T1542.002

Component Firmware

Adversaries may modify component firmware to persist on systems. Some adversaries employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware (T1542.001) but conducted upon other system components such as hard drives, network interface cards, and other peripheral devices that may not have the same level of integrity checking. Malicious component firmware provides persistent access that survives disk reimaging, OS reinstallation, and most host-based defenses. Notable examples include the Equation Group's capability to overwrite hard drive firmware across multiple manufacturers (Seagate, Western Digital, Toshiba) and Cyclops Blink's persistent firmware patching of WatchGuard network devices.

Microsoft Sentinel / Defender

kusto

let FirmwareModificationTools = dynamic([
    "hdparm", "flashrom", "nvflash", "fwupdmgr", "fwupd-tool",
    "afuwin", "afudos", "amiflash", "awdflash", "mflash",
    "ethtool", "sg_write_buffer", "sg3_utils", "nvme", "sdparm",
    "atapwd", "nls_933w"
]);
let WriteOperationArgs = dynamic([
    "--write-sector", "--yes-i-know-what-i-am-doing",
    "security-set-pass", "security-unlock", "security-erase",
    "security-disable", "--flash", "writedmabuf",
    "--fwdl", "--fw-download", "-d firmware", "download_fw"
]);
let RawDevicePaths = dynamic([
    "\\\\.\\PhysicalDrive", "\\\\.\\SCSI", "\\Device\\Harddisk",
    "/dev/sda", "/dev/sdb", "/dev/sdc", "/dev/nvme", "/dev/hda", "/dev/hdb"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareModificationTools)
    or (ProcessCommandLine has_any (FirmwareModificationTools)
        and ProcessCommandLine has_any (WriteOperationArgs))
    or ProcessCommandLine has_any (RawDevicePaths)
| extend IsFirmwareTool = FileName has_any (FirmwareModificationTools)
| extend IsWriteOperation = ProcessCommandLine has_any (WriteOperationArgs)
| extend IsRawDeviceAccess = ProcessCommandLine has_any (RawDevicePaths)
| extend SuspicionScore = toint(IsFirmwareTool) + toint(IsWriteOperation) + toint(IsRawDeviceAccess)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256,
         IsFirmwareTool, IsWriteOperation, IsRawDeviceAccess, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate firmware updates from hardware vendors pushed via enterprise management tools such as Dell Command Update, HP Client Management Script Library, or Lenovo System Update Service
IT administrators using hdparm or smartctl for read-only disk health diagnostics (hdparm -I, smartctl -a) — distinguish read versus write operations via command arguments
Network administrators using ethtool for NIC diagnostics and authorized firmware updates on managed switches or HBAs during approved maintenance windows
Automated OEM diagnostic agents that enumerate raw device paths for hardware inventory, health checks, or pre-boot environment reporting

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    process.name : ("hdparm", "flashrom", "nvflash", "fwupdmgr", "fwupd-tool", "afuwin", "afudos", "amiflash", "awdflash", "mflash", "ethtool", "sg_write_buffer", "sg3_utils", "nvme", "sdparm", "atapwd", "nls_933w") or
    process.args : ("--write-sector", "--yes-i-know-what-i-am-doing", "security-set-pass", "security-unlock", "security-erase", "security-disable", "--flash", "writedmabuf", "--fwdl", "--fw-download", "-d firmware", "download_fw") or
    process.args : ("/dev/sda", "/dev/sdb", "/dev/sdc", "/dev/nvme*", "/dev/hda", "/dev/hdb", "\\\\.\\PhysicalDrive*", "\\Device\\Harddisk*")
  )
]

// Alternatively, single-event form for broader coverage:
process where event.type == "start" and (
  (
    process.name : ("hdparm", "flashrom", "nvflash", "fwupdmgr", "fwupd-tool", "afuwin", "afudos", "amiflash", "awdflash", "mflash", "ethtool", "sg_write_buffer", "sg3_utils", "nvme", "sdparm", "atapwd", "nls_933w") and
    process.args : ("--write-sector", "--yes-i-know-what-i-am-doing", "security-set-pass", "security-unlock", "security-erase", "security-disable", "--flash", "writedmabuf", "--fwdl", "--fw-download", "-d firmware", "download_fw")
  ) or
  (
    process.name : ("hdparm", "flashrom", "nvflash", "fwupdmgr", "fwupd-tool", "afuwin", "afudos", "amiflash", "awdflash", "mflash", "ethtool", "sg_write_buffer") and
    process.args : ("/dev/sda", "/dev/sdb", "/dev/sdc", "/dev/nvme*", "/dev/hda", "/dev/hdb")
  ) or
  (
    process.args : ("--yes-i-know-what-i-am-doing") and
    process.args : ("--write-sector", "security-erase", "security-set-pass")
  )
)

critical severity high confidence

Data Sources

Elastic Endpoint Auditbeat Winlogbeat (Sysmon)

Required Tables

logs-endpoint.events.process-* logs-system.syslog-* winlogbeat-*

False Positives

Legitimate firmware update operations performed by system administrators using vendor-approved tools (e.g., fwupdmgr update during scheduled maintenance windows)
Hard drive diagnostics and health checks run by IT support using hdparm with read-only flags on Linux servers
Network interface card firmware updates executed by NIC vendor utilities (e.g., ethtool during driver upgrade procedures)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "hostname",
  QIDNAME(qid) AS event_name,
  "Process Name",
  "Command",
  "Parent Process",
  CASE
    WHEN LOWER("Process Name") MATCHES '(hdparm|flashrom|nvflash|fwupd|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|sdparm|atapwd|nls_933w)' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") MATCHES '(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("Command") MATCHES '(physicaldrive|\\\\device\\\\harddisk|/dev/sd[a-z]|/dev/nvme|/dev/hda|/dev/hdb)' THEN 1
    ELSE 0
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 433) -- Windows Sysmon, Windows Security, Linux Auth
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Process Name") MATCHES '(hdparm|flashrom|nvflash|fwupd|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|sdparm|atapwd|nls_933w)'
    OR (
      LOWER("Command") MATCHES '(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)'
      AND LOWER("Command") MATCHES '(hdparm|flashrom|nvflash|fwupd|sg_write_buffer|nvme|ethtool)'
    )
    OR LOWER("Command") MATCHES '(/dev/sd[a-z]|/dev/nvme[0-9]|/dev/hd[ab]|physicaldrive|\\\\device\\\\harddisk)'
  )
ORDER BY suspicion_score DESC, starttime DESC

critical severity medium confidence

Data Sources

QRadar Sysmon DSM QRadar Windows Security Event Log DSM QRadar Linux OS DSM

Required Tables

events

False Positives

Authorized firmware update deployments by IT teams using tools like fwupdmgr through enterprise patch management systems
Storage administrator diagnostic operations using hdparm or sg3_utils for disk health assessment without write flags
Hardware vendor support sessions involving firmware flashing of defective components under warranty replacement procedures

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*linux*syslog* OR _sourceCategory=*linux*audit*
| where EventCode = "1" or EventCode = "11" or sourcetype matches "*sysmon*"
| parse field=CommandLine "*" as cmd_full nodrop
| parse field=Image "*" as img_full nodrop
| parse field=process "*" as proc_full nodrop
| eval cmd_check = if(isNull(cmd_full), "", toLowerCase(cmd_full))
| eval img_check = if(isNull(img_full), "", toLowerCase(img_full))
| eval proc_check = if(isNull(proc_full), "", toLowerCase(proc_full))
| eval combined_img = concat(img_check, proc_check)
| eval IsFirmwareTool = if(
    combined_img matches "*(hdparm|flashrom|nvflash|fwupd|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|nvme|sdparm|atapwd|nls_933w)*",
    1, 0)
| eval IsWriteOperation = if(
    cmd_check matches "*(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)*",
    1, 0)
| eval IsRawDeviceAccess = if(
    cmd_check matches "*(/dev/sd|/dev/nvme|/dev/hda|/dev/hdb|physicaldrive|\\device\\harddisk|scsi#disk)*",
    1, 0)
| eval SuspicionScore = IsFirmwareTool + IsWriteOperation + IsRawDeviceAccess
| where SuspicionScore >= 1
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsFirmwareTool, IsWriteOperation, IsRawDeviceAccess, SuspicionScore
| sort by SuspicionScore desc, _time desc

critical severity medium confidence

Data Sources

Sumo Logic Sysmon Source Sumo Logic Linux Syslog Source Sumo Logic Auditd Source

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*linux*syslog*

False Positives

Enterprise endpoint management platforms executing BIOS/firmware updates via vendor-signed tools (Dell Command Update, HP BIOS Config Utility) during scheduled maintenance
Linux server administrators using hdparm with read-only flags (-I, -t) for disk benchmarking or health reporting purposes
Security researchers or penetration testers operating in authorized test environments running firmware analysis tooling

Google Chronicle / SecOps

yaral

rule t1542_002_component_firmware_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects component firmware modification attempts using known firmware utilities with write operations or raw device path access. Covers MITRE ATT&CK T1542.002."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1542.002"
    severity = "CRITICAL"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmd
    $e.target.process.file.full_path = $img

    (
      // Firmware tool detected in process image path
      re.regex($img, `(?i)(hdparm|flashrom|nvflash|fwupdmgr|fwupd-tool|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|nvme|sdparm|atapwd|nls_933w)(\.exe)?$`) or

      // Firmware tool with write operation arguments
      (
        re.regex($img, `(?i)(hdparm|flashrom|nvflash|fwupd|sg_write_buffer|ethtool|nvme|sdparm)`) and
        re.regex($cmd, `(?i)(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)`)
      ) or

      // Raw device path access with firmware tool
      (
        re.regex($img, `(?i)(hdparm|flashrom|nvflash|fwupd|sg_write_buffer|ethtool|nvme|sdparm)`) and
        re.regex($cmd, `(?i)(/dev/sd[a-z]|/dev/nvme[0-9]|/dev/hd[ab]|\\\\.\\\\physicaldrive|\\\\.\\\\scsi|\\\\device\\\\harddisk)`)
      ) or

      // Explicit write flags on raw device paths (any process)
      (
        re.regex($cmd, `(?i)(--yes-i-know-what-i-am-doing|--write-sector|security-erase|security-set-pass)`) and
        re.regex($cmd, `(?i)(/dev/sd[a-z]|/dev/nvme|physicaldrive|\\\\device\\\\harddisk)`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle UDM - Endpoint Detection Google Chronicle - Windows Event Forwarding Chronicle UDM - Linux Auditd

Required Tables

UDM events (PROCESS_LAUNCH)

False Positives

Legitimate firmware update workflows triggered by enterprise patch management solutions such as Microsoft Endpoint Configuration Manager or Ansible playbooks during maintenance windows
IT hardware technicians using sg3_utils or nvme-cli for NVMe drive health diagnostics without write operations on production endpoints
Embedded systems or IoT device management platforms using fwupdmgr or vendor-specific tools for approved firmware lifecycle management

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(hdparm|flashrom|nvflash|fwupdmgr|fwupd-tool|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|nvme|sdparm|atapwd|nls_933w)(\.exe)?$/
  OR (
    CommandLine = /(?i)(hdparm|flashrom|nvflash|fwupd|sg_write_buffer|ethtool|nvme|sdparm)/
    AND CommandLine = /(?i)(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)/
  )
  OR (
    CommandLine = /(?i)(hdparm|flashrom|nvflash|fwupd|sg_write_buffer|ethtool|nvme)/
    AND CommandLine = /(?i)(/dev/sd[a-z]|/dev/nvme[0-9]|/dev/hd[ab]|\\\.\\physicaldrive|\\\.\\scsi|\\device\\harddisk)/
  )
  OR (
    CommandLine = /(?i)(--yes-i-know-what-i-am-doing|security-erase|security-set-pass)/
    AND CommandLine = /(?i)(/dev/sd[a-z]|/dev/nvme|physicaldrive|\\device\\harddisk)/
  )
| eval IsFirmwareTool=if(match(ImageFileName, /(?i)(hdparm|flashrom|nvflash|fwupd|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|nvme|sdparm|atapwd|nls_933w)/), 1, 0)
| eval IsWriteOperation=if(match(CommandLine, /(?i)(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)/), 1, 0)
| eval IsRawDeviceAccess=if(match(CommandLine, /(?i)(physicaldrive|\\device\\harddisk|/dev/sd[a-z]|/dev/nvme|/dev/hd[ab])/), 1, 0)
| eval SuspicionScore=IsFirmwareTool + IsWriteOperation + IsRawDeviceAccess
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName], function=[count(aid, as=EventCount), max(SuspicionScore, as=MaxScore), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort MaxScore desc, LastSeen desc

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint - ProcessRollup2 CrowdStrike Falcon Insight XDR

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Authorized enterprise firmware update deployments pushed via Falcon Fusion workflows or third-party patch management tools during approved change windows
Storage administrators executing nvme-cli or hdparm read-only health checks (e.g., hdparm -I /dev/sda) for disk monitoring without write flags
Security tooling vendors or MDR platforms using sg3_utils or ethtool during hardware validation or incident response forensic procedures on authorized endpoints

Last updated: 2026-04-21 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1542.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Component Firmware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections