T1542.003 Bootkit Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let BootkitToolNames = dynamic(["dd.exe", "rawwrite.exe", "rawdisk.exe", "bootice.exe", "mbrfix.exe", "bcdedit.exe", "bootsect.exe", "diskpart.exe", "mbr2gpt.exe"]);
let RawDiskPaths = dynamic(["\\\\.\\PhysicalDrive", "\\Device\\Harddisk", "\\\\.\\PHYSICALDRIVE", "\\\\?\\PhysicalDrive"]);
let EFIFilePatterns = dynamic(["bootmgfw.efi", "bootmgr.efi", "grubx64.efi", "shimx64.efi", "mmx64.efi", "MokManager.efi", "bootx64.efi"]);
let LegitBootUpdaters = dynamic(["TrustedInstaller.exe", "TiWorker.exe", "wuauclt.exe", "svchost.exe", "MicrosoftEdgeUpdate.exe", "MsMpEng.exe", "SenseIR.exe"]);
// Arm 1: Raw disk write access via MDE telemetry
let RawDiskWrites = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "RawDiskWriteAccess"
| where not(InitiatingProcessFileName has_any (LegitBootUpdaters))
| extend DetectionSource = "RawDiskWriteAccess"
| project Timestamp, DeviceName, AccountName, ActionType, DetectionSource,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, InitiatingProcessAccountName;
// Arm 2: Process creation accessing physical drive paths or using boot manipulation tools
let BootManipulationProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (ProcessCommandLine has_any (RawDiskPaths)
    or FileName in~ (BootkitToolNames))
| where not(InitiatingProcessFileName has_any (LegitBootUpdaters))
| where not(FileName =~ "diskpart.exe" and ProcessCommandLine has_any ("list disk", "list volume", "list partition", "select disk", "select volume"))
| extend DetectionSource = "BootManipulationProcess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionSource;
// Arm 3: EFI System Partition file creation or modification by non-OS processes
let ESPModifications = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where (FolderPath has_any ("\\EFI\\", "\\Boot\\", "EFI System") or FileName has_any (EFIFilePatterns))
| where FileName endswith ".efi" or FileName in~ (EFIFilePatterns)
| where not(InitiatingProcessFileName has_any (LegitBootUpdaters))
| extend DetectionSource = "ESPModification"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionSource;
union RawDiskWrites, BootManipulationProcesses, ESPModifications
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Drive: Drive Modification Drive: Drive Access Process: Process Creation File: File Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceProcessEvents DeviceFileEvents

False Positives

Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval isProcessCreate=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1, 1, 0)
| eval isFileCreate=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode IN (11, 23), 1, 0)
| eval isRawAccess=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=9, 1, 0)
| eval isSecurity4688=if(sourcetype="WinEventLog:Security" AND EventCode=4688, 1, 0)
| eval CmdLower=lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval ImageLower=lower(coalesce(Image, NewProcessName, ""))
| eval TargetFileLower=lower(coalesce(TargetFilename, ""))
| eval RawDiskAccess=if(match(CmdLower, "(\\\\\\.\\\\physicaldrive|\\\\device\\\\harddisk|\\.\\physicaldrive0)"), 1, 0)
| eval BootToolUsed=if(match(ImageLower, "(bootsect\.exe|mbrfix\.exe|bootice\.exe|rawwrite\.exe|mbr2gpt\.exe)") OR match(CmdLower, "(dd\.exe|bootice|mbrfix|rawwrite)"), 1, 0)
| eval DiskpartWrite=if(match(ImageLower, "diskpart\.exe") AND match(CmdLower, "(active|format|mbr|gpt|override)"), 1, 0)
| eval EFIFileWrite=if(isFileCreate=1 AND match(TargetFileLower, "(\\.efi$|\\\\efi\\\\|\\\\boot\\\\bootmgr|bootmgfw|grubx64|shimx64|bootx64)"), 1, 0)
| eval SysmonRawDisk=if(isRawAccess=1, 1, 0)
| eval SuspicionScore=RawDiskAccess + BootToolUsed + DiskpartWrite + EFIFileWrite + SysmonRawDisk
| where SuspicionScore > 0
| eval LegitUpdater=if(match(ImageLower, "(trustedinstaller|tiworker|wuauclt|msmpsvc|msmpeng|senseir)"), 1, 0)
| where LegitUpdater=0
| table _time, host, User, Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine, RawDiskAccess, BootToolUsed, DiskpartWrite, EFIFileWrite, SysmonRawDisk, SuspicionScore
| sort - SuspicionScore, - _time

critical severity medium confidence

Data Sources

Drive: Drive Access Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 9 Sysmon Event ID 11 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates
Disk management and partitioning tools during legitimate IT operations (cloning, imaging, provisioning)
Dual-boot configuration tools (bootice.exe, grub-install via WSL) during authorized multi-OS setup
Manufacturer firmware update utilities that access raw disk sectors to update BIOS/UEFI components
Disk diagnostic tools performing sector-level reads for health analysis

Elastic Security (EQL)

eql

any where
  (event.category == "driver" and event.type == "access" and
   process.name != null and
   not process.name : ("TrustedInstaller.exe","TiWorker.exe","wuauclt.exe","MsMpEng.exe")) or
  (event.category == "process" and event.type == "start" and
   (process.name : ("dd.exe","rawwrite.exe","bootice.exe","mbrfix.exe","bootsect.exe","mbr2gpt.exe") or
    process.command_line : ("*\\.\\PhysicalDrive*","*\\Device\\Harddisk*","*\\PHYSICALDRIVE*")) and
   not process.parent.name : ("TrustedInstaller.exe","TiWorker.exe","wuauclt.exe")) or
  (event.category == "file" and event.type in ("creation","change") and
   (file.name : ("*.efi","bootmgfw.efi","bootmgr.efi","grubx64.efi","shimx64.efi","bootx64.efi") or
    file.path : ("*\\EFI\\*","*\\Boot\\bootmgr*")) and
   not process.name : ("TrustedInstaller.exe","TiWorker.exe","wuauclt.exe"))

critical severity medium confidence

Data Sources

Endpoint Process Events Endpoint File Events Driver Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-*

False Positives

Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  "TargetFilename" as TargetFile,
  CASE WHEN "Image" ILIKE '%bootsect.exe%' OR "Image" ILIKE '%mbrfix.exe%'
            OR "Image" ILIKE '%bootice.exe%' THEN 10
       WHEN "CommandLine" ILIKE '%PhysicalDrive%' OR "CommandLine" ILIKE '%Harddisk%' THEN 9
       WHEN "TargetFilename" ILIKE '%.efi%' OR "TargetFilename" ILIKE '%\EFI\%' THEN 9
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid = 9) OR
  (eventid = 1 AND (
    LOWER("Image") LIKE '%bootsect.exe%' OR LOWER("Image") LIKE '%mbrfix.exe%' OR
    LOWER("Image") LIKE '%bootice.exe%' OR LOWER("Image") LIKE '%mbr2gpt.exe%' OR
    "CommandLine" ILIKE '%\\.\PhysicalDrive%' OR "CommandLine" ILIKE '%\Device\Harddisk%'))
  OR (eventid IN (11,23) AND (
    "TargetFilename" ILIKE '%.efi%' OR "TargetFilename" ILIKE '%\EFI\%' OR
    "TargetFilename" ILIKE '%\Boot\bootmgr%'))
)
AND LOWER(coalesce("Image","")) NOT LIKE '%trustedinstaller%'
AND LOWER(coalesce("Image","")) NOT LIKE '%tiworker%'
ORDER BY EventTime DESC

critical severity medium confidence

Data Sources

Windows Sysmon Event Log

Required Tables

events

False Positives

Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| json auto
| where EventID in ("1","9","11","23")
| eval ImageLower = toLower(coalesce(Image,""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval TargetLower = toLower(coalesce(TargetFilename,""))
| eval RawDisk = if(EventID == "9", 1, 0)
| eval BootTool = if(EventID == "1" AND (ImageLower matches "(bootsect|mbrfix|bootice|mbr2gpt)\.exe"
                   OR CmdLower matches "(\.\\physicaldrive|\\device\\harddisk)"), 1, 0)
| eval EFIWrite = if(EventID in ("11","23") AND (TargetLower matches "\.efi$"
                    OR TargetLower matches "\\efi\\" OR TargetLower matches "\\boot\\bootmgr"), 1, 0)
| eval SuspicionScore = RawDisk + BootTool + EFIWrite
| where SuspicionScore > 0
| where !ImageLower matches "(trustedinstaller|tiworker|wuauclt)"
| table _time, Computer, User, Image, CommandLine, TargetFilename, RawDisk, BootTool, EFIWrite, SuspicionScore
| sort by SuspicionScore desc

critical severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon

False Positives

Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files

Google Chronicle / SecOps

yaral

rule bootkit_installation {
  meta:
    author = "Detection Engineering"
    description = "Detects bootkit installation via raw disk access and EFI file modification (T1542.003)"
    severity = "CRITICAL"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(bootsect|mbrfix|bootice|mbr2gpt|rawwrite)\.exe`) nocase or
      re.regex($e.target.process.command_line, `(?i)(\\\.\\PhysicalDrive|\\Device\\Harddisk|PHYSICALDRIVE)`) nocase
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(TrustedInstaller|TiWorker|wuauclt)`) nocase

  condition:
    $e
}

critical severity medium confidence

Data Sources

Endpoint Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(bootsect|mbrfix|bootice|mbr2gpt|rawwrite)\.exe$/i
  OR CommandLine = /(\\.\PhysicalDrive|\Device\Harddisk|PHYSICALDRIVE)/i
| ImageFileName != /(TrustedInstaller|TiWorker|wuauclt)/i
| eval detection_type = case {
    ImageFileName = /(bootsect|mbrfix|bootice)/i : "boot_tool_execution";
    CommandLine = /PhysicalDrive/i : "raw_disk_access";
    * : "boot_manipulation"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc

critical severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files

Bootkit

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections