T1542

Pre-OS Boot

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than the disk itself.

Microsoft Sentinel / Defender

kusto

let FirmwareToolNames = dynamic([
    "RWEverything.exe", "RWE.exe", "Rw.exe",
    "chipsec_main.exe", "chipsec.exe",
    "flashrom.exe",
    "afuwin64.exe", "afuwin32.exe", "afudos.exe",
    "WinFlash.exe", "biosflash.exe",
    "FPT.exe", "FPTW64.exe", "FPTW.exe",
    "H2OUVE-W-PEXE64.exe", "H2OFFT-W.exe", "H2OUVE.exe",
    "AMIBCP.exe", "AMIDEWin64.exe", "AMIDEWin.exe",
    "FWUpdateLocalApp.exe", "FirmwareUpdate.exe"
]);
let FirmwareKeywords = dynamic([
    "chipsec", "flashrom", "rweverything",
    "afuwin", "afudos", "biosflash", "winflash",
    "H2OUVE", "AMIBCP", "uefi-firmware",
    "fptw64", "MEManuf", "biosupdate", "uefiflash"
]);
let BootloaderFiles = dynamic([
    "bootmgfw.efi", "bootx64.efi", "grubx64.efi", "shimx64.efi",
    "bootmgr", "BOOTMGR", "winload.efi", "winload.exe", "ntldr", "NTLDR"
]);
let LegitBootParents = dynamic([
    "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
    "msiexec.exe", "wuauclt.exe", "sysprep.exe", "cleanmgr.exe",
    "fwupd", "fwupdmgr", "bootupd"
]);
// Sub-query 1: Known firmware manipulation tool execution
let FirmwareToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareToolNames)
    or ProcessCommandLine has_any (FirmwareKeywords)
| extend DetectionType = "FirmwareToolExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 2: Raw disk handle access (potential MBR/VBR read or write)
let RawDiskAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "\\\\.\\PhysicalDrive"
    or ProcessCommandLine has "\\\\.\\PHYSICALDRIVE"
    or ProcessCommandLine has "\\\\.\\Harddisk"
    or ProcessCommandLine has "\\Device\\Harddisk"
| where FileName !in~ ("defrag.exe", "chkdsk.exe", "diskpart.exe", "diskshadow.exe",
                        "vssadmin.exe", "wbadmin.exe", "ntbackup.exe",
                        "StorageD.exe", "StorageUsage.exe")
| where InitiatingProcessFileName !in~ ("services.exe", "wininit.exe", "smss.exe")
| extend DetectionType = "RawDiskAccess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 3: Boot configuration modification via bcdedit/bootrec/bcdboot
let BootConfigMod = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("/set", "/create", "/delete", "/import", "/store", "/deletevalue"))
    or (FileName =~ "bootrec.exe" and ProcessCommandLine has_any ("/fixmbr", "/fixboot", "/rebuildbcd", "/scanos"))
    or (FileName =~ "bcdboot.exe" and ProcessCommandLine !has "/help")
| where InitiatingProcessFileName !in~ (LegitBootParents)
    and InitiatingProcessFileName !in~ ("svchost.exe", "wininit.exe")
| extend DetectionType = "BootConfigModification"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 4: Write or modification of critical boot/EFI files
let BootFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has "\\EFI\\"
    or FolderPath has "\\Boot\\"
    or FileName in~ (BootloaderFiles)
    or (FolderPath has "\\System32\\boot\\" and FileName endswith ".efi")
| where InitiatingProcessFileName !in~ (LegitBootParents)
    and InitiatingProcessFileName !in~ ("wininit.exe", "svchost.exe", "System")
| extend DetectionType = "BootFileWrite"
| extend AccountName = InitiatingProcessAccountName
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Union all sub-detections
union FirmwareToolExec, RawDiskAccess, BootConfigMod, BootFileWrite
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation File: File Creation File: File Modification Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

OEM firmware update utilities shipped with laptops (Dell Command Update, HP BIOS Update, Lenovo System Update) that run scheduled BIOS/UEFI updates — typically launched by svchost.exe or a vendor service parent
Dual-boot system configuration tools that modify BCD entries (EasyBCD, rEFInd installer, Ubuntu grub-install during OS installation)
Enterprise endpoint management during OS deployment — DISM, setup.exe, and MDT/SCCM task sequences legitimately write to EFI and Boot paths
Security researchers and IT administrators running CHIPSEC or RWEverything for hardware auditing or vulnerability assessment with explicit authorization
Backup software (Acronis True Image, Macrium Reflect) that access raw disk handles for sector-level backup of the MBR and system partition

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| where EventCode IN (1, 11)
| eval proc_lower=lower(coalesce(Image, ""))
| eval cmd_lower=lower(coalesce(CommandLine, ""))
| eval parent_lower=lower(coalesce(ParentImage, ""))
| eval target_lower=lower(coalesce(TargetFilename, ""))
| eval FirmwareTool=if(EventCode=1 AND (
    match(proc_lower, "(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)") OR
    match(cmd_lower, "(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi.firmware|biosupdate|uefiflash)")
), 1, 0)
| eval RawDiskAccess=if(EventCode=1 AND
    (match(cmd_lower, "physicaldrive") OR match(cmd_lower, "\\.\\harddisk") OR match(cmd_lower, "\\device\\harddisk")) AND
    NOT match(proc_lower, "(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)") AND
    NOT match(parent_lower, "(services\.exe|wininit\.exe|smss\.exe)"), 1, 0)
| eval BootConfigMod=if(EventCode=1 AND (
    (match(proc_lower, "bcdedit\.exe") AND match(cmd_lower, "(/set|/create|/delete|/import|/store|/deletevalue)")) OR
    (match(proc_lower, "bootrec\.exe") AND match(cmd_lower, "(/fixmbr|/fixboot|/rebuildbcd|/scanos)")) OR
    (match(proc_lower, "bcdboot\.exe") AND NOT match(cmd_lower, "/help"))
) AND NOT match(parent_lower, "(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)"), 1, 0)
| eval BootFileWrite=if(EventCode=11 AND
    (match(target_lower, "(\\\\efi\\\\|\\\\boot\\\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\\\bootmgr$|ntldr)")) AND
    NOT match(proc_lower, "(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe)"), 1, 0)
| eval SuspicionScore=FirmwareTool + RawDiskAccess + BootConfigMod + BootFileWrite
| where SuspicionScore > 0
| eval DetectionTypes=mvappend(
    if(FirmwareTool=1, "FirmwareToolExecution", null()),
    if(RawDiskAccess=1, "RawDiskAccess", null()),
    if(BootConfigMod=1, "BootConfigModification", null()),
    if(BootFileWrite=1, "BootFileWrite", null())
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, DetectionTypes, SuspicionScore
| sort - _time

critical severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

OEM firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) running scheduled BIOS updates — suppress by allowlisting known vendor EXE paths with system service parents
Dual-boot configuration tools modifying BCD entries during initial OS setup or bootloader repair on developer workstations
Enterprise OS deployment via SCCM, MDT, or WDS that writes bootloader files to EFI and Boot partitions — typically occurs only during provisioning windows
Disk imaging and backup software (Acronis, Macrium, Veeam Agent) accessing raw disk handles for sector-level backups — allowlist by backup service account and process hash
Security auditing tools run by authorized red team or vulnerability assessment teams — coordinate with security team to whitelist scheduled scan windows

