T1495 Splunk · SPL

Detect Firmware Corruption in Splunk

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. Real-world examples include TrickBot's 'Trickboot' module (2020), which can write or erase UEFI/BIOS firmware of a compromised device, and Bad Rabbit ransomware, which installed a modified bootloader to prevent normal boot-up. Firmware corruption often results in permanent hardware denial-of-availability and may be combined with data destruction for maximum impact.

MITRE ATT&CK

Tactic
Impact
Technique
T1495 Firmware Corruption
Canonical reference
https://attack.mitre.org/techniques/T1495/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval ToolHit=if(
    EventCode=1 AND match(Image, "(?i)(\\\\rw\.exe$|\\\\rw64\.exe$|\\\\rweverything\.exe$|\\\\chipsec\.exe$|\\\\chipsec_main\.exe$|\\\\flashrom\.exe$|\\\\fpt\.exe$|\\\\fptw\.exe$|\\\\fptw64\.exe$|\\\\afuwin\.exe$|\\\\afuwin64\.exe$|\\\\afudos\.exe$|\\\\meinfo\.exe$|\\\\amidewin\.exe$|\\\\h2offt\.exe$|\\\\winphlash\.exe$|\\\\winphlash64\.exe$)"),
    1, 0
  )
| eval WritePatternHit=if(
    EventCode=1 AND match(CommandLine, "(?i)(--write|--erase|--flash|-W\s|-E\s|spi[._]write|bios.write|uefi.write|flash.write|nvram.write|WRITESPI|flashrom\s+-w\b|chipsec_util.spi.write)"),
    1, 0
  )
| eval DriverLoadHit=if(
    EventCode=6 AND match(ImageLoaded, "(?i)(\\\\rw\.sys$|\\\\rwdrv\.sys$|\\\\winio\.sys$|\\\\winio32\.sys$|\\\\winio64\.sys$|\\\\physmem\.sys$|\\\\pmem\.sys$|\\\\dbutil_2_3\.sys$|\\\\rtcore64\.sys$)"),
    1, 0
  )
| eval UEFITamper=if(
    EventCode=1 AND (match(Image, "(?i)\\\\(powershell|pwsh)\.exe$")) AND match(CommandLine, "(?i)(Set-SecureBootUEFI|Set-UEFIVariable|bcdedit.*/set|bcdedit.*/delete)"),
    1, 0
  )
| eval RiskScore=ToolHit + WritePatternHit + (DriverLoadHit * 2) + UEFITamper
| where RiskScore > 0
| eval Signal=case(
    DriverLoadHit=1, "SuspiciousFirmwareDriver",
    WritePatternHit=1 AND ToolHit=1, "FirmwareToolWithWriteOp",
    ToolHit=1, "KnownFirmwareTool",
    UEFITamper=1, "UEFIOrBCDTamper",
    WritePatternHit=1, "FirmwareWritePattern",
    true(), "UnknownFirmwareSignal"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ImageLoaded, EventCode, Signal, RiskScore
| sort - RiskScore, - _time
high severity medium confidence

Detects firmware corruption activity using Sysmon events across four detection signals: (1) EventCode=1 process creation matching known firmware tool binary names (RW-Everything, CHIPSEC, flashrom, Intel FPT, AMI AfuWin, Insyde H2OFFT); (2) EventCode=1 command-line patterns containing firmware write or erase flags; (3) EventCode=6 driver loads for ring-0 hardware access drivers commonly abused in firmware attacks (rw.sys, winio.sys, physmem.sys, rtcore64.sys); (4) EventCode=1 PowerShell UEFI variable or BCD modification commands. A cumulative risk score is computed with driver loads weighted double due to their elevated severity. EventCode=6 driver load detection requires Sysmon DriverLoad logging to be enabled in the deployment configuration.

Data Sources

Process: Process CreationDriver: Driver LoadCommand: Command ExecutionSysmon Event ID 1Sysmon Event ID 6

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate firmware updates performed by IT or hardware teams using vendor tools during approved maintenance windows — parent process will typically be a vendor update service or SCCM agent
  • Security research or firmware auditing environments where CHIPSEC or RW-Everything are used for authorized UEFI security assessments
  • OEM hardware provisioning pipelines that perform BIOS flashing as part of device imaging, loading expected vendor-signed drivers
  • Hardware security platforms (Eclypsium Enterprise, Binarly) that load ring-0 drivers for authorized firmware scanning and vulnerability assessment
Download portable Sigma rule (.yml)

Other platforms for T1495

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CHIPSEC UEFI Variable Enumeration — Read-Only Firmware Reconnaissance

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'chipsec_util.py uefi var-list'. Sysmon Event ID 6: Driver load for chipsec.sys (or chipsec_hlpr.sys) from a temp or install directory. Security Event ID 7045: New service installed for the CHIPSEC kernel driver. Windows may prompt for UAC on driver installation.

  2. Test 2RW-Everything Hardware Access Tool Execution with Ring-0 Driver Load

    Expected signal: Sysmon Event ID 1: Process Create with Image=Rw.exe and CommandLine containing '/Command="PCI 0 0 0 0 10"'. Sysmon Event ID 6: Driver load for rw.sys from tool directory or System32\drivers\. Security Event ID 7045: New service named 'RW' registered pointing to rw.sys. Service exits after tool completes but driver load telemetry persists.

  3. Test 3PowerShell BCD Store Modification — Bad Rabbit Bootloader Tamper Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'bcdedit /set' and ExecutionPolicy Bypass. Two additional Sysmon EventCode=1 events for bcdedit.exe child processes. Security Event ID 4688 (if command-line auditing enabled) for both bcdedit invocations. PowerShell ScriptBlock Log Event ID 4104 capturing the full command.

  4. Test 4Linux flashrom SPI Flash Probe — Non-Destructive Hardware Reconnaissance

    Expected signal: Linux auditd EXECVE record with a=flashrom, argv containing '-p', 'internal', '--no-action', '-V'. Syslog entry capturing sudo invocation and flashrom execution. On systems with Sysmon for Linux (EventID 1): Process Create event for flashrom. /var/log/auth.log entry recording sudo authentication for the flashrom command.

  5. Test 5Intel Flash Programming Tool (FPT) Flash Descriptor Read

    Expected signal: Sysmon Event ID 1: Process Create with Image=fptw64.exe, CommandLine containing '-DESC -d'. Sysmon Event ID 11: File Create event for df00tech_flashdesc.bin in %TEMP%. Security Event ID 7045 may appear if FPT installs a kernel service for hardware access. The .bin file size will reflect the flash descriptor region size (typically 4KB).

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1495 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1485Data DestructionT1561.002Disk Structure WipeT1542Pre-OS BootT1542.001System FirmwareT1542.003BootkitT1068Exploitation for Privilege EscalationT1082System Information DiscoveryT1490Inhibit System RecoveryT1014RootkitT1203Exploitation for Client Execution

Same Tactic: Impact

Popular Detections