Which SIEM platforms have a T1542 detection rule?

df00tech provides T1542 (Pre-OS Boot) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1542 detection?

The T1542 detection is rated critical severity with medium confidence.

What are common false positives for T1542?

Common false positives for T1542 include: OEM firmware update utilities shipped with laptops (Dell Command Update, HP BIOS Update, Lenovo System Update) that run scheduled BIOS/UEFI updates — typically launched by svchost.exe or a vendor service parent; Dual-boot system configuration tools that modify BCD entries (EasyBCD, rEFInd installer, Ubuntu grub-install during OS installation); Enterprise endpoint management during OS deployment — DISM, setup.exe, and MDT/SCCM task sequences legitimately write to EFI and Boot paths.

T1542

Pre-OS Boot

Q: What data sources are required to detect Pre-OS Boot (T1542)?

Detecting Pre-OS Boot requires the following data sources: Process: Process Creation, File: File Creation, File: File Modification, Command: Command Execution, Microsoft Defender for Endpoint.

Defense Evasion Persistence Last updated: April 20, 2026

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than the disk itself.

What is T1542 Pre-OS Boot?

Pre-OS Boot (T1542) maps to the Defense Evasion and Persistence tactics — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Pre-OS Boot, covering the data sources and telemetry it touches: Process: Process Creation, File: File Creation, File: File Modification, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion Persistence
Technique: T1542 Pre-OS Boot
Canonical reference: https://attack.mitre.org/techniques/T1542/

Microsoft Sentinel / Defender

kusto

let FirmwareToolNames = dynamic([
    "RWEverything.exe", "RWE.exe", "Rw.exe",
    "chipsec_main.exe", "chipsec.exe",
    "flashrom.exe",
    "afuwin64.exe", "afuwin32.exe", "afudos.exe",
    "WinFlash.exe", "biosflash.exe",
    "FPT.exe", "FPTW64.exe", "FPTW.exe",
    "H2OUVE-W-PEXE64.exe", "H2OFFT-W.exe", "H2OUVE.exe",
    "AMIBCP.exe", "AMIDEWin64.exe", "AMIDEWin.exe",
    "FWUpdateLocalApp.exe", "FirmwareUpdate.exe"
]);
let FirmwareKeywords = dynamic([
    "chipsec", "flashrom", "rweverything",
    "afuwin", "afudos", "biosflash", "winflash",
    "H2OUVE", "AMIBCP", "uefi-firmware",
    "fptw64", "MEManuf", "biosupdate", "uefiflash"
]);
let BootloaderFiles = dynamic([
    "bootmgfw.efi", "bootx64.efi", "grubx64.efi", "shimx64.efi",
    "bootmgr", "BOOTMGR", "winload.efi", "winload.exe", "ntldr", "NTLDR"
]);
let LegitBootParents = dynamic([
    "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
    "msiexec.exe", "wuauclt.exe", "sysprep.exe", "cleanmgr.exe",
    "fwupd", "fwupdmgr", "bootupd"
]);
// Sub-query 1: Known firmware manipulation tool execution
let FirmwareToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareToolNames)
    or ProcessCommandLine has_any (FirmwareKeywords)
| extend DetectionType = "FirmwareToolExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 2: Raw disk handle access (potential MBR/VBR read or write)
let RawDiskAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "\\\\.\\PhysicalDrive"
    or ProcessCommandLine has "\\\\.\\PHYSICALDRIVE"
    or ProcessCommandLine has "\\\\.\\Harddisk"
    or ProcessCommandLine has "\\Device\\Harddisk"
| where FileName !in~ ("defrag.exe", "chkdsk.exe", "diskpart.exe", "diskshadow.exe",
                        "vssadmin.exe", "wbadmin.exe", "ntbackup.exe",
                        "StorageD.exe", "StorageUsage.exe")
| where InitiatingProcessFileName !in~ ("services.exe", "wininit.exe", "smss.exe")
| extend DetectionType = "RawDiskAccess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 3: Boot configuration modification via bcdedit/bootrec/bcdboot
let BootConfigMod = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("/set", "/create", "/delete", "/import", "/store", "/deletevalue"))
    or (FileName =~ "bootrec.exe" and ProcessCommandLine has_any ("/fixmbr", "/fixboot", "/rebuildbcd", "/scanos"))
    or (FileName =~ "bcdboot.exe" and ProcessCommandLine !has "/help")
| where InitiatingProcessFileName !in~ (LegitBootParents)
    and InitiatingProcessFileName !in~ ("svchost.exe", "wininit.exe")
| extend DetectionType = "BootConfigModification"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 4: Write or modification of critical boot/EFI files
let BootFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has "\\EFI\\"
    or FolderPath has "\\Boot\\"
    or FileName in~ (BootloaderFiles)
    or (FolderPath has "\\System32\\boot\\" and FileName endswith ".efi")
| where InitiatingProcessFileName !in~ (LegitBootParents)
    and InitiatingProcessFileName !in~ ("wininit.exe", "svchost.exe", "System")
| extend DetectionType = "BootFileWrite"
| extend AccountName = InitiatingProcessAccountName
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Union all sub-detections
union FirmwareToolExec, RawDiskAccess, BootConfigMod, BootFileWrite
| sort by Timestamp desc

Detects Pre-OS Boot persistence and defense evasion activity using Microsoft Defender for Endpoint tables. Combines four detection sub-queries: (1) execution of known firmware manipulation tools (CHIPSEC, RWEverything, flashrom, AMI BIOS tools, Intel FPT); (2) raw disk handle access to PhysicalDrive or Harddisk device paths by non-system processes, which could indicate MBR/VBR manipulation; (3) boot configuration modification via bcdedit, bootrec, or bcdboot by unexpected parent processes; and (4) file creation or modification in EFI partition or Boot directory paths including core bootloader binaries. All sub-queries filter known-legitimate update mechanisms such as Windows Update, DISM, and OEM firmware update services.

critical severity medium confidence

Data Sources

Process: Process Creation File: File Creation File: File Modification Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

OEM firmware update utilities shipped with laptops (Dell Command Update, HP BIOS Update, Lenovo System Update) that run scheduled BIOS/UEFI updates — typically launched by svchost.exe or a vendor service parent
Dual-boot system configuration tools that modify BCD entries (EasyBCD, rEFInd installer, Ubuntu grub-install during OS installation)
Enterprise endpoint management during OS deployment — DISM, setup.exe, and MDT/SCCM task sequences legitimately write to EFI and Boot paths
Security researchers and IT administrators running CHIPSEC or RWEverything for hardware auditing or vulnerability assessment with explicit authorization
Backup software (Acronis True Image, Macrium Reflect) that access raw disk handles for sector-level backup of the MBR and system partition

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| where EventCode IN (1, 11)
| eval proc_lower=lower(coalesce(Image, ""))
| eval cmd_lower=lower(coalesce(CommandLine, ""))
| eval parent_lower=lower(coalesce(ParentImage, ""))
| eval target_lower=lower(coalesce(TargetFilename, ""))
| eval FirmwareTool=if(EventCode=1 AND (
    match(proc_lower, "(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)") OR
    match(cmd_lower, "(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi.firmware|biosupdate|uefiflash)")
), 1, 0)
| eval RawDiskAccess=if(EventCode=1 AND
    (match(cmd_lower, "physicaldrive") OR match(cmd_lower, "\\.\\harddisk") OR match(cmd_lower, "\\device\\harddisk")) AND
    NOT match(proc_lower, "(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)") AND
    NOT match(parent_lower, "(services\.exe|wininit\.exe|smss\.exe)"), 1, 0)
| eval BootConfigMod=if(EventCode=1 AND (
    (match(proc_lower, "bcdedit\.exe") AND match(cmd_lower, "(/set|/create|/delete|/import|/store|/deletevalue)")) OR
    (match(proc_lower, "bootrec\.exe") AND match(cmd_lower, "(/fixmbr|/fixboot|/rebuildbcd|/scanos)")) OR
    (match(proc_lower, "bcdboot\.exe") AND NOT match(cmd_lower, "/help"))
) AND NOT match(parent_lower, "(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)"), 1, 0)
| eval BootFileWrite=if(EventCode=11 AND
    (match(target_lower, "(\\\\efi\\\\|\\\\boot\\\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\\\bootmgr$|ntldr)")) AND
    NOT match(proc_lower, "(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe)"), 1, 0)
| eval SuspicionScore=FirmwareTool + RawDiskAccess + BootConfigMod + BootFileWrite
| where SuspicionScore > 0
| eval DetectionTypes=mvappend(
    if(FirmwareTool=1, "FirmwareToolExecution", null()),
    if(RawDiskAccess=1, "RawDiskAccess", null()),
    if(BootConfigMod=1, "BootConfigModification", null()),
    if(BootFileWrite=1, "BootFileWrite", null())
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, DetectionTypes, SuspicionScore
| sort - _time

Detects Pre-OS Boot persistence activity using Sysmon Event ID 1 (Process Creation) and Event ID 11 (File Creation). Evaluates four detection categories with a cumulative suspicion score: FirmwareToolExecution (known BIOS/UEFI manipulation tools), RawDiskAccess (processes accessing PhysicalDrive device paths), BootConfigModification (bcdedit/bootrec/bcdboot run by unexpected parents), and BootFileWrite (creation or modification of EFI partition or bootloader binaries). Excludes known-legitimate update paths including OEM firmware services, Windows Update components, and OS deployment tools. The SuspicionScore field enables alert prioritization — a score of 2 or higher warrants immediate investigation.

critical severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

OEM firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) running scheduled BIOS updates — suppress by allowlisting known vendor EXE paths with system service parents
Dual-boot configuration tools modifying BCD entries during initial OS setup or bootloader repair on developer workstations
Enterprise OS deployment via SCCM, MDT, or WDS that writes bootloader files to EFI and Boot partitions — typically occurs only during provisioning windows
Disk imaging and backup software (Acronis, Macrium, Veeam Agent) accessing raw disk handles for sector-level backups — allowlist by backup service account and process hash
Security auditing tools run by authorized red team or vulnerability assessment teams — coordinate with security team to whitelist scheduled scan windows

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    /* Firmware tool execution */
    (
      event.category == "process" and event.type == "start" and
      (
        process.name in~ (
          "RWEverything.exe", "RWE.exe", "Rw.exe",
          "chipsec_main.exe", "chipsec.exe",
          "flashrom.exe",
          "afuwin64.exe", "afuwin32.exe", "afudos.exe",
          "WinFlash.exe", "biosflash.exe",
          "FPT.exe", "FPTW64.exe", "FPTW.exe",
          "H2OUVE-W-PEXE64.exe", "H2OFFT-W.exe", "H2OUVE.exe",
          "AMIBCP.exe", "AMIDEWin64.exe", "AMIDEWin.exe",
          "FWUpdateLocalApp.exe", "FirmwareUpdate.exe"
        ) or
        process.args : ("*chipsec*", "*flashrom*", "*rweverything*", "*afuwin*", "*biosupdate*", "*uefiflash*", "*H2OUVE*", "*AMIBCP*")
      )
    ) or
    /* Raw disk handle access */
    (
      event.category == "process" and event.type == "start" and
      process.args : ("*\\\\.\\PhysicalDrive*", "*\\\\.\\PHYSICALDRIVE*", "*\\\\.\\Harddisk*", "*\\Device\\Harddisk*") and
      not process.name in~ ("defrag.exe", "chkdsk.exe", "diskpart.exe", "diskshadow.exe", "vssadmin.exe", "wbadmin.exe", "ntbackup.exe") and
      not process.parent.name in~ ("services.exe", "wininit.exe", "smss.exe")
    ) or
    /* Boot configuration modification */
    (
      event.category == "process" and event.type == "start" and
      (
        (
          process.name =~ "bcdedit.exe" and
          process.args : ("/set", "/create", "/delete", "/import", "/store", "/deletevalue")
        ) or
        (
          process.name =~ "bootrec.exe" and
          process.args : ("/fixmbr", "/fixboot", "/rebuildbcd", "/scanos")
        ) or
        (
          process.name =~ "bcdboot.exe" and
          not process.args : "/help"
        )
      ) and
      not process.parent.name in~ (
        "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
        "msiexec.exe", "wuauclt.exe", "sysprep.exe", "svchost.exe", "wininit.exe"
      )
    ) or
    /* EFI/Boot file write */
    (
      event.category == "file" and
      event.type in ("creation", "change") and
      (
        file.path : ("*\\EFI\\*", "*\\Boot\\*") or
        file.name in~ (
          "bootmgfw.efi", "bootx64.efi", "grubx64.efi", "shimx64.efi",
          "bootmgr", "BOOTMGR", "winload.efi", "winload.exe", "ntldr", "NTLDR"
        )
      ) and
      not process.name in~ (
        "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
        "msiexec.exe", "wuauclt.exe", "sysprep.exe", "fwupd", "fwupdmgr",
        "bootupd", "wininit.exe", "svchost.exe"
      )
    )
  )
] with runs=1

Detects Pre-OS Boot persistence attempts (MITRE T1542) including firmware tool execution, raw disk handle access for MBR/VBR manipulation, boot configuration modification via bcdedit/bootrec/bcdboot, and unauthorized writes to EFI or bootloader files. Covers firmware implants, bootkits, and UEFI persistence. Uses Elastic EQL with ECS fields against Endpoint logs.

critical severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate BIOS/firmware updates from vendor-supplied tools such as Dell Command Update, HP Support Assistant, or Lenovo System Update — these typically run from %ProgramFiles% or vendor-specific paths and are initiated by the vendor update service
Windows Update or DISM operations modifying bootloader files during OS upgrades or in-place repairs — process parent will be TrustedInstaller.exe or WUAgent
Linux dual-boot systems running GRUB updates via package manager (grub-install, update-grub) which may trigger EFI directory file events
Security researchers or red team operators running authorized firmware assessment tools such as CHIPSEC in a controlled environment
bcdedit.exe invocations by enterprise imaging solutions (Symantec Ghost, Acronis, MDT) during OS deployment to configure boot entries

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  "sourceip",
  "devicehostname" AS hostname,
  "Command" AS process_command,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "File Path" AS file_path,
  CASE
    WHEN LOWER("Process Name") SIMILAR TO '%(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)%' THEN 'FirmwareToolExecution'
    WHEN (LOWER("Command") SIMILAR TO '%(physicaldrive|\.\\harddisk|\\device\\harddisk)%'
          AND LOWER("Process Name") NOT SIMILAR TO '%(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)%'
          AND LOWER("Parent Process Name") NOT SIMILAR TO '%(services\.exe|wininit\.exe|smss\.exe)%') THEN 'RawDiskAccess'
    WHEN (LOWER("Process Name") SIMILAR TO '%bcdedit\.exe%'
          AND LOWER("Command") SIMILAR TO '%(/set|/create|/delete|/import|/store|/deletevalue)%'
          AND LOWER("Parent Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)%') THEN 'BootConfigModification'
    WHEN (LOWER("Process Name") SIMILAR TO '%bootrec\.exe%'
          AND LOWER("Command") SIMILAR TO '%(/fixmbr|/fixboot|/rebuildbcd|/scanos)%') THEN 'BootConfigModification'
    WHEN (LOWER("Process Name") SIMILAR TO '%bcdboot\.exe%'
          AND LOWER("Command") NOT SIMILAR TO '%/help%'
          AND LOWER("Parent Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)%') THEN 'BootConfigModification'
    WHEN ("File Path" IS NOT NULL
          AND LOWER("File Path") SIMILAR TO '%(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr|ntldr)%'
          AND LOWER("Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe)%') THEN 'BootFileWrite'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 1 DAYS
  AND (
    /* Firmware tool execution */
    LOWER("Process Name") SIMILAR TO '%(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)%'
    OR LOWER("Command") SIMILAR TO '%(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi.firmware|biosupdate|uefiflash)%'
    /* Raw disk access */
    OR (
      LOWER("Command") SIMILAR TO '%(physicaldrive|\.\\harddisk|\\device\\harddisk)%'
      AND LOWER("Process Name") NOT SIMILAR TO '%(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)%'
      AND LOWER("Parent Process Name") NOT SIMILAR TO '%(services\.exe|wininit\.exe|smss\.exe)%'
    )
    /* Boot config modification */
    OR (
      LOWER("Process Name") SIMILAR TO '%(bcdedit\.exe|bootrec\.exe|bcdboot\.exe)%'
      AND LOWER("Command") SIMILAR TO '%(/set|/create|/delete|/import|/store|/deletevalue|/fixmbr|/fixboot|/rebuildbcd|/scanos)%'
      AND LOWER("Parent Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)%'
    )
    /* Boot file writes via Sysmon event 11 */
    OR (
      "File Path" IS NOT NULL
      AND LOWER("File Path") SIMILAR TO '%(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr|ntldr)%'
      AND LOWER("Process Name") NOT SIMILAR TO '%(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe)%'
    )
  )
ORDER BY starttime DESC

AQL query detecting Pre-OS Boot (T1542) persistence mechanisms across QRadar event sources including firmware tool execution, raw disk handle access indicating MBR/VBR tampering, boot configuration changes via bcdedit/bootrec/bcdboot, and unauthorized EFI/bootloader file writes. Aggregates detections from Windows Security Event Log and Sysmon log sources.

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows Event Forwarding QRadar DSM for Windows

Required Tables

events

False Positives

Authorized firmware update utilities deployed by IT teams through SCCM or Intune — these will show parent processes like svchost.exe or msiexec.exe and originate from trusted software distribution paths
Windows OS in-place upgrade or repair operations that legitimately rewrite bootloader components — event context will show TrustedInstaller or setuphost.exe as initiating process
Penetration test or red team exercises using CHIPSEC or RWEverything under authorized change control — correlate with approved change window tickets

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<User>*</User>" as event_user nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
// Normalize to lowercase for matching
| toLowerCase(process_image) as proc_lower
| toLowerCase(command_line) as cmd_lower
| toLowerCase(parent_image) as parent_lower
| toLowerCase(target_filename) as target_lower
// Detection branch 1: Firmware tool execution
| if (event_id = "1" AND (
    matches(proc_lower, ".*(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate).*") OR
    matches(cmd_lower, ".*(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64).*")
  ), 1, 0) as firmware_tool_exec
// Detection branch 2: Raw disk handle access
| if (event_id = "1" AND
    (matches(cmd_lower, ".*(\\\\.\\\\physicaldrive|\\\\.\\\\harddisk|\\\\device\\\\harddisk).*")) AND
    !matches(proc_lower, ".*(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup).*") AND
    !matches(parent_lower, ".*(services\.exe|wininit\.exe|smss\.exe).*")
  , 1, 0) as raw_disk_access
// Detection branch 3: Boot config modification
| if (event_id = "1" AND (
    (matches(proc_lower, ".*bcdedit\.exe.*") AND matches(cmd_lower, ".*/set|/create|/delete|/import|/store|/deletevalue.*")) OR
    (matches(proc_lower, ".*bootrec\.exe.*") AND matches(cmd_lower, ".*/fixmbr|/fixboot|/rebuildbcd|/scanos.*")) OR
    (matches(proc_lower, ".*bcdboot\.exe.*") AND !matches(cmd_lower, ".*/help.*"))
  ) AND !matches(parent_lower, ".*(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe).*")
  , 1, 0) as boot_config_mod
// Detection branch 4: EFI/Boot file write
| if (event_id = "11" AND
    (matches(target_lower, ".*(\\\\efi\\\\|\\\\boot\\\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\\\bootmgr|ntldr).*")) AND
    !matches(proc_lower, ".*(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe).*")
  , 1, 0) as boot_file_write
// Compute suspicion score
| num(firmware_tool_exec) + num(raw_disk_access) + num(boot_config_mod) + num(boot_file_write) as suspicion_score
| where suspicion_score > 0
// Build detection type list
| if(firmware_tool_exec=1, "FirmwareToolExecution", "") as d1
| if(raw_disk_access=1, "RawDiskAccess", "") as d2
| if(boot_config_mod=1, "BootConfigModification", "") as d3
| if(boot_file_write=1, "BootFileWrite", "") as d4
| concat(d1, if(d1!="" AND (d2!="" OR d3!="" OR d4!=""), ",", ""), d2, if(d2!="" AND (d3!="" OR d4!=""), ",", ""), d3, if(d3!="" AND d4!="", ",", ""), d4) as detection_types
| fields hostname, event_user, proc_lower, cmd_lower, parent_lower, target_lower, detection_types, suspicion_score
| sort by _messageTime desc

Sumo Logic CSE query detecting Pre-OS Boot persistence (MITRE T1542) via Sysmon event parsing. Identifies firmware manipulation tools, raw disk handle access for MBR/VBR modification, boot configuration changes, and unauthorized writes to EFI/bootloader files. Computes a composite suspicion score and classifies detections by type.

critical severity high confidence

Data Sources

Sysmon via Windows Event Forwarding Windows Security Event Log Sumo Logic Installed Collector with Windows source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Vendor firmware update tools executed via enterprise management software (SCCM, Intune, Tanium) — these will appear with parent processes such as CcmExec.exe or msiexec.exe originating from managed software distribution paths
bcdedit.exe invocations during Windows Autopilot or MDT deployment sequences where the parent is setuphost.exe or a deployment framework agent
Dual-boot Linux systems running update-grub or grub-install during kernel updates, which generates EFI directory file writes under legitimate package manager parent processes

Google Chronicle / SecOps

yaral

rule pre_os_boot_persistence_t1542 {
  meta:
    author = "df00tech"
    description = "Detects Pre-OS Boot persistence attempts (MITRE T1542) including firmware tool execution, raw disk handle access, boot configuration modification, and EFI/bootloader file writes"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1542"
    mitre_attack_subtechniques = "T1542.001, T1542.002, T1542.003"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-20"
    platforms = "Windows"

  events:
    // Branch 1: Known firmware manipulation tool execution
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.target.process.file.full_path, `(?i)(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)`)
        or re.regex($e1.target.process.command_line, `(?i)(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64)`)
      )
    )
    or
    // Branch 2: Raw disk handle access (MBR/VBR access)
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.command_line, `(?i)(physicaldrive|\\.\\harddisk|\\device\\harddisk)`)
      and not re.regex($e1.target.process.file.full_path, `(?i)(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe`)
      and not re.regex($e1.principal.process.file.full_path, `(?i)(services|wininit|smss)\.exe`)
    )
    or
    // Branch 3: Boot configuration modification
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        (
          re.regex($e1.target.process.file.full_path, `(?i)bcdedit\.exe`)
          and re.regex($e1.target.process.command_line, `(?i)(/set|/create|/delete|/import|/store|/deletevalue)`)
          and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe`)
        )
        or (
          re.regex($e1.target.process.file.full_path, `(?i)bootrec\.exe`)
          and re.regex($e1.target.process.command_line, `(?i)(/fixmbr|/fixboot|/rebuildbcd|/scanos)`)
        )
        or (
          re.regex($e1.target.process.file.full_path, `(?i)bcdboot\.exe`)
          and not re.regex($e1.target.process.command_line, `(?i)/help`)
          and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe`)
        )
      )
    )
    or
    // Branch 4: EFI or bootloader file creation/modification
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path, `(?i)(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr$|ntldr$)`)
      )
      and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|fwupd|fwupdmgr|bootupd|wininit|svchost)\.exe`)
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting Pre-OS Boot persistence (MITRE T1542) through four behavioral branches: firmware manipulation tool execution (CHIPSEC, RWEverything, flashrom, AMIBCP), raw disk handle access indicating MBR/VBR manipulation, boot configuration modification via bcdedit/bootrec/bcdboot without legitimate parent processes, and unauthorized EFI/bootloader file creation. Uses UDM fields for process and file event correlation.

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint via Chronicle Forwarder Sysmon forwarded to Chronicle

Required Tables

PROCESS_LAUNCH UDM events FILE_CREATION UDM events

False Positives

Legitimate UEFI firmware updates deployed through OEM tools (Dell BIOSConnect, HP BIOS Flash, Lenovo Thin Installer) where the initiating process is a vendor-signed updater or Windows Update agent
Windows Servicing operations during major OS updates (feature upgrades, cumulative updates with bootloader revisions) initiated by TrustedInstaller.exe or WaasMedicAgent.exe
Enterprise imaging workflows using Microsoft Deployment Toolkit (MDT) or WDS where bcdedit and bcdboot are invoked by deployment framework parent processes during OS provisioning

CrowdStrike LogScale (CQL)

cql

// Pre-OS Boot Persistence Detection (T1542)
// Branch 1: Firmware tool execution
#event_simpleName=ProcessRollup2
| FileName = /(?i)(rweverything|rwe\.exe|rw\.exe|chipsec_main|chipsec\.exe|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve-w-pexe64|h2offt-w|h2ouve\.exe|amibcp|amidewin64|amidewin\.exe|fwupdatelocalapp|firmwareupdate)/
  OR CommandLine = /(?i)(rweverything|chipsec|flashrom|afuwin|biosflash|winflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64|memanuf)/
| DetectionType := "FirmwareToolExecution"

// Branch 2: Raw disk handle access
| case {
    #event_simpleName=ProcessRollup2
    AND CommandLine = /(?i)(physicaldrive|\\.\\.\\harddisk|\\device\\harddisk)/
    AND NOT FileName = /(?i)(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe/
    AND NOT ParentBaseFileName = /(?i)(services|wininit|smss)\.exe/
    | DetectionType := "RawDiskAccess" ;
    * | DetectionType := DetectionType
  }

// Use a union approach — run both patterns
(
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)/
    OR CommandLine = /(?i)(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64)/
  | DetectionType := "FirmwareToolExecution"
)

OR (
  #event_simpleName=ProcessRollup2
  | CommandLine = /(?i)(physicaldrive|\.\\harddisk|\\device\\harddisk)/
  | NOT FileName = /(?i)(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe/
  | NOT ParentBaseFileName = /(?i)(services|wininit|smss)\.exe/
  | DetectionType := "RawDiskAccess"
)

OR (
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)bcdedit\.exe/
  | CommandLine = /(?i)(\/set|\/create|\/delete|\/import|\/store|\/deletevalue)/
  | NOT ParentBaseFileName = /(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe/
  | DetectionType := "BootConfigModification_bcdedit"
)

OR (
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)bootrec\.exe/
  | CommandLine = /(?i)(\/fixmbr|\/fixboot|\/rebuildbcd|\/scanos)/
  | DetectionType := "BootConfigModification_bootrec"
)

OR (
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)bcdboot\.exe/
  | NOT CommandLine = /(?i)\/help/
  | NOT ParentBaseFileName = /(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe/
  | DetectionType := "BootConfigModification_bcdboot"
)

OR (
  #event_simpleName=FileActionDone
  | FilePath = /(?i)(\\efi\\|\\boot\\bcd)/
    OR FileName = /(?i)(bootmgfw\.efi|bootx64\.efi|grubx64\.efi|shimx64\.efi|winload\.efi|bootmgr$|ntldr$)/
  | NOT ImageFileName = /(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|fwupd|bootupd|wininit|svchost)\.exe/
  | DetectionType := "BootFileWrite"
)

| groupBy([ComputerName, FileName, CommandLine, ParentBaseFileName, DetectionType], function=[
    count(aid, as=EventCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen),
    collect(UserName, as=Users)
  ])
| sort(LastSeen, order=desc)

CrowdStrike LogScale (Falcon) CQL query detecting Pre-OS Boot persistence (MITRE T1542) using Falcon sensor events. Covers firmware manipulation tool execution via ProcessRollup2 events, raw disk handle access suggesting MBR/VBR tampering, boot configuration modification via bcdedit/bootrec/bcdboot without legitimate parents, and EFI/bootloader file writes via FileActionDone events. Results are grouped by host, process, and detection type with first/last seen timestamps.

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon sensor ProcessRollup2 events Falcon sensor FileActionDone events

Required Tables

ProcessRollup2 FileActionDone

False Positives

OEM firmware update utilities executed by the Falcon-monitored endpoint during a sanctioned patching window — correlate ComputerName against change management records and verify the initiating process is a vendor-signed binary from a trusted install path
Microsoft Windows OS upgrade operations (in-place upgrade, feature update) that write to EFI/Boot paths — ParentBaseFileName will be TrustedInstaller.exe or setuphost.exe and the process chain will include Windows Update components
System administrators using bcdedit.exe interactively during troubleshooting of boot failures — cross-reference with IT ticketing system and validate UserName is a privileged admin account in an approved maintenance window

Sigma rule & cross-platform mapping

The detection logic for Pre-OS Boot (T1542) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1542 Sigma rules on detection.fyi

Platform-specific guides for T1542

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-20 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Boot Configuration Modification via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification alert fires if the parent process is not in the LegitBootParents allowlist.
Test 2MBR Read via Raw Disk Handle (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection.
Test 3MBR Sector Read via dd (Linux)
Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. Auditd rule 'auditctl -a always,exit -F arch=b64 -S open -F path=/dev/sda -k mbr_access' would generate additional OPEN syscall events for /dev/sda.
Test 4bootrec Scan for Windows Installations
Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1542 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Pre-OS Boot

What is T1542 Pre-OS Boot?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1542

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (5)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1542 Pre-OS Boot?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1542

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (5)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox