Detect Component Firmware in CrowdStrike LogScale
Adversaries may modify component firmware to persist on systems. Some adversaries employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware (T1542.001) but conducted upon other system components such as hard drives, network interface cards, and other peripheral devices that may not have the same level of integrity checking. Malicious component firmware provides persistent access that survives disk reimaging, OS reinstallation, and most host-based defenses. Notable examples include the Equation Group's capability to overwrite hard drive firmware across multiple manufacturers (Seagate, Western Digital, Toshiba) and Cyclops Blink's persistent firmware patching of WatchGuard network devices.
MITRE ATT&CK
- Tactic
- Persistence Defense Evasion
- Technique
- T1542 Pre-OS Boot
- Sub-technique
- T1542.002 Component Firmware
- Canonical reference
- https://attack.mitre.org/techniques/T1542/002/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(hdparm|flashrom|nvflash|fwupdmgr|fwupd-tool|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|nvme|sdparm|atapwd|nls_933w)(\.exe)?$/
OR (
CommandLine = /(?i)(hdparm|flashrom|nvflash|fwupd|sg_write_buffer|ethtool|nvme|sdparm)/
AND CommandLine = /(?i)(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)/
)
OR (
CommandLine = /(?i)(hdparm|flashrom|nvflash|fwupd|sg_write_buffer|ethtool|nvme)/
AND CommandLine = /(?i)(/dev/sd[a-z]|/dev/nvme[0-9]|/dev/hd[ab]|\\\.\\physicaldrive|\\\.\\scsi|\\device\\harddisk)/
)
OR (
CommandLine = /(?i)(--yes-i-know-what-i-am-doing|security-erase|security-set-pass)/
AND CommandLine = /(?i)(/dev/sd[a-z]|/dev/nvme|physicaldrive|\\device\\harddisk)/
)
| eval IsFirmwareTool=if(match(ImageFileName, /(?i)(hdparm|flashrom|nvflash|fwupd|afuwin|afudos|amiflash|awdflash|mflash|ethtool|sg_write_buffer|sg3_utils|nvme|sdparm|atapwd|nls_933w)/), 1, 0)
| eval IsWriteOperation=if(match(CommandLine, /(?i)(--write-sector|--yes-i-know-what-i-am-doing|security-set-pass|security-unlock|security-erase|security-disable|--flash|writedmabuf|--fwdl|--fw-download|download_fw)/), 1, 0)
| eval IsRawDeviceAccess=if(match(CommandLine, /(?i)(physicaldrive|\\device\\harddisk|/dev/sd[a-z]|/dev/nvme|/dev/hd[ab])/), 1, 0)
| eval SuspicionScore=IsFirmwareTool + IsWriteOperation + IsRawDeviceAccess
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName], function=[count(aid, as=EventCount), max(SuspicionScore, as=MaxScore), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort MaxScore desc, LastSeen descCrowdStrike LogScale (CQL) query detecting component firmware modification via ProcessRollup2 events. Matches known firmware utilities (hdparm, flashrom, nvflash, fwupdmgr, ethtool, etc.) executing with write operation arguments or raw device path access, with suspicion scoring for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Authorized enterprise firmware update deployments pushed via Falcon Fusion workflows or third-party patch management tools during approved change windows
- Storage administrators executing nvme-cli or hdparm read-only health checks (e.g., hdparm -I /dev/sda) for disk monitoring without write flags
- Security tooling vendors or MDR platforms using sg3_utils or ethtool during hardware validation or incident response forensic procedures on authorized endpoints
Other platforms for T1542.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hard Drive Firmware Version Enumeration via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'Win32_DiskDrive' and 'FirmwareRevision'. Security Event ID 4688 if command line auditing is enabled. WMI Activity Event ID 5860 in Microsoft-Windows-WMI-Activity/Operational log showing WMI query execution.
- Test 2ATA Disk Identity Read with hdparm (Linux)
Expected signal: Linux auditd syscall record: type=EXECVE msg=audit(...): argc=3 a0='hdparm' a1='-I' a2='/dev/sda'. Syslog entry for sudo privilege escalation. If Sysmon for Linux is deployed, Event ID 1 (Process Create) with Image=/sbin/hdparm and CommandLine containing '/dev/sda'.
- Test 3NVMe Drive Firmware Slot Information Read (Linux)
Expected signal: Linux auditd execve syscall records for nvme with arguments 'fw-log /dev/nvme0' and 'id-ctrl /dev/nvme0'. Syslog sudo authentication entries. Process creation event with raw NVMe device path in command arguments.
- Test 4Firmware Image Staging File Creation
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe. Sysmon Event ID 11: File Create with TargetFilename matching *\Temp\hdd_fw_update.bin with .bin extension. The file-based hunting query for .bin/.rom/.fw creation in non-standard directories will match with InitiatingProcessFileName=powershell.exe.
References (7)
- https://attack.mitre.org/techniques/T1542/002/
- https://www.computerworld.com/article/1484887/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html
- https://www.smartmontools.org/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- https://linux.die.net/man/8/hdparm
- https://nvmexpress.org/resources/nvme-command-line-interface/
Unlock Pro Content
Get the full detection package for T1542.002 including response playbook, investigation guide, and atomic red team tests.