEFITamper = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "Set-SecureBootUEFI", "Set-UEFIVariable",
    "bcdedit /set", "bcdedit /delete", "bcdedit /deletevalue"
  )
| extend Signal = "UEFIOrBCDTamper"
| extend RiskDetail = "PowerShell UEFI variable or BCD modification";
// Combine all signals and enrich with context
union FirmwareToolExec, FirmwareWriteCmd, UEFITamper
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsSystemAccount = AccountName =~ "SYSTEM"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         Signal, RiskDetail, SuspiciousParent, IsSystemAccount
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate firmware updates performed by IT or hardware teams using vendor tools (Dell Command Update, HP BIOSConfigUtility, Lenovo Vantage, Intel ME FW Recovery Tool) during approved maintenance windows
Security research or firmware auditing environments where CHIPSEC or RW-Everything are deployed for authorized vulnerability assessment or UEFI security analysis
OEM factory imaging or provisioning systems that perform BIOS flashing as part of hardware configuration pipelines, typically under a service account from a management process
Automated asset management tools that invoke bcdedit to configure boot options during operating system deployment or repair workflows (e.g., WDS, MDT, SCCM OSD)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval ToolHit=if(
    EventCode=1 AND match(Image, "(?i)(\\\\rw\.exe$|\\\\rw64\.exe$|\\\\rweverything\.exe$|\\\\chipsec\.exe$|\\\\chipsec_main\.exe$|\\\\flashrom\.exe$|\\\\fpt\.exe$|\\\\fptw\.exe$|\\\\fptw64\.exe$|\\\\afuwin\.exe$|\\\\afuwin64\.exe$|\\\\afudos\.exe$|\\\\meinfo\.exe$|\\\\amidewin\.exe$|\\\\h2offt\.exe$|\\\\winphlash\.exe$|\\\\winphlash64\.exe$)"),
    1, 0
  )
| eval WritePatternHit=if(
    EventCode=1 AND match(CommandLine, "(?i)(--write|--erase|--flash|-W\s|-E\s|spi[._]write|bios.write|uefi.write|flash.write|nvram.write|WRITESPI|flashrom\s+-w\b|chipsec_util.spi.write)"),
    1, 0
  )
| eval DriverLoadHit=if(
    EventCode=6 AND match(ImageLoaded, "(?i)(\\\\rw\.sys$|\\\\rwdrv\.sys$|\\\\winio\.sys$|\\\\winio32\.sys$|\\\\winio64\.sys$|\\\\physmem\.sys$|\\\\pmem\.sys$|\\\\dbutil_2_3\.sys$|\\\\rtcore64\.sys$)"),
    1, 0
  )
| eval UEFITamper=if(
    EventCode=1 AND (match(Image, "(?i)\\\\(powershell|pwsh)\.exe$")) AND match(CommandLine, "(?i)(Set-SecureBootUEFI|Set-UEFIVariable|bcdedit.*/set|bcdedit.*/delete)"),
    1, 0
  )
| eval RiskScore=ToolHit + WritePatternHit + (DriverLoadHit * 2) + UEFITamper
| where RiskScore > 0
| eval Signal=case(
    DriverLoadHit=1, "SuspiciousFirmwareDriver",
    WritePatternHit=1 AND ToolHit=1, "FirmwareToolWithWriteOp",
    ToolHit=1, "KnownFirmwareTool",
    UEFITamper=1, "UEFIOrBCDTamper",
    WritePatternHit=1, "FirmwareWritePattern",
    true(), "UnknownFirmwareSignal"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ImageLoaded, EventCode, Signal, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Driver: Driver Load Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 6

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate firmware updates performed by IT or hardware teams using vendor tools during approved maintenance windows — parent process will typically be a vendor update service or SCCM agent
Security research or firmware auditing environments where CHIPSEC or RW-Everything are used for authorized UEFI security assessments
OEM hardware provisioning pipelines that perform BIOS flashing as part of device imaging, loading expected vendor-signed drivers
Hardware security platforms (Eclypsium Enterprise, Binarly) that load ring-0 drivers for authorized firmware scanning and vulnerability assessment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "ParentProcessName" AS parent_process,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*\\(rw\.exe|rw64\.exe|rweverything\.exe|chipsec\.exe|chipsec_main\.exe|flashrom\.exe|fpt\.exe|fptw\.exe|fptw64\.exe|afuwin\.exe|afuwin64\.exe|afudos\.exe|meinfo\.exe|meinfowin\.exe|meinfowin64\.exe|amidewin\.exe|amidewin64\.exe|h2offt\.exe|h2offt-w\.exe|winphlash\.exe|winphlash64\.exe|ubuild\.exe|ubu\.exe)$' THEN 'KnownFirmwareTool'
    WHEN LOWER("Command") MATCHES '.*(--write|--erase|--flash|spi[._]write|bios.write|uefi.write|flash.write|nvram.write|writespi|flashrom\s+-w|chipsec_util.spi.write).*' THEN 'FirmwareWriteOperation'
    WHEN LOWER("Process Name") MATCHES '.*(powershell|pwsh)\.exe$' AND LOWER("Command") MATCHES '.*(set-securebootuefi|set-uefivariable|bcdedit.*/set|bcdedit.*/delete).*' THEN 'UEFIOrBCDTamper'
    WHEN LOWER("Filename") MATCHES '.*\\(rw\.sys|rwdrv\.sys|winio\.sys|winio32\.sys|winio64\.sys|physmem\.sys|pmem\.sys|dbutil_2_3\.sys|rtcore64\.sys)$' THEN 'SuspiciousFirmwareDriver'
    ELSE 'UnknownFirmwareSignal'
  END AS signal
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15)
  AND starttime > NOW() - 24 HOURS
  AND (
    LOWER("Process Name") MATCHES '.*\\(rw\.exe|rw64\.exe|rweverything\.exe|chipsec\.exe|chipsec_main\.exe|flashrom\.exe|fpt\.exe|fptw\.exe|fptw64\.exe|afuwin\.exe|afuwin64\.exe|afudos\.exe|meinfo\.exe|h2offt\.exe|winphlash\.exe|ubuild\.exe|ubu\.exe)$'
    OR LOWER("Command") MATCHES '.*(--write|--erase|--flash|spi[._]write|bios.write|uefi.write|flash.write|nvram.write|writespi|flashrom\s+-w).*'
    OR (LOWER("Process Name") MATCHES '.*(powershell|pwsh)\.exe$' AND LOWER("Command") MATCHES '.*(set-securebootuefi|set-uefivariable|bcdedit).*')
    OR LOWER("Filename") MATCHES '.*\\(rw\.sys|rwdrv\.sys|winio\.sys|winio32\.sys|winio64\.sys|physmem\.sys|pmem\.sys|dbutil_2_3\.sys|rtcore64\.sys)$'
  )
ORDER BY starttime DESC
LIMIT 500

critical severity high confidence

Data Sources

QRadar Windows Sysmon DSM QRadar Windows Security Event Log DSM QRadar WinCollect Agent

Required Tables

events

False Positives

Scheduled BIOS/UEFI firmware updates deployed by endpoint management tools such as SCCM, Intune, or vendor-specific utilities that execute fpt.exe or h2offt.exe as child processes
Chipsec or RWEverything used by internal hardware validation teams performing pre-deployment firmware audits on new endpoint models
bcdedit commands executed legitimately by Windows Update, BitLocker configuration scripts, or IT provisioning automation during imaging workflows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "CommandLine: *" as command_line nodrop
| parse field=Message "ImageLoaded: *" as image_loaded nodrop
| parse field=Message "ParentImage: *" as parent_image nodrop
| parse field=Message "User: *" as username nodrop
| parse field=Message "Computer: *" as hostname nodrop
| parse field=Message "EventID: *" as event_id nodrop
| where event_id in ("1", "6", "7")
| eval tool_hit = if(matches(toLowerCase(process_image), ".*(\\\\rw\.exe|\\\\rw64\.exe|\\\\rweverything\.exe|\\\\chipsec\.exe|\\\\chipsec_main\.exe|\\\\flashrom\.exe|\\\\fpt\.exe|\\\\fptw\.exe|\\\\fptw64\.exe|\\\\afuwin\.exe|\\\\afuwin64\.exe|\\\\afudos\.exe|\\\\meinfo\.exe|\\\\amidewin\.exe|\\\\h2offt\.exe|\\\\winphlash\.exe|\\\\ubuild\.exe|\\\\ubu\.exe)$"), 1, 0)
| eval write_hit = if(matches(toLowerCase(command_line), ".*(--write|--erase|--flash|spi[._]write|bios.write|uefi.write|flash.write|nvram.write|writespi|flashrom\\s+-w|chipsec_util.spi.write).*"), 1, 0)
| eval driver_hit = if(matches(toLowerCase(image_loaded), ".*(\\\\rw\.sys|\\\\rwdrv\.sys|\\\\winio\.sys|\\\\winio32\.sys|\\\\winio64\.sys|\\\\physmem\.sys|\\\\pmem\.sys|\\\\dbutil_2_3\.sys|\\\\rtcore64\.sys)$"), 1, 0)
| eval uefi_hit = if(matches(toLowerCase(process_image), ".*(powershell|pwsh)\.exe$") and matches(toLowerCase(command_line), ".*(set-securebootuefi|set-uefivariable|bcdedit.*/set|bcdedit.*/delete).*"), 1, 0)
| eval risk_score = tool_hit + write_hit + (driver_hit * 2) + uefi_hit
| where risk_score > 0
| eval signal = if(driver_hit == 1, "SuspiciousFirmwareDriver",
    if(write_hit == 1 and tool_hit == 1, "FirmwareToolWithWriteOp",
    if(tool_hit == 1, "KnownFirmwareTool",
    if(uefi_hit == 1, "UEFIOrBCDTamper",
    if(write_hit == 1, "FirmwareWritePattern", "UnknownFirmwareSignal")))))
| fields _messagetime, hostname, username, process_image, command_line, parent_image, image_loaded, event_id, signal, risk_score
| sort by risk_score desc, _messagetime desc

critical severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Sysmon source Sumo Logic Cloud SIEM Enterprise

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Vendor-provided BIOS update packages from Dell Command Update, HP System Software Manager, or Lenovo System Update that silently invoke fpt.exe or h2offt.exe with write flags during automated firmware updates
Hardware security assessment tools such as Chipsec used legitimately by the platform security or firmware engineering team to audit UEFI configuration on test systems
Enterprise IT automation scripts using bcdedit to configure BitLocker protectors, enable/disable test signing, or modify boot sequence during provisioning

Google Chronicle / SecOps

yaral

rule t1495_firmware_corruption {
  meta:
    author = "Detection Engineering"
    description = "Detects T1495 Firmware Corruption via known firmware tools, write/erase operations, suspicious driver loads, and UEFI/BCD tampering"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1495"
    severity = "CRITICAL"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.principal.process.file.full_path, `(?i)\\(rw\.exe|rw64\.exe|rweverything\.exe|chipsec\.exe|chipsec_main\.exe|flashrom\.exe|fpt\.exe|fptw\.exe|fptw64\.exe|afuwin\.exe|afuwin64\.exe|afudos\.exe|meinfo\.exe|meinfowin\.exe|meinfowin64\.exe|amidewin\.exe|amidewin64\.exe|h2offt\.exe|h2offt-w\.exe|winphlash\.exe|winphlash64\.exe|ubuild\.exe|ubu\.exe)$`)
        or re.regex($e.target.process.command_line, `(?i)(--write|--erase|--flash|spi[._]write|bios.write|uefi.write|flash.write|nvram.write|WRITESPI|flashrom\s+-w|chipsec_util.spi.write)`)
        or (
          re.regex($e.principal.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)(Set-SecureBootUEFI|Set-UEFIVariable|bcdedit.*/set|bcdedit.*/delete|bcdedit.*/deletevalue)`)
        )
      )
    )
    or
    (
      $e.metadata.event_type = "DRIVER_LOAD"
      and re.regex($e.target.file.full_path, `(?i)\\(rw\.sys|rwdrv\.sys|winio\.sys|winio32\.sys|winio64\.sys|physmem\.sys|pmem\.sys|dbutil_2_3\.sys|rtcore64\.sys)$`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle UDM via Google Security Operations SIEM Elastic Forwarder to Chronicle Windows Sysmon via Chronicle Ingestion

Required Tables

UDM events with metadata.event_type PROCESS_LAUNCH and DRIVER_LOAD

False Positives

Legitimate OEM firmware update utilities bundled with endpoint management platforms that match firmware tool names but execute from trusted vendor paths under authorized service accounts
Penetration testing or red team engagements using Chipsec or RWEverything on isolated lab systems — correlate with change management records and authorized testing schedules
Windows Subsystem for Linux or virtualization software that loads memory access drivers (physmem.sys, pmem.sys) for legitimate hardware abstraction purposes

CrowdStrike LogScale (CQL)

cql

// T1495 - Firmware Corruption Detection
// Signal 1: Known firmware tool execution
#event_simpleName = ProcessRollup2
| FileName = /(?i)(rw\.exe|rw64\.exe|rweverything\.exe|chipsec\.exe|chipsec_main\.exe|flashrom\.exe|fpt\.exe|fptw\.exe|fptw64\.exe|afuwin\.exe|afuwin64\.exe|afudos\.exe|meinfo\.exe|meinfowin\.exe|meinfowin64\.exe|amidewin\.exe|amidewin64\.exe|h2offt\.exe|h2offt-w\.exe|winphlash\.exe|winphlash64\.exe|ubuild\.exe|ubu\.exe)$/
| eval Signal = "KnownFirmwareTool"
| eval RiskScore = 3

// Signal 2: Firmware write/erase command-line patterns
| union [
    #event_simpleName = ProcessRollup2
    | CommandLine = /(?i)(--write|--erase|--flash|spi[._]write|bios[. ]write|uefi[. ]write|flash[. ]write|nvram[. ]write|WRITESPI|\/WRITESPI|flashrom\s+-w|chipsec_util.spi.write)/
    | eval Signal = "FirmwareWriteOperation"
    | eval RiskScore = 3
  ]

// Signal 3: PowerShell UEFI or BCD tampering
| union [
    #event_simpleName = ProcessRollup2
    | FileName = /(?i)(powershell|pwsh)\.exe$/
    | CommandLine = /(?i)(Set-SecureBootUEFI|Set-UEFIVariable|bcdedit.*\/set|bcdedit.*\/delete|bcdedit.*\/deletevalue)/
    | eval Signal = "UEFIOrBCDTamper"
    | eval RiskScore = 4
  ]

// Signal 4: Suspicious firmware kernel driver load
| union [
    #event_simpleName = DriverLoad
    | ImageFileName = /(?i)(rw\.sys|rwdrv\.sys|winio\.sys|winio32\.sys|winio64\.sys|physmem\.sys|pmem\.sys|dbutil_2_3\.sys|rtcore64\.sys)$/
    | eval Signal = "SuspiciousFirmwareDriver"
    | eval RiskScore = 5
  ]

| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, Signal], function=[
    max(RiskScore, as=MaxRiskScore),
    count(as=EventCount),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| eval SuspiciousParent = if(ParentBaseFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe)/, "true", "false")
| sort(MaxRiskScore, order=desc)
| select([LastSeen, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, Signal, MaxRiskScore, EventCount, SuspiciousParent])

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon LogScale / Next-Gen SIEM Falcon sensor process and driver telemetry

Required Tables

ProcessRollup2 (Falcon process events) DriverLoad (Falcon driver load events)

False Positives

CrowdStrike Falcon sensor updates or third-party EDR products that load kernel drivers (physmem.sys, pmem.sys) for legitimate memory access or hardware enumeration during initialization
IT asset management or hardware inventory tools that invoke RWEverything or fpt.exe in read-only mode for BIOS version discovery during automated hardware audits
Vendor-certified BIOS update workflows triggered via SCCM or Intune that spawn h2offt.exe or afuwin64.exe with flash write arguments from trusted parent processes under approved service accounts

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1495 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Firmware Corruption

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Impact

Popular Detections