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    /* Firmware tool execution */
    (
      event.category == "process" and event.type == "start" and
      (
        process.name in~ (
          "RWEverything.exe", "RWE.exe", "Rw.exe",
          "chipsec_main.exe", "chipsec.exe",
          "flashrom.exe",
          "afuwin64.exe", "afuwin32.exe", "afudos.exe",
          "WinFlash.exe", "biosflash.exe",
          "FPT.exe", "FPTW64.exe", "FPTW.exe",
          "H2OUVE-W-PEXE64.exe", "H2OFFT-W.exe", "H2OUVE.exe",
          "AMIBCP.exe", "AMIDEWin64.exe", "AMIDEWin.exe",
          "FWUpdateLocalApp.exe", "FirmwareUpdate.exe"
        ) or
        process.args : ("*chipsec*", "*flashrom*", "*rweverything*", "*afuwin*", "*biosupdate*", "*uefiflash*", "*H2OUVE*", "*AMIBCP*")
      )
    ) or
    /* Raw disk handle access */
    (
      event.category == "process" and event.type == "start" and
      process.args : ("*\\\\.\\PhysicalDrive*", "*\\\\.\\PHYSICALDRIVE*", "*\\\\.\\Harddisk*", "*\\Device\\Harddisk*") and
      not process.name in~ ("defrag.exe", "chkdsk.exe", "diskpart.exe", "diskshadow.exe", "vssadmin.exe", "wbadmin.exe", "ntbackup.exe") and
      not process.parent.name in~ ("services.exe", "wininit.exe", "smss.exe")
    ) or
    /* Boot configuration modification */
    (
      event.category == "process" and event.type == "start" and
      (
        (
          process.name =~ "bcdedit.exe" and
          process.args : ("/set", "/create", "/delete", "/import", "/store", "/deletevalue")
        ) or
        (
          process.name =~ "bootrec.exe" and
          process.args : ("/fixmbr", "/fixboot", "/rebuildbcd", "/scanos")
        ) or
        (
          process.name =~ "bcdboot.exe" and
          not process.args : "/help"
        )
      ) and
      not process.parent.name in~ (
        "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
        "msiexec.exe", "wuauclt.exe", "sysprep.exe", "svchost.exe", "wininit.exe"
      )
    ) or
    /* EFI/Boot file write */
    (
      event.category == "file" and
      event.type in ("creation", "change") and
      (
        file.path : ("*\\EFI\\*", "*\\Boot\\*") or
        file.name in~ (
          "bootmgfw.efi", "bootx64.efi", "grubx64.efi", "shimx64.efi",
          "bootmgr", "BOOTMGR", "winload.efi", "winload.exe", "ntldr", "NTLDR"
        )
      ) and
      not process.name in~ (
        "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
        "msiexec.exe", "wuauclt.exe", "sysprep.exe", "fwupd", "fwupdmgr",
        "bootupd", "wininit.exe", "svchost.exe"
      )
    )
  )
] with runs=1

critical severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate BIOS/firmware updates from vendor-supplied tools such as Dell Command Update, HP Support Assistant, or Lenovo System Update — these typically run from %ProgramFiles% or vendor-specific paths and are initiated by the vendor update service
Windows Update or DISM operations modifying bootloader files during OS upgrades or in-place repairs — process parent will be TrustedInstaller.exe or WUAgent
Linux dual-boot systems running GRUB updates via package manager (grub-install, update-grub) which may trigger EFI directory file events
Security researchers or red team operators running authorized firmware assessment tools such as CHIPSEC in a controlled environment
bcdedit.exe invocations by enterprise imaging solutions (Symantec Ghost, Acronis, MDT) during OS deployment to configure boot entries

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  "sourceip",
  "devicehostname" AS hostname,
  "Command" AS process_command,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "File Path" AS file_path,
  CASE
    WHEN LOWER("Process Name") SIMILAR TO '%(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)%' THEN 'FirmwareToolExecution'
    WHEN (LOWER("Command") SIMILAR TO '%(physicaldrive|\.\\harddisk|\\device\\harddisk)%'
          AND LOWER("Process Name") NOT SIMILAR TO '%(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)%'
          AND LOWER("Parent Process Name") NOT SIMILAR TO '%(services\.exe|wininit\.exe|smss\.exe)%') THEN 'RawDiskAccess'
    WHEN (LOWER("Process Name") SIMILAR TO '%bcdedit\.exe%'
          AND LOWER("Command") SIMILAR TO '%(/set|/create|/delete|/import|/store|/deletevalue)%'
          AND LOWER("Parent Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)%') THEN 'BootConfigModification'
    WHEN (LOWER("Process Name") SIMILAR TO '%bootrec\.exe%'
          AND LOWER("Command") SIMILAR TO '%(/fixmbr|/fixboot|/rebuildbcd|/scanos)%') THEN 'BootConfigModification'
    WHEN (LOWER("Process Name") SIMILAR TO '%bcdboot\.exe%'
          AND LOWER("Command") NOT SIMILAR TO '%/help%'
          AND LOWER("Parent Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)%') THEN 'BootConfigModification'
    WHEN ("File Path" IS NOT NULL
          AND LOWER("File Path") SIMILAR TO '%(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr|ntldr)%'
          AND LOWER("Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe)%') THEN 'BootFileWrite'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 1 DAYS
  AND (
    /* Firmware tool execution */
    LOWER("Process Name") SIMILAR TO '%(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)%'
    OR LOWER("Command") SIMILAR TO '%(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi.firmware|biosupdate|uefiflash)%'
    /* Raw disk access */
    OR (
      LOWER("Command") SIMILAR TO '%(physicaldrive|\.\\harddisk|\\device\\harddisk)%'
      AND LOWER("Process Name") NOT SIMILAR TO '%(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)%'
      AND LOWER("Parent Process Name") NOT SIMILAR TO '%(services\.exe|wininit\.exe|smss\.exe)%'
    )
    /* Boot config modification */
    OR (
      LOWER("Process Name") SIMILAR TO '%(bcdedit\.exe|bootrec\.exe|bcdboot\.exe)%'
      AND LOWER("Command") SIMILAR TO '%(/set|/create|/delete|/import|/store|/deletevalue|/fixmbr|/fixboot|/rebuildbcd|/scanos)%'
      AND LOWER("Parent Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)%'
    )
    /* Boot file writes via Sysmon event 11 */
    OR (
      "File Path" IS NOT NULL
      AND LOWER("File Path") SIMILAR TO '%(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr|ntldr)%'
      AND LOWER("Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe)%'
    )
  )
ORDER BY starttime DESC

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows Event Forwarding QRadar DSM for Windows

Required Tables

events

False Positives

Authorized firmware update utilities deployed by IT teams through SCCM or Intune — these will show parent processes like svchost.exe or msiexec.exe and originate from trusted software distribution paths
Windows OS in-place upgrade or repair operations that legitimately rewrite bootloader components — event context will show TrustedInstaller or setuphost.exe as initiating process
Penetration test or red team exercises using CHIPSEC or RWEverything under authorized change control — correlate with approved change window tickets

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<User>*</User>" as event_user nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
// Normalize to lowercase for matching
| toLowerCase(process_image) as proc_lower
| toLowerCase(command_line) as cmd_lower
| toLowerCase(parent_image) as parent_lower
| toLowerCase(target_filename) as target_lower
// Detection branch 1: Firmware tool execution
| if (event_id = "1" AND (
    matches(proc_lower, ".*(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate).*") OR
    matches(cmd_lower, ".*(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64).*")
  ), 1, 0) as firmware_tool_exec
// Detection branch 2: Raw disk handle access
| if (event_id = "1" AND
    (matches(cmd_lower, ".*(\\\\.\\\\physicaldrive|\\\\.\\\\harddisk|\\\\device\\\\harddisk).*")) AND
    !matches(proc_lower, ".*(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup).*") AND
    !matches(parent_lower, ".*(services\.exe|wininit\.exe|smss\.exe).*")
  , 1, 0) as raw_disk_access
// Detection branch 3: Boot config modification
| if (event_id = "1" AND (
    (matches(proc_lower, ".*bcdedit\.exe.*") AND matches(cmd_lower, ".*/set|/create|/delete|/import|/store|/deletevalue.*")) OR
    (matches(proc_lower, ".*bootrec\.exe.*") AND matches(cmd_lower, ".*/fixmbr|/fixboot|/rebuildbcd|/scanos.*")) OR
    (matches(proc_lower, ".*bcdboot\.exe.*") AND !matches(cmd_lower, ".*/help.*"))
  ) AND !matches(parent_lower, ".*(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe).*")
  , 1, 0) as boot_config_mod
// Detection branch 4: EFI/Boot file write
| if (event_id = "11" AND
    (matches(target_lower, ".*(\\\\efi\\\\|\\\\boot\\\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\\\bootmgr|ntldr).*")) AND
    !matches(proc_lower, ".*(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe).*")
  , 1, 0) as boot_file_write
// Compute suspicion score
| num(firmware_tool_exec) + num(raw_disk_access) + num(boot_config_mod) + num(boot_file_write) as suspicion_score
| where suspicion_score > 0
// Build detection type list
| if(firmware_tool_exec=1, "FirmwareToolExecution", "") as d1
| if(raw_disk_access=1, "RawDiskAccess", "") as d2
| if(boot_config_mod=1, "BootConfigModification", "") as d3
| if(boot_file_write=1, "BootFileWrite", "") as d4
| concat(d1, if(d1!="" AND (d2!="" OR d3!="" OR d4!=""), ",", ""), d2, if(d2!="" AND (d3!="" OR d4!=""), ",", ""), d3, if(d3!="" AND d4!="", ",", ""), d4) as detection_types
| fields hostname, event_user, proc_lower, cmd_lower, parent_lower, target_lower, detection_types, suspicion_score
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sysmon via Windows Event Forwarding Windows Security Event Log Sumo Logic Installed Collector with Windows source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Vendor firmware update tools executed via enterprise management software (SCCM, Intune, Tanium) — these will appear with parent processes such as CcmExec.exe or msiexec.exe originating from managed software distribution paths
bcdedit.exe invocations during Windows Autopilot or MDT deployment sequences where the parent is setuphost.exe or a deployment framework agent
Dual-boot Linux systems running update-grub or grub-install during kernel updates, which generates EFI directory file writes under legitimate package manager parent processes

Google Chronicle / SecOps

yaral

rule pre_os_boot_persistence_t1542 {
  meta:
    author = "df00tech"
    description = "Detects Pre-OS Boot persistence attempts (MITRE T1542) including firmware tool execution, raw disk handle access, boot configuration modification, and EFI/bootloader file writes"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1542"
    mitre_attack_subtechniques = "T1542.001, T1542.002, T1542.003"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-20"
    platforms = "Windows"

  events:
    // Branch 1: Known firmware manipulation tool execution
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.target.process.file.full_path, `(?i)(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)`)
        or re.regex($e1.target.process.command_line, `(?i)(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64)`)
      )
    )
    or
    // Branch 2: Raw disk handle access (MBR/VBR access)
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.command_line, `(?i)(physicaldrive|\\.\\harddisk|\\device\\harddisk)`)
      and not re.regex($e1.target.process.file.full_path, `(?i)(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe`)
      and not re.regex($e1.principal.process.file.full_path, `(?i)(services|wininit|smss)\.exe`)
    )
    or
    // Branch 3: Boot configuration modification
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        (
          re.regex($e1.target.process.file.full_path, `(?i)bcdedit\.exe`)
          and re.regex($e1.target.process.command_line, `(?i)(/set|/create|/delete|/import|/store|/deletevalue)`)
          and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe`)
        )
        or (
          re.regex($e1.target.process.file.full_path, `(?i)bootrec\.exe`)
          and re.regex($e1.target.process.command_line, `(?i)(/fixmbr|/fixboot|/rebuildbcd|/scanos)`)
        )
        or (
          re.regex($e1.target.process.file.full_path, `(?i)bcdboot\.exe`)
          and not re.regex($e1.target.process.command_line, `(?i)/help`)
          and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe`)
        )
      )
    )
    or
    // Branch 4: EFI or bootloader file creation/modification
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path, `(?i)(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr$|ntldr$)`)
      )
      and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|fwupd|fwupdmgr|bootupd|wininit|svchost)\.exe`)
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint via Chronicle Forwarder Sysmon forwarded to Chronicle

Required Tables

PROCESS_LAUNCH UDM events FILE_CREATION UDM events

False Positives

Legitimate UEFI firmware updates deployed through OEM tools (Dell BIOSConnect, HP BIOS Flash, Lenovo Thin Installer) where the initiating process is a vendor-signed updater or Windows Update agent
Windows Servicing operations during major OS updates (feature upgrades, cumulative updates with bootloader revisions) initiated by TrustedInstaller.exe or WaasMedicAgent.exe
Enterprise imaging workflows using Microsoft Deployment Toolkit (MDT) or WDS where bcdedit and bcdboot are invoked by deployment framework parent processes during OS provisioning

CrowdStrike LogScale (CQL)

cql

// Pre-OS Boot Persistence Detection (T1542)
// Branch 1: Firmware tool execution
#event_simpleName=ProcessRollup2
| FileName = /(?i)(rweverything|rwe\.exe|rw\.exe|chipsec_main|chipsec\.exe|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve-w-pexe64|h2offt-w|h2ouve\.exe|amibcp|amidewin64|amidewin\.exe|fwupdatelocalapp|firmwareupdate)/
  OR CommandLine = /(?i)(rweverything|chipsec|flashrom|afuwin|biosflash|winflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64|memanuf)/
| DetectionType := "FirmwareToolExecution"

// Branch 2: Raw disk handle access
| case {
    #event_simpleName=ProcessRollup2
    AND CommandLine = /(?i)(physicaldrive|\\.\\.\\harddisk|\\device\\harddisk)/
    AND NOT FileName = /(?i)(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe/
    AND NOT ParentBaseFileName = /(?i)(services|wininit|smss)\.exe/
    | DetectionType := "RawDiskAccess" ;
    * | DetectionType := DetectionType
  }

// Use a union approach — run both patterns
(
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)/
    OR CommandLine = /(?i)(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64)/
  | DetectionType := "FirmwareToolExecution"
)

OR (
  #event_simpleName=ProcessRollup2
  | CommandLine = /(?i)(physicaldrive|\.\\harddisk|\\device\\harddisk)/
  | NOT FileName = /(?i)(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe/
  | NOT ParentBaseFileName = /(?i)(services|wininit|smss)\.exe/
  | DetectionType := "RawDiskAccess"
)

OR (
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)bcdedit\.exe/
  | CommandLine = /(?i)(\/set|\/create|\/delete|\/import|\/store|\/deletevalue)/
  | NOT ParentBaseFileName = /(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe/
  | DetectionType := "BootConfigModification_bcdedit"
)

OR (
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)bootrec\.exe/
  | CommandLine = /(?i)(\/fixmbr|\/fixboot|\/rebuildbcd|\/scanos)/
  | DetectionType := "BootConfigModification_bootrec"
)

OR (
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)bcdboot\.exe/
  | NOT CommandLine = /(?i)\/help/
  | NOT ParentBaseFileName = /(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe/
  | DetectionType := "BootConfigModification_bcdboot"
)

OR (
  #event_simpleName=FileActionDone
  | FilePath = /(?i)(\\efi\\|\\boot\\bcd)/
    OR FileName = /(?i)(bootmgfw\.efi|bootx64\.efi|grubx64\.efi|shimx64\.efi|winload\.efi|bootmgr$|ntldr$)/
  | NOT ImageFileName = /(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|fwupd|bootupd|wininit|svchost)\.exe/
  | DetectionType := "BootFileWrite"
)

| groupBy([ComputerName, FileName, CommandLine, ParentBaseFileName, DetectionType], function=[
    count(aid, as=EventCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen),
    collect(UserName, as=Users)
  ])
| sort(LastSeen, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon sensor ProcessRollup2 events Falcon sensor FileActionDone events

Required Tables

ProcessRollup2 FileActionDone

False Positives

OEM firmware update utilities executed by the Falcon-monitored endpoint during a sanctioned patching window — correlate ComputerName against change management records and verify the initiating process is a vendor-signed binary from a trusted install path
Microsoft Windows OS upgrade operations (in-place upgrade, feature update) that write to EFI/Boot paths — ParentBaseFileName will be TrustedInstaller.exe or setuphost.exe and the process chain will include Windows Update components
System administrators using bcdedit.exe interactively during troubleshooting of boot failures — cross-reference with IT ticketing system and validate UserName is a privileged admin account in an approved maintenance window

Last updated: 2026-04-20 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1542 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Pre-OS Boot

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Defense Evasion

Popular Detections