Detect System Firmware in Sumo Logic CSE
Adversaries may modify system firmware (BIOS or UEFI/EFI) to achieve persistent access that survives OS reinstallation and disk replacement. Because firmware executes before the operating system loads, malicious implants planted here are extremely difficult to detect and remove. Attackers typically require a vulnerable or attacker-supplied kernel-mode driver to gain ring-0 access to SPI flash memory before overwriting or patching the firmware image. Real-world examples include LoJax (Fancy Bear/APT28), which repurposed the legitimate LoJack anti-theft agent's UEFI module; Trojan.Mebromi, which modified the Award BIOS; and the Hacking Team UEFI Rootkit. Detection must focus on observable pre-conditions and side-effects: execution of firmware analysis and flashing utilities, loading of privileged hardware-access drivers, suspicious UEFI variable modification, and creation of raw firmware image files.
MITRE ATT&CK
- Tactic
- Persistence, Defense Evasion
- Technique
- T1542 Pre-OS Boot
- Sub-technique
- T1542.001 System Firmware
- Canonical reference
- https://attack.mitre.org/techniques/T1542/001/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where EventCode in ("1", "6", "11", "7045", "4688")
| parse field=Message "Image: *" as Image nodrop
| parse field=Message "CommandLine: *" as CommandLine nodrop
| parse field=Message "ImageLoaded: *" as ImageLoaded nodrop
| parse field=Message "TargetFilename: *" as TargetFilename nodrop
| parse field=Message "ServiceName: *" as ServiceName nodrop
| parse field=Message "ServiceFileName: *" as ServiceFileName nodrop
| parse field=Message "Signed: *" as Signed nodrop
| parse field=Message "Hashes: *" as Hashes nodrop
| where (
(
EventCode in ("1", "4688") and (
Image matches "*chipsec.exe" or Image matches "*flashrom.exe" or
Image matches "*RWEverything.exe" or Image matches "*RwDrv.exe" or
Image matches "*AFUWIN.exe" or Image matches "*AFUWIN64.exe" or
Image matches "*fpt.exe" or Image matches "*fptw.exe" or Image matches "*fptw64.exe" or
Image matches "*FWUpdate.exe" or Image matches "*biosflash.exe" or
Image matches "*meinfo.exe" or Image matches "*UEFITool.exe" or
Image matches "*iflash.exe" or Image matches "*AmiBIOSCoreUtil.exe" or
CommandLine matches "*chipsec*" or CommandLine matches "*flashrom*" or
CommandLine matches "*SpiFlash*" or CommandLine matches "*bios.rom*" or
CommandLine matches "*uefi.rom*" or CommandLine matches "*bios_backup*" or
CommandLine matches "*flash_bios*" or CommandLine matches "*RWEverything*" or
CommandLine matches "*writephysmem*" or CommandLine matches "*readphysmem*"
)
)
or
(
EventCode = "6" and (
ImageLoaded matches "*RwDrv.sys*" or ImageLoaded matches "*sednit.sys*" or
ImageLoaded matches "*chipsec.sys*" or ImageLoaded matches "*WinIo.sys*" or
ImageLoaded matches "*WinIo64.sys*" or ImageLoaded matches "*PhyMemX64.sys*" or
ImageLoaded matches "*DirectIO64.sys*" or ImageLoaded matches "*asmmap64.sys*" or
ImageLoaded matches "*gdrv.sys*" or ImageLoaded matches "*bsflash64.sys*" or
ImageLoaded matches "*inpoutx64.sys*" or ImageLoaded matches "*hwrwdrv.sys*" or
ImageLoaded matches "*lenovoemc.sys*" or ImageLoaded matches "*atkwio.sys*"
)
)
or
(
EventCode = "7045" and (
(
(ServiceFileName matches "*\\Temp\\*" or ServiceFileName matches "*\\Users\\*" or
ServiceFileName matches "*\\ProgramData\\*" or ServiceFileName matches "*\\Downloads\\*")
and ServiceFileName matches "*.sys"
)
or ServiceName matches "*RwDrv*" or ServiceName matches "*chipsec*" or
ServiceName matches "*WinIo*" or ServiceName matches "*DirectIO*" or
ServiceName matches "*PhyMem*" or ServiceName matches "*asmmap*" or
ServiceName matches "*gdrv*" or ServiceName matches "*inpout*"
)
)
or
(
EventCode = "11" and (
TargetFilename matches "*.rom" or TargetFilename matches "*.fd" or
TargetFilename matches "*.cap" or
(
TargetFilename matches "*.bin" and
not TargetFilename matches "*\\Windows\\*" and
not TargetFilename matches "*\\Program Files\\*"
)
)
and not (
Image matches "*svchost.exe*" or Image matches "*MsMpEng.exe*" or
Image matches "*TrustedInstaller.exe*"
)
)
)
| eval DetectionType = if(EventCode in ("1","4688"), "FirmwareTool_Execution",
if(EventCode = "6", "HardwareAccess_Driver_Load",
if(EventCode = "7045", "SuspiciousKernelDriver_Installed",
if(EventCode = "11", "FirmwareImage_FileCreated", "Unknown"))))
| eval IndicatorDetail = if(EventCode in ("1","4688"), concat("Process: ", Image, " | CMD: ", CommandLine),
if(EventCode = "6", concat("Driver: ", ImageLoaded, " | Signed: ", Signed),
if(EventCode = "7045", concat("Service: ", ServiceName, " | Path: ", ServiceFileName),
if(EventCode = "11", concat("File: ", TargetFilename, " | By: ", Image), ""))))
| table _messagetime, Computer, User, DetectionType, IndicatorDetail, Hashes
| sort by _messagetime desc
Sumo Logic detection for T1542.001 System Firmware using parsed Windows Security and Sysmon operational log messages. Parses key fields from EID 1/4688 (process creation), EID 6 (driver load), EID 7045 (service install), and EID 11 (file create) to match firmware tool execution, privileged hardware-access driver loads, suspicious kernel driver service registration, and raw firmware image artifact creation. Enriches each match with a DetectionType label and IndicatorDetail for triage, including driver signing status and SHA/MD5 hashes where available. Note that the parse expressions follow the Sysmon "Key: value" message layout; Security EID 4688 messages carry the process path and arguments as "New Process Name:" and "Process Command Line:", so a 4688-specific parse into Image and CommandLine is needed before those clauses can match Security events.
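The query's matching logic, re-implemented offline as an added example (not the page's query or any Sumo Logic code) so the rule can be sanity-checked against constructed Sysmon-style messages before deployment. parse_message and classify are hypothetical helper names, and case-insensitive matching is an assumption made here rather than a property of the Sumo `matches` operator.

```python
from fnmatch import fnmatchcase

# Glob patterns copied from the query; matching here is case-insensitive (a deliberate
# choice for Windows paths, so every pattern and value is lower-cased before comparison).
TOOL_IMAGES = ["*chipsec.exe", "*flashrom.exe", "*rweverything.exe", "*rwdrv.exe", "*afuwin.exe",
               "*afuwin64.exe", "*fpt.exe", "*fptw.exe", "*fptw64.exe", "*fwupdate.exe",
               "*biosflash.exe", "*meinfo.exe", "*uefitool.exe", "*iflash.exe", "*amibioscoreutil.exe"]
TOOL_CMDLINES = ["*chipsec*", "*flashrom*", "*spiflash*", "*bios.rom*", "*uefi.rom*", "*bios_backup*",
                 "*flash_bios*", "*rweverything*", "*writephysmem*", "*readphysmem*"]
HW_DRIVERS = ["*rwdrv.sys*", "*sednit.sys*", "*chipsec.sys*", "*winio.sys*", "*winio64.sys*",
              "*phymemx64.sys*", "*directio64.sys*", "*asmmap64.sys*", "*gdrv.sys*", "*bsflash64.sys*",
              "*inpoutx64.sys*", "*hwrwdrv.sys*", "*lenovoemc.sys*", "*atkwio.sys*"]
SVC_NAMES = ["*rwdrv*", "*chipsec*", "*winio*", "*directio*", "*phymem*", "*asmmap*", "*gdrv*", "*inpout*"]
USER_DIRS = ["*\\temp\\*", "*\\users\\*", "*\\programdata\\*", "*\\downloads\\*"]
SYSTEM_DIRS = ["*\\windows\\*", "*\\program files\\*"]
BENIGN_WRITERS = ["*svchost.exe*", "*msmpeng.exe*", "*trustedinstaller.exe*"]

def _any(value, patterns):
    v = (value or "").lower()
    return any(fnmatchcase(v, p) for p in patterns)

def parse_message(message):
    """Mirror of the query's `parse field=Message "Key: *"` lines (Sysmon key: value layout)."""
    fields = {}
    for line in message.splitlines():
        key, sep, val = line.partition(": ")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def classify(event_code, message):
    """Return the DetectionType label the query would assign to this event, or None."""
    f = parse_message(message)
    if event_code in ("1", "4688"):
        if _any(f.get("Image"), TOOL_IMAGES) or _any(f.get("CommandLine"), TOOL_CMDLINES):
            return "FirmwareTool_Execution"
    elif event_code == "6" and _any(f.get("ImageLoaded"), HW_DRIVERS):
        return "HardwareAccess_Driver_Load"
    elif event_code == "7045":
        path = f.get("ServiceFileName")
        if (_any(path, USER_DIRS) and _any(path, ["*.sys"])) or _any(f.get("ServiceName"), SVC_NAMES):
            return "SuspiciousKernelDriver_Installed"
    elif event_code == "11":
        target = f.get("TargetFilename")
        raw_image = _any(target, ["*.rom", "*.fd", "*.cap"]) or (
            _any(target, ["*.bin"]) and not _any(target, SYSTEM_DIRS))
        if raw_image and not _any(f.get("Image"), BENIGN_WRITERS):
            return "FirmwareImage_FileCreated"
    return None
```

Feeding it the expected signals from the Testing Methodology section below (constructed messages) confirms each test lands in the intended DetectionType, and that the `.bin`-under-`\Windows\` and svchost exclusions drop benign writes.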
Data Sources
Required Tables
False Positives & Tuning
- Automated BIOS/UEFI firmware updates deployed via OEM management platforms (Dell OMSA, HP iLO Amplifier Pack, Lenovo XClarity) that invoke flashing utilities and write firmware image files as part of scheduled patching
- Red team or vulnerability assessment engagements using CHIPSEC to enumerate SPI flash write-protect register states — generates chipsec.sys driver load and process execution events on authorized targets
- Embedded firmware development or QA lab systems where engineers regularly build and flash .rom/.bin images using AMI AFUWIN or Intel Flash Programming Tool as part of their standard development workflow
Other platforms for T1542.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enumerate BIOS/UEFI Version and Vendor via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Win32_BIOS' and 'EfiEnvironment'. PowerShell ScriptBlock Log Event ID 4104 with the full script. WMI activity logged in Microsoft-Windows-WMI-Activity/Operational.
- Test 2: Execute CHIPSEC Firmware Analysis Tool
Expected signal: Sysmon Event ID 1: Process Create for python.exe with CommandLine containing 'chipsec'. Sysmon Event ID 6 (Driver Loaded): ImageLoaded ending in chipsec.sys, likely Signed=false. Windows System Event ID 7045: ServiceName=chipsec, ServiceFileName pointing to a temp path. If chipsec.sys is extracted to %TEMP%, Sysmon Event ID 11 (File Create) for chipsec.sys.
- Test 3: Load RWEverything Privileged Hardware Access Driver (BYOVD Simulation)
Expected signal: Windows System Event ID 7045: ServiceName=RwDrv, ServiceType=kernel mode driver, ServiceFileName=%TEMP%\RwDrv.sys. Windows System Event ID 7036: RwDrv service entered running state. Sysmon Event ID 6 (Driver Loaded): ImageLoaded=%TEMP%\RwDrv.sys with Signed and SignatureStatus fields. Security Event ID 4688 for sc.exe process creation.
- Test 4: Create Fake Firmware Image File from Non-System Process
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=%TEMP%\bios_modified.rom, Image=powershell.exe. Sysmon Event ID 1 (Process Create): powershell.exe CommandLine containing 'bios_modified.rom' and 'WriteAllBytes'. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
References (10)
- https://attack.mitre.org/techniques/T1542/001/
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
- https://github.com/chipsec/chipsec
- https://loldrivers.io/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
- https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html
- https://www.blackhat.com/docs/us-17/thursday/us-17-Matrosov-The-UEFI-Firmware-Rootkits-Myths-And-Reality.pdf
- https://eclypsium.com/research/the-firmware-supply-chain-problem/