T1542.001

System Firmware

Adversaries may modify system firmware (BIOS or UEFI/EFI) to achieve persistent access that survives OS reinstallation and disk replacement. Because firmware executes before the operating system loads, malicious implants planted here are extremely difficult to detect and remove. Attackers typically require a vulnerable or attacker-supplied kernel-mode driver to gain ring-0 access to SPI flash memory before overwriting or patching the firmware image. Real-world examples include LoJax (Fancy Bear/APT28), which repurposed the legitimate LoJack anti-theft agent's UEFI module; Trojan.Mebromi, which modified the Award BIOS; and the Hacking Team UEFI Rootkit. Detection must focus on observable pre-conditions and side-effects: execution of firmware analysis and flashing utilities, loading of privileged hardware-access drivers, suspicious UEFI variable modification, and creation of raw firmware image files.

Microsoft Sentinel / Defender

kusto

let FirmwareToolNames = dynamic([
    "chipsec_main.py", "chipsec.exe", "flashrom.exe", "RwDrv.exe",
    "RWEverything.exe", "AFUWIN.exe", "AFUWIN64.exe", "fpt.exe",
    "fptw.exe", "fptw64.exe", "FWUpdate.exe", "biosflash.exe",
    "meinfo.exe", "meinfowin.exe", "AmiBIOSCoreUtil.exe",
    "bios.exe", "efi_extract.exe", "UEFITool.exe", "iflash.exe"
]);
let SuspiciousDriverNames = dynamic([
    "RwDrv.sys", "sednit.sys", "chipsec.sys", "WinIo.sys",
    "WinIo64.sys", "PhyMemX64.sys", "DirectIO64.sys",
    "asmmap64.sys", "gdrv.sys", "bsflash64.sys", "inpoutx64.sys",
    "hwrwdrv.sys", "lenovoemc.sys", "atkwio.sys"
]);
let FirmwareCLIPatterns = dynamic([
    "chipsec", "flashrom", "-spi", "--spi", "SpiFlash",
    "bios.rom", "firmware.rom", "uefi.rom", "bios.bin",
    "uefi.bin", "bios_backup", "flash_bios", "WriteToSMBios",
    "RWEverything", "WinPmem", "/writephysmem", "/readphysmem"
]);
// Branch 1: Execution of known firmware analysis or flashing tools
let FirmwareToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareToolNames)
    or ProcessCommandLine has_any (FirmwareCLIPatterns)
| extend AlertReason = "FirmwareTool_Execution",
         RiskDetail = strcat("Process: ", FileName, " | CMD: ", ProcessCommandLine);
// Branch 2: Loading of privileged hardware-access drivers (pre-requisite for SPI flash write)
let SuspiciousDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousDriverNames)
    or FolderPath has_any ("\\Temp\\", "\\Downloads\\", "\\AppData\\")
       and FileName endswith ".sys"
       and not(InitiatingProcessFileName in~ ("MsMpEng.exe", "svchost.exe", "services.exe"))
| extend AlertReason = "HardwareAccess_Driver_Load",
         RiskDetail = strcat("Driver: ", FileName, " | Path: ", FolderPath, " | Loaded by: ", InitiatingProcessFileName);
// Branch 3: Service installation of unsigned/suspicious kernel driver (Event 7045 equivalent via MDE)
let SuspiciousServiceInstall = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ServiceInstalled"
| where AdditionalFields has ".sys"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName),
         ServiceImagePath = tostring(parse_json(AdditionalFields).ServiceImagePath)
| where ServiceImagePath has_any ("\\Temp\\", "\\Users\\", "\\ProgramData\\")
    or ServiceName has_any ("RwDrv", "chipsec", "WinIo", "DirectIO", "PhyMem", "asmmap")
| extend AlertReason = "SuspiciousKernelDriver_Installed",
         RiskDetail = strcat("Service: ", ServiceName, " | Path: ", ServiceImagePath);
// Branch 4: Creation of raw firmware image files
let FirmwareImageCreated = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".rom" or FileName endswith ".fd" or FileName endswith ".cap"
    or (FileName endswith ".bin" and FolderPath !has "\\Windows\\"
        and FolderPath !has "\\Program Files\\"
        and not(InitiatingProcessFileName in~ ("svchost.exe", "MsMpEng.exe")))
| extend AlertReason = "FirmwareImage_FileCreated",
         RiskDetail = strcat("File: ", FileName, " | Path: ", FolderPath, " | Created by: ", InitiatingProcessFileName);
union FirmwareToolExecution, SuspiciousDriverLoad, SuspiciousServiceInstall, FirmwareImageCreated
| project Timestamp, DeviceName, AccountName, AlertReason, RiskDetail,
         FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation Driver: Driver Load File: File Creation Windows Event Log: System (Service Install) Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceImageLoadEvents DeviceFileEvents DeviceEvents

False Positives

Legitimate BIOS updates applied by OEM vendor software (HP System Software Manager, Dell Command Update, Lenovo System Update) — these write .cap or .fd files and load vendor-signed flash drivers
Security researchers or IT administrators running chipsec or RWEverything for firmware integrity auditing — typically executed from identified IT asset accounts on designated systems
Hardware diagnostics tools bundled with workstation imaging suites that load low-level I/O drivers during provisioning
Firmware update components within enterprise software management agents (SCCM, BigFix) that temporarily install driver packages
Virtualization platforms and hypervisors loading signed hardware-access drivers for device passthrough or UEFI emulation

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:System")
(
  (EventCode=1
    (
      Image IN ("*\\chipsec.exe", "*\\flashrom.exe", "*\\RWEverything.exe", "*\\RwDrv.exe",
                "*\\AFUWIN.exe", "*\\AFUWIN64.exe", "*\\fpt.exe", "*\\fptw.exe", "*\\fptw64.exe",
                "*\\FWUpdate.exe", "*\\biosflash.exe", "*\\meinfo.exe", "*\\iflash.exe",
                "*\\UEFITool.exe", "*\\AmiBIOSCoreUtil.exe")
      OR match(CommandLine, "(?i)(chipsec|flashrom|SpiFlash|bios\.rom|uefi\.rom|bios\.bin|uefi\.bin|bios_backup|flash_bios|RWEverything|\/writephysmem|\/readphysmem)")
    )
  )
  OR
  (EventCode=6
    match(ImageLoaded, "(?i)(RwDrv\.sys|sednit\.sys|chipsec\.sys|WinIo\.sys|WinIo64\.sys|PhyMemX64\.sys|DirectIO64\.sys|asmmap64\.sys|gdrv\.sys|bsflash64\.sys|inpoutx64\.sys|hwrwdrv\.sys|lenovoemc\.sys)")
  )
  OR
  (EventCode=7045
    (
      match(ServiceFileName, "(?i)(\\\\Temp\\\\|\\\\Users\\\\|\\\\ProgramData\\\\|\\\\Downloads\\\\).*\.sys")
      OR match(ServiceName, "(?i)(RwDrv|chipsec|WinIo|DirectIO|PhyMem|asmmap|gdrv|inpout)")
    )
  )
  OR
  (EventCode=11
    match(TargetFilename, "(?i)\.(rom|fd|cap)$")
    NOT match(Image, "(?i)(svchost\.exe|MsMpEng\.exe|trustedinstaller\.exe|wuauclt\.exe)")
  )
)
| eval EventType=case(
    EventCode=1, "FirmwareTool_Execution",
    EventCode=6, "HardwareAccess_Driver_Load",
    EventCode=7045, "SuspiciousKernelDriver_Installed",
    EventCode=11, "FirmwareImage_FileCreated",
    true(), "Unknown"
  )
| eval IndicatorDetail=case(
    EventCode=1, "Process: ".Image." | CMD: ".CommandLine,
    EventCode=6, "Driver loaded: ".ImageLoaded." | Signed: ".Signed,
    EventCode=7045, "Service: ".ServiceName." | Path: ".ServiceFileName,
    EventCode=11, "File: ".TargetFilename." | By: ".Image,
    true(), ""
  )
| table _time, host, EventType, IndicatorDetail, User, Hashes, Signed
| sort - _time

critical severity medium confidence

Data Sources

Process: Process Creation (Sysmon Event ID 1) Driver: Driver Load (Sysmon Event ID 6) Windows Event Log: System (Event ID 7045 — Service Installed) File: File Creation (Sysmon Event ID 11)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:System

False Positives

Legitimate OEM BIOS update tools (Dell Command Update, HP BIOS Update, Lenovo Firmware Update) that load vendor-signed flash drivers and create .cap or .fd firmware image files
Security researchers running chipsec or UEFI forensic tooling on dedicated analysis hosts — should be excluded by hostname allowlist rather than process pattern
Enterprise device management platforms (SCCM, BigFix, Intune) that orchestrate BIOS updates and temporarily install vendor flash drivers with recognizable service names
Hardware diagnostics software bundled with workstation imaging that loads low-level I/O drivers during provisioning workflows
Dual-use security tools like RWEverything used by IT staff for hardware troubleshooting — should require explicit authorization

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("chipsec.exe", "flashrom.exe", "RWEverything.exe", "RwDrv.exe",
                         "AFUWIN.exe", "AFUWIN64.exe", "fpt.exe", "fptw.exe", "fptw64.exe",
                         "FWUpdate.exe", "biosflash.exe", "meinfo.exe", "meinfowin.exe",
                         "AmiBIOSCoreUtil.exe", "UEFITool.exe", "iflash.exe")
      or process.command_line : ("*chipsec*", "*flashrom*", "*SpiFlash*", "*bios.rom*",
                                   "*uefi.rom*", "*bios.bin*", "*bios_backup*", "*flash_bios*",
                                   "*RWEverything*", "*/writephysmem*", "*/readphysmem*")
    )
  )
  or
  (
    event.category == "driver" and
    (
      dll.name in~ ("RwDrv.sys", "sednit.sys", "chipsec.sys", "WinIo.sys", "WinIo64.sys",
                    "PhyMemX64.sys", "DirectIO64.sys", "asmmap64.sys", "gdrv.sys",
                    "bsflash64.sys", "inpoutx64.sys", "hwrwdrv.sys", "lenovoemc.sys", "atkwio.sys")
      or (
        dll.path : ("*\\Temp\\*", "*\\Downloads\\*", "*\\AppData\\*") and
        dll.name : "*.sys" and
        not process.name in~ ("MsMpEng.exe", "svchost.exe", "services.exe")
      )
    )
  )
  or
  (
    event.category == "file" and event.type == "creation" and
    (
      file.name : ("*.rom", "*.fd", "*.cap")
      or (
        file.name : "*.bin" and
        not file.path : ("C:\\Windows\\*", "C:\\Program Files\\*") and
        not process.name in~ ("svchost.exe", "MsMpEng.exe", "TrustedInstaller.exe")
      )
    )
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.*) Winlogbeat with Sysmon module Elastic Defend

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.library-* logs-endpoint.events.file-* winlogbeat-*

False Positives

OEM vendor firmware update utilities (Dell Command Update, HP System Firmware Update, Lenovo Vantage) legitimately invoke AFUWIN64.exe or fpt.exe and create .cap or .bin files during scheduled BIOS update cycles
Authorized security researchers or hardware validation engineers using CHIPSEC to enumerate SPI flash write protections on designated test systems as part of platform security assessments
Enterprise hardware provisioning workflows where Intel ME Configuration Tool or AMI flash utilities are executed by IT during imaging to configure initial BIOS settings on new endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  devicestring AS Host,
  username AS User,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Image Loaded" AS ImageLoaded,
  "Target Filename" AS TargetFilename,
  "Service Name" AS ServiceName,
  "Service File Name" AS ServiceFileName,
  magnitude AS RiskScore
FROM events
WHERE LOGSOURCETYPEID IN (
  SELECT id FROM log_source_types
  WHERE name IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
)
AND starttime > NOW() - INTERVAL '1440' MINUTES
AND (
  (
    (QIDNAME(qid) LIKE '%Process Create%' OR QIDNAME(qid) LIKE '%new process has been created%')
    AND (
      "Process Name" ILIKE ANY (
        '%chipsec.exe', '%flashrom.exe', '%RWEverything.exe', '%RwDrv.exe',
        '%AFUWIN.exe', '%AFUWIN64.exe', '%fpt.exe', '%fptw.exe', '%fptw64.exe',
        '%FWUpdate.exe', '%biosflash.exe', '%meinfo.exe', '%meinfowin.exe',
        '%UEFITool.exe', '%iflash.exe', '%AmiBIOSCoreUtil.exe'
      )
      OR "Command Line" ILIKE ANY (
        '%chipsec%', '%flashrom%', '%SpiFlash%', '%bios.rom%', '%uefi.rom%',
        '%bios.bin%', '%bios_backup%', '%flash_bios%', '%RWEverything%',
        '%writephysmem%', '%readphysmem%'
      )
    )
  )
  OR (
    QIDNAME(qid) LIKE '%Driver Loaded%'
    AND "Image Loaded" ILIKE ANY (
      '%RwDrv.sys%', '%sednit.sys%', '%chipsec.sys%', '%WinIo.sys%',
      '%WinIo64.sys%', '%PhyMemX64.sys%', '%DirectIO64.sys%', '%asmmap64.sys%',
      '%gdrv.sys%', '%bsflash64.sys%', '%inpoutx64.sys%', '%hwrwdrv.sys%',
      '%lenovoemc.sys%', '%atkwio.sys%'
    )
  )
  OR (
    QIDNAME(qid) LIKE '%New Service Installed%'
    AND (
      (
        "Service File Name" ILIKE ANY ('%\\Temp\\%', '%\\Users\\%', '%\\ProgramData\\%', '%\\Downloads\\%')
        AND "Service File Name" ILIKE '%.sys%'
      )
      OR "Service Name" ILIKE ANY (
        '%RwDrv%', '%chipsec%', '%WinIo%', '%DirectIO%', '%PhyMem%',
        '%asmmap%', '%gdrv%', '%inpout%'
      )
    )
  )
  OR (
    QIDNAME(qid) LIKE '%File Created%'
    AND "Target Filename" ILIKE ANY ('%.rom', '%.fd', '%.cap')
    AND "Process Name" NOT ILIKE ANY ('%svchost.exe%', '%MsMpEng.exe%', '%TrustedInstaller.exe%')
  )
)
ORDER BY starttime DESC

critical severity high confidence

Data Sources

Windows Security Event Log (DSM) Microsoft Sysmon (DSM) QRadar Universal DSM

Required Tables

events

False Positives

Vendor-supplied BIOS/UEFI update packages from Dell OMSA, HP iLO Amplifier, or Lenovo XClarity legitimately execute AFUWIN64.exe or fpt.exe and may install signed driver services during managed firmware patch deployments
Authorized penetration testers using CHIPSEC (which registers chipsec.sys as a kernel service from a temp path) to validate firmware write-protect configurations on in-scope systems
Disk imaging and system backup software that includes firmware backup functionality, creating .bin files in user profile directories as pre-update recovery snapshots

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where EventCode in ("1", "6", "11", "7045", "4688")
| parse field=Message "Image: *" as Image nodrop
| parse field=Message "CommandLine: *" as CommandLine nodrop
| parse field=Message "ImageLoaded: *" as ImageLoaded nodrop
| parse field=Message "TargetFilename: *" as TargetFilename nodrop
| parse field=Message "ServiceName: *" as ServiceName nodrop
| parse field=Message "ServiceFileName: *" as ServiceFileName nodrop
| parse field=Message "Signed: *" as Signed nodrop
| parse field=Message "Hashes: *" as Hashes nodrop
| where (
    (
      EventCode in ("1", "4688") and (
        Image matches "*chipsec.exe" or Image matches "*flashrom.exe" or
        Image matches "*RWEverything.exe" or Image matches "*RwDrv.exe" or
        Image matches "*AFUWIN.exe" or Image matches "*AFUWIN64.exe" or
        Image matches "*fpt.exe" or Image matches "*fptw.exe" or Image matches "*fptw64.exe" or
        Image matches "*FWUpdate.exe" or Image matches "*biosflash.exe" or
        Image matches "*meinfo.exe" or Image matches "*UEFITool.exe" or
        Image matches "*iflash.exe" or Image matches "*AmiBIOSCoreUtil.exe" or
        CommandLine matches "*chipsec*" or CommandLine matches "*flashrom*" or
        CommandLine matches "*SpiFlash*" or CommandLine matches "*bios.rom*" or
        CommandLine matches "*uefi.rom*" or CommandLine matches "*bios_backup*" or
        CommandLine matches "*flash_bios*" or CommandLine matches "*RWEverything*" or
        CommandLine matches "*writephysmem*" or CommandLine matches "*readphysmem*"
      )
    )
    or
    (
      EventCode = "6" and (
        ImageLoaded matches "*RwDrv.sys*" or ImageLoaded matches "*sednit.sys*" or
        ImageLoaded matches "*chipsec.sys*" or ImageLoaded matches "*WinIo.sys*" or
        ImageLoaded matches "*WinIo64.sys*" or ImageLoaded matches "*PhyMemX64.sys*" or
        ImageLoaded matches "*DirectIO64.sys*" or ImageLoaded matches "*asmmap64.sys*" or
        ImageLoaded matches "*gdrv.sys*" or ImageLoaded matches "*bsflash64.sys*" or
        ImageLoaded matches "*inpoutx64.sys*" or ImageLoaded matches "*hwrwdrv.sys*" or
        ImageLoaded matches "*lenovoemc.sys*" or ImageLoaded matches "*atkwio.sys*"
      )
    )
    or
    (
      EventCode = "7045" and (
        (
          (ServiceFileName matches "*\\Temp\\*" or ServiceFileName matches "*\\Users\\*" or
           ServiceFileName matches "*\\ProgramData\\*" or ServiceFileName matches "*\\Downloads\\*")
          and ServiceFileName matches "*.sys"
        )
        or ServiceName matches "*RwDrv*" or ServiceName matches "*chipsec*" or
        ServiceName matches "*WinIo*" or ServiceName matches "*DirectIO*" or
        ServiceName matches "*PhyMem*" or ServiceName matches "*asmmap*" or
        ServiceName matches "*gdrv*" or ServiceName matches "*inpout*"
      )
    )
    or
    (
      EventCode = "11" and (
        TargetFilename matches "*.rom" or TargetFilename matches "*.fd" or
        TargetFilename matches "*.cap" or
        (
          TargetFilename matches "*.bin" and
          not TargetFilename matches "*\\Windows\\*" and
          not TargetFilename matches "*\\Program Files\\*"
        )
      )
      and not (
        Image matches "*svchost.exe*" or Image matches "*MsMpEng.exe*" or
        Image matches "*TrustedInstaller.exe*"
      )
    )
  )
| eval DetectionType = if(EventCode in ("1","4688"), "FirmwareTool_Execution",
    if(EventCode = "6", "HardwareAccess_Driver_Load",
    if(EventCode = "7045", "SuspiciousKernelDriver_Installed",
    if(EventCode = "11", "FirmwareImage_FileCreated", "Unknown"))))
| eval IndicatorDetail = if(EventCode in ("1","4688"), concat("Process: ", Image, " | CMD: ", CommandLine),
    if(EventCode = "6", concat("Driver: ", ImageLoaded, " | Signed: ", Signed),
    if(EventCode = "7045", concat("Service: ", ServiceName, " | Path: ", ServiceFileName),
    if(EventCode = "11", concat("File: ", TargetFilename, " | By: ", Image), ""))))
| table _messagetime, Computer, User, DetectionType, IndicatorDetail, Hashes
| sort by _messagetime desc

critical severity high confidence

Data Sources

Sumo Logic Windows Event Log Source Sysmon Operational Log (via Sumo Logic Collector) Sumo Logic Cloud SIEM (CSE)

Required Tables

wineventlog sysmon

False Positives

Automated BIOS/UEFI firmware updates deployed via OEM management platforms (Dell OMSA, HP iLO Amplifier Pack, Lenovo XClarity) that invoke flashing utilities and write firmware image files as part of scheduled patching
Red team or vulnerability assessment engagements using CHIPSEC to enumerate SPI flash write-protect register states — generates chipsec.sys driver load and process execution events on authorized targets
Embedded firmware development or QA lab systems where engineers regularly build and flash .rom/.bin images using AMI AFUWIN or Intel Flash Programming Tool as part of their standard development workflow

Google Chronicle / SecOps

yaral

rule t1542_001_system_firmware {
  meta:
    author = "df00tech"
    description = "Detects T1542.001 System Firmware: firmware analysis/flashing tools, privileged hardware-access kernel drivers enabling SPI flash write, and raw firmware image creation indicative of UEFI/BIOS implant staging"
    mitre_attack_technique = "T1542.001"
    mitre_attack_tactic = "Persistence, Defense Evasion"
    severity = "CRITICAL"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        $e.principal.process.file.full_path = /(?i)(chipsec\.exe|flashrom\.exe|RWEverything\.exe|RwDrv\.exe|AFUWIN64?\.exe|fptw?64?\.exe|FWUpdate\.exe|biosflash\.exe|meinfo\.exe|UEFITool\.exe|iflash\.exe|AmiBIOSCoreUtil\.exe)/ nocase
        or $e.principal.process.command_line = /(?i)(chipsec|flashrom|SpiFlash|bios\.rom|uefi\.rom|bios\.bin|bios_backup|flash_bios|RWEverything|writephysmem|readphysmem)/ nocase
      )
    )
    or
    (
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
      $e.target.file.full_path = /(?i)(RwDrv\.sys|sednit\.sys|chipsec\.sys|WinIo64?\.sys|PhyMemX64\.sys|DirectIO64\.sys|asmmap64\.sys|gdrv\.sys|bsflash64\.sys|inpoutx64\.sys|hwrwdrv\.sys|lenovoemc\.sys|atkwio\.sys)/ nocase
    )
    or
    (
      $e.metadata.event_type = "FILE_CREATION" and
      (
        $e.target.file.full_path = /(?i)\.(rom|fd|cap)$/ nocase
        or (
          $e.target.file.full_path = /(?i)\.bin$/ nocase and
          not $e.target.file.full_path = /(?i)(\\Windows\\|\\Program Files\\)/ nocase and
          not $e.principal.process.file.full_path = /(?i)(svchost\.exe|MsMpEng\.exe|TrustedInstaller\.exe)/ nocase
        )
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM (via Chronicle Forwarder) Windows Endpoint (Sysmon events ingested via Chronicle) CrowdStrike or SentinelOne UDM-normalized telemetry

Required Tables

UDM Events (PROCESS_LAUNCH, PROCESS_MODULE_LOAD, FILE_CREATION)

False Positives

OEM firmware update utilities triggered by Windows Update or vendor management agents (Dell SupportAssist, HP Support Solutions) that load signed flashing tools and write .cap or .bin update packages to user-accessible staging directories
Authorized hardware penetration testers running CHIPSEC (triggering chipsec.sys PROCESS_MODULE_LOAD and process launch events) to enumerate SPI flash write-protect register states on in-scope systems
IT provisioning engineers executing Intel FPT (fpt.exe) or AMI AFUWIN during bare-metal imaging workflows to pre-configure BIOS settings before OS deployment

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "DriverLoad", "FileCreate", "ServiceInstall")
| case {
    #event_simpleName = "ProcessRollup2"
    | where
      ImageFileName = /(?i)(chipsec\.exe|flashrom\.exe|RWEverything\.exe|RwDrv\.exe|AFUWIN64?\.exe|fptw?64?\.exe|FWUpdate\.exe|biosflash\.exe|meinfo\.exe|UEFITool\.exe|iflash\.exe|AmiBIOSCoreUtil\.exe)/
      OR CommandLine = /(?i)(chipsec|flashrom|SpiFlash|bios\.rom|uefi\.rom|bios\.bin|bios_backup|flash_bios|RWEverything|writephysmem|readphysmem)/
    | DetectionType := "FirmwareTool_Execution"
    | IndicatorDetail := format("Process: %s | CMD: %s", ImageFileName, CommandLine) ;

    #event_simpleName = "DriverLoad"
    | where
      ImageFileName = /(?i)(RwDrv\.sys|sednit\.sys|chipsec\.sys|WinIo64?\.sys|PhyMemX64\.sys|DirectIO64\.sys|asmmap64\.sys|gdrv\.sys|bsflash64\.sys|inpoutx64\.sys|hwrwdrv\.sys|lenovoemc\.sys|atkwio\.sys)/
    | DetectionType := "HardwareAccess_Driver_Load"
    | IndicatorDetail := format("Driver: %s", ImageFileName) ;

    #event_simpleName = "ServiceInstall"
    | where
      (
        ServiceFileName = /(?i)(\\Temp\\|\\Users\\|\\ProgramData\\|\\Downloads\\)/
        AND ServiceFileName = /\.sys$/i
      )
      OR ServiceName = /(?i)(RwDrv|chipsec|WinIo|DirectIO|PhyMem|asmmap|gdrv|inpout)/
    | DetectionType := "SuspiciousKernelDriver_Installed"
    | IndicatorDetail := format("Service: %s | Path: %s", ServiceName, ServiceFileName) ;

    #event_simpleName = "FileCreate"
    | where
      (
        TargetFileName = /(?i)\.(rom|fd|cap)$/
        OR (
          TargetFileName = /(?i)\.bin$/
          AND NOT TargetFileName = /(?i)(\\Windows\\|\\Program Files\\)/
        )
      )
      AND NOT ImageFileName = /(?i)(svchost\.exe|MsMpEng\.exe|TrustedInstaller\.exe)/
    | DetectionType := "FirmwareImage_FileCreated"
    | IndicatorDetail := format("File: %s | By: %s", TargetFileName, ImageFileName) ;
  }
| table([#timestamp, ComputerName, UserName, DetectionType, IndicatorDetail, ImageFileName, CommandLine, TargetFileName, MD5HashData, SHA256HashData])
| sort(field=#timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Insight XDR Falcon Prevent (EPP) LogScale Falcon Event Stream (FDR)

Required Tables

ProcessRollup2 DriverLoad ServiceInstall FileCreate

False Positives

Legitimate BIOS update workflows initiated by Lenovo Vantage, Dell SupportAssist, or HP Support Solutions Framework that invoke vendor-signed AFUWIN64.exe or fpt.exe and write .cap or .bin firmware update packages to staging directories
Authorized security assessments using CHIPSEC — which registers chipsec.sys as a kernel driver service loaded from a temporary path — to validate SPI write-protect configurations on approved test endpoints
Hardware OEM quality assurance environments where Intel Flash Programming Tool (fpt.exe) and associated drivers are executed routinely by engineers to verify firmware integrity across device configurations

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1542.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1542Pre-OS Boot

Related Sub-techniques

T1542.002Component Firmware T1542.003Bootkit T1542.004ROMMONkit T1542.005TFTP Boot

System Firmware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections