Detect System Firmware in Microsoft Sentinel
Adversaries may modify system firmware (BIOS or UEFI/EFI) to achieve persistent access that survives OS reinstallation and disk replacement. Because firmware executes before the operating system loads, malicious implants planted here are extremely difficult to detect and remove. Attackers typically require a vulnerable or attacker-supplied kernel-mode driver to gain ring-0 access to SPI flash memory before overwriting or patching the firmware image. Real-world examples include LoJax (Fancy Bear/APT28), which repurposed the legitimate LoJack anti-theft agent's UEFI module; Trojan.Mebromi, which modified the Award BIOS; and the Hacking Team UEFI Rootkit. Detection must focus on observable pre-conditions and side-effects: execution of firmware analysis and flashing utilities, loading of privileged hardware-access drivers, suspicious UEFI variable modification, and creation of raw firmware image files.
MITRE ATT&CK
- Tactic
- Persistence Defense Evasion
- Technique
- T1542 Pre-OS Boot
- Sub-technique
- T1542.001 System Firmware
- Canonical reference
- https://attack.mitre.org/techniques/T1542/001/
KQL Detection Query
let FirmwareToolNames = dynamic([
"chipsec_main.py", "chipsec.exe", "flashrom.exe", "RwDrv.exe",
"RWEverything.exe", "AFUWIN.exe", "AFUWIN64.exe", "fpt.exe",
"fptw.exe", "fptw64.exe", "FWUpdate.exe", "biosflash.exe",
"meinfo.exe", "meinfowin.exe", "AmiBIOSCoreUtil.exe",
"bios.exe", "efi_extract.exe", "UEFITool.exe", "iflash.exe"
]);
let SuspiciousDriverNames = dynamic([
"RwDrv.sys", "sednit.sys", "chipsec.sys", "WinIo.sys",
"WinIo64.sys", "PhyMemX64.sys", "DirectIO64.sys",
"asmmap64.sys", "gdrv.sys", "bsflash64.sys", "inpoutx64.sys",
"hwrwdrv.sys", "lenovoemc.sys", "atkwio.sys"
]);
let FirmwareCLIPatterns = dynamic([
"chipsec", "flashrom", "-spi", "--spi", "SpiFlash",
"bios.rom", "firmware.rom", "uefi.rom", "bios.bin",
"uefi.bin", "bios_backup", "flash_bios", "WriteToSMBios",
"RWEverything", "WinPmem", "/writephysmem", "/readphysmem"
]);
// Branch 1: Execution of known firmware analysis or flashing tools
let FirmwareToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareToolNames)
or ProcessCommandLine has_any (FirmwareCLIPatterns)
| extend AlertReason = "FirmwareTool_Execution",
RiskDetail = strcat("Process: ", FileName, " | CMD: ", ProcessCommandLine);
// Branch 2: Loading of privileged hardware-access drivers (pre-requisite for SPI flash write)
let SuspiciousDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousDriverNames)
or FolderPath has_any ("\\Temp\\", "\\Downloads\\", "\\AppData\\")
and FileName endswith ".sys"
and not(InitiatingProcessFileName in~ ("MsMpEng.exe", "svchost.exe", "services.exe"))
| extend AlertReason = "HardwareAccess_Driver_Load",
RiskDetail = strcat("Driver: ", FileName, " | Path: ", FolderPath, " | Loaded by: ", InitiatingProcessFileName);
// Branch 3: Service installation of unsigned/suspicious kernel driver (Event 7045 equivalent via MDE)
let SuspiciousServiceInstall = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ServiceInstalled"
| where AdditionalFields has ".sys"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName),
ServiceImagePath = tostring(parse_json(AdditionalFields).ServiceImagePath)
| where ServiceImagePath has_any ("\\Temp\\", "\\Users\\", "\\ProgramData\\")
or ServiceName has_any ("RwDrv", "chipsec", "WinIo", "DirectIO", "PhyMem", "asmmap")
| extend AlertReason = "SuspiciousKernelDriver_Installed",
RiskDetail = strcat("Service: ", ServiceName, " | Path: ", ServiceImagePath);
// Branch 4: Creation of raw firmware image files
let FirmwareImageCreated = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".rom" or FileName endswith ".fd" or FileName endswith ".cap"
or (FileName endswith ".bin" and FolderPath !has "\\Windows\\"
and FolderPath !has "\\Program Files\\"
and not(InitiatingProcessFileName in~ ("svchost.exe", "MsMpEng.exe")))
| extend AlertReason = "FirmwareImage_FileCreated",
RiskDetail = strcat("File: ", FileName, " | Path: ", FolderPath, " | Created by: ", InitiatingProcessFileName);
union FirmwareToolExecution, SuspiciousDriverLoad, SuspiciousServiceInstall, FirmwareImageCreated
| project Timestamp, DeviceName, AccountName, AlertReason, RiskDetail,
FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp descMulti-branch detection for BIOS/UEFI firmware attack precursors and indicators using Microsoft Defender for Endpoint tables. Branch 1 identifies execution of known firmware flashing and analysis utilities (chipsec, flashrom, AMI AFU, Intel FPT, RWEverything). Branch 2 detects loading of privileged hardware-access kernel drivers commonly used to gain ring-0 SPI flash access (RwDrv.sys, WinIo.sys, DirectIO64.sys). Branch 3 catches kernel driver service installation from anomalous filesystem paths. Branch 4 flags creation of raw firmware image files (.rom, .fd, .cap, .bin) by non-system processes. Each branch emits an AlertReason field to aid analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate BIOS updates applied by OEM vendor software (HP System Software Manager, Dell Command Update, Lenovo System Update) — these write .cap or .fd files and load vendor-signed flash drivers
- Security researchers or IT administrators running chipsec or RWEverything for firmware integrity auditing — typically executed from identified IT asset accounts on designated systems
- Hardware diagnostics tools bundled with workstation imaging suites that load low-level I/O drivers during provisioning
- Firmware update components within enterprise software management agents (SCCM, BigFix) that temporarily install driver packages
- Virtualization platforms and hypervisors loading signed hardware-access drivers for device passthrough or UEFI emulation
Other platforms for T1542.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate BIOS/UEFI Version and Vendor via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Win32_BIOS' and 'EfiEnvironment'. PowerShell ScriptBlock Log Event ID 4104 with the full script. WMI activity logged in Microsoft-Windows-WMI-Activity/Operational.
- Test 2Execute CHIPSEC Firmware Analysis Tool
Expected signal: Sysmon Event ID 1: Process Create for python.exe with CommandLine containing 'chipsec'. Sysmon Event ID 6 (Driver Loaded): ImageLoaded ending in chipsec.sys, likely Signed=false. Windows System Event ID 7045: ServiceName=chipsec, ServiceFileName pointing to a temp path. If chipsec.sys is extracted to %TEMP%, Sysmon Event ID 11 (File Create) for chipsec.sys.
- Test 3Load RWEverything Privileged Hardware Access Driver (BYOVD Simulation)
Expected signal: Windows System Event ID 7045: ServiceName=RwDrv, ServiceType=kernel mode driver, ServiceFileName=%TEMP%\RwDrv.sys. Windows System Event ID 7036: RwDrv service entered running state. Sysmon Event ID 6 (Driver Loaded): ImageLoaded=%TEMP%\RwDrv.sys with Signed and SignatureStatus fields. Security Event ID 4688 for sc.exe process creation.
- Test 4Create Fake Firmware Image File from Non-System Process
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=%TEMP%\bios_modified.rom, Image=powershell.exe. Sysmon Event ID 1 (Process Create): powershell.exe CommandLine containing 'bios_modified.rom' and 'WriteAllBytes'. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
References (10)
- https://attack.mitre.org/techniques/T1542/001/
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
- https://github.com/chipsec/chipsec
- https://loldrivers.io/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
- https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html
- https://www.blackhat.com/docs/us-17/thursday/us-17-Matrosov-The-UEFI-Firmware-Rootkits-Myths-And-Reality.pdf
- https://eclypsium.com/research/the-firmware-supply-chain-problem/
Unlock Pro Content
Get the full detection package for T1542.001 including response playbook, investigation guide, and atomic red team tests.