Detect Firmware Corruption in Microsoft Sentinel
Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. Real-world examples include TrickBot's 'Trickboot' module (2020), which can write or erase UEFI/BIOS firmware of a compromised device, and Bad Rabbit ransomware, which installed a modified bootloader to prevent normal boot-up. Firmware corruption often results in permanent hardware denial-of-availability and may be combined with data destruction for maximum impact.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1495 Firmware Corruption
- Canonical reference
- https://attack.mitre.org/techniques/T1495/
KQL Detection Query
let FirmwareToolNames = dynamic([
"rw.exe", "rw64.exe", "rweverything.exe",
"chipsec.exe", "chipsec_main.exe",
"flashrom.exe",
"fpt.exe", "fptw.exe", "fptw64.exe",
"afuwin.exe", "afuwin64.exe", "afudos.exe",
"meinfo.exe", "meinfowin.exe", "meinfowin64.exe",
"amidewin.exe", "amidewin64.exe",
"h2offt.exe", "h2offt-w.exe",
"winphlash.exe", "winphlash64.exe",
"ubuild.exe", "ubu.exe"
]);
let FirmwareWritePatterns = dynamic([
"--write", "--erase", "--flash",
"spi write", "spi.write", "spi_write",
"bios write", "uefi write", "flash write",
"nvram write", "WRITESPI", "/WRITESPI",
"chipsec_util spi write",
"flashrom -w", "flashrom --write"
]);
let SuspiciousParents = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe",
"wscript.exe", "cscript.exe", "mshta.exe",
"explorer.exe"
]);
// Signal 1: Execution of known firmware manipulation tools
let FirmwareToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareToolNames)
| extend Signal = "KnownFirmwareTool"
| extend RiskDetail = strcat("Firmware tool executed: ", FileName);
// Signal 2: Command-line patterns indicating firmware write or erase operations
let FirmwareWriteCmd = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (FirmwareWritePatterns)
| extend Signal = "FirmwareWriteOperation"
| extend RiskDetail = strcat("Write/erase flag in command: ", ProcessCommandLine);
// Signal 3: PowerShell-based UEFI variable modification or BCD tampering
let UEFITamper = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
"Set-SecureBootUEFI", "Set-UEFIVariable",
"bcdedit /set", "bcdedit /delete", "bcdedit /deletevalue"
)
| extend Signal = "UEFIOrBCDTamper"
| extend RiskDetail = "PowerShell UEFI variable or BCD modification";
// Combine all signals and enrich with context
union FirmwareToolExec, FirmwareWriteCmd, UEFITamper
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsSystemAccount = AccountName =~ "SYSTEM"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
Signal, RiskDetail, SuspiciousParent, IsSystemAccount
| sort by Timestamp descDetects execution of known firmware manipulation tools and command-line patterns indicating BIOS/UEFI firmware write or erase operations. Three signals are combined: (1) process creation of named firmware tools including RW-Everything, CHIPSEC, flashrom, and vendor utilities (Intel FPT, AMI AfuWin, Insyde H2OFFT, WinPhlash); (2) command-line arguments containing firmware write or erase operations against SPI/BIOS/UEFI/NVRAM targets; (3) PowerShell-based UEFI variable modification (Set-SecureBootUEFI, Set-UEFIVariable) or Boot Configuration Data tampering via bcdedit. Results include parent process and account context to help analysts distinguish legitimate vendor updates from malicious activity.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate firmware updates performed by IT or hardware teams using vendor tools (Dell Command Update, HP BIOSConfigUtility, Lenovo Vantage, Intel ME FW Recovery Tool) during approved maintenance windows
- Security research or firmware auditing environments where CHIPSEC or RW-Everything are deployed for authorized vulnerability assessment or UEFI security analysis
- OEM factory imaging or provisioning systems that perform BIOS flashing as part of hardware configuration pipelines, typically under a service account from a management process
- Automated asset management tools that invoke bcdedit to configure boot options during operating system deployment or repair workflows (e.g., WDS, MDT, SCCM OSD)
Other platforms for T1495
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CHIPSEC UEFI Variable Enumeration — Read-Only Firmware Reconnaissance
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'chipsec_util.py uefi var-list'. Sysmon Event ID 6: Driver load for chipsec.sys (or chipsec_hlpr.sys) from a temp or install directory. Security Event ID 7045: New service installed for the CHIPSEC kernel driver. Windows may prompt for UAC on driver installation.
- Test 2RW-Everything Hardware Access Tool Execution with Ring-0 Driver Load
Expected signal: Sysmon Event ID 1: Process Create with Image=Rw.exe and CommandLine containing '/Command="PCI 0 0 0 0 10"'. Sysmon Event ID 6: Driver load for rw.sys from tool directory or System32\drivers\. Security Event ID 7045: New service named 'RW' registered pointing to rw.sys. Service exits after tool completes but driver load telemetry persists.
- Test 3PowerShell BCD Store Modification — Bad Rabbit Bootloader Tamper Simulation
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'bcdedit /set' and ExecutionPolicy Bypass. Two additional Sysmon EventCode=1 events for bcdedit.exe child processes. Security Event ID 4688 (if command-line auditing enabled) for both bcdedit invocations. PowerShell ScriptBlock Log Event ID 4104 capturing the full command.
- Test 4Linux flashrom SPI Flash Probe — Non-Destructive Hardware Reconnaissance
Expected signal: Linux auditd EXECVE record with a=flashrom, argv containing '-p', 'internal', '--no-action', '-V'. Syslog entry capturing sudo invocation and flashrom execution. On systems with Sysmon for Linux (EventID 1): Process Create event for flashrom. /var/log/auth.log entry recording sudo authentication for the flashrom command.
- Test 5Intel Flash Programming Tool (FPT) Flash Descriptor Read
Expected signal: Sysmon Event ID 1: Process Create with Image=fptw64.exe, CommandLine containing '-DESC -d'. Sysmon Event ID 11: File Create event for df00tech_flashdesc.bin in %TEMP%. Security Event ID 7045 may appear if FPT installs a kernel service for hardware access. The .bin file size will reflect the flash descriptor region size (typically 4KB).
References (8)
- https://attack.mitre.org/techniques/T1495/
- https://securelist.com/bad-rabbit-ransomware/82851/
- https://eclypsium.com/research/trickbot-now-offers-trickboot-persist-brick-profit/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
- https://cyber.dhs.gov/assets/report/ar-16-20173.pdf
- https://chipsec.github.io/
- https://www.flashrom.org/
- https://web.archive.org/web/20190508170055/https://www.symantec.com/security-center/writeup/2000-122010-2655-99
Unlock Pro Content
Get the full detection package for T1495 including response playbook, investigation guide, and atomic red team tests.