Detect Bootkit in CrowdStrike LogScale
Adversaries may use bootkits to persist on systems by modifying boot sectors or EFI System Partition (ESP) files, enabling malicious code to execute before the operating system loads. On BIOS systems, adversaries overwrite the Master Boot Record (MBR) or Volume Boot Record (VBR) to hijack the boot sequence. On UEFI systems, they create or modify files in the ESP (e.g., bootmgfw.efi, shimx64.efi) to run malicious kernel code. Notable real-world examples include WhisperGate (MBR overwrite with fake ransom note), BOOTRASH (VBR persistence), TrickBot's TrickBoot module (UEFI firmware implant), ROCKBOOT (MBR bootkit deployed by APT41), and BlackLotus (UEFI bootkit bypassing Secure Boot). Bootkits survive OS reinstallation and are extremely difficult to remediate without specialized tooling and hardware replacement in severe cases. Detection depends on identifying raw disk write operations, suspicious process access to physical drive paths, unauthorized ESP file modifications, and use of known firmware/boot manipulation utilities.
MITRE ATT&CK
- Tactic
- Persistence Defense Evasion
- Technique
- T1542 Pre-OS Boot
- Sub-technique
- T1542.003 Bootkit
- Canonical reference
- https://attack.mitre.org/techniques/T1542/003/
LogScale Detection Query
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(bootsect|mbrfix|bootice|mbr2gpt|rawwrite)\.exe$/i
OR CommandLine = /(\\.\PhysicalDrive|\Device\Harddisk|PHYSICALDRIVE)/i
| ImageFileName != /(TrustedInstaller|TiWorker|wuauclt)/i
| eval detection_type = case {
ImageFileName = /(bootsect|mbrfix|bootice)/i : "boot_tool_execution";
CommandLine = /PhysicalDrive/i : "raw_disk_access";
* : "boot_manipulation"
}
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp descDetects bootkit installation via boot tool execution and raw disk access via CrowdStrike Falcon.
Data Sources
Required Tables
False Positives & Tuning
- Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
- Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
- Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
- IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
- Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files
Other platforms for T1542.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MBR Sector Read via PowerShell Raw Disk Access (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0' and 'FileStream'. Sysmon Event ID 9 (RawAccessRead): Device=\Device\Harddisk0\DR0, Image=powershell.exe. MDE DeviceEvents: ActionType=RawDiskReadAccess, InitiatingProcessFileName=powershell.exe.
- Test 2EFI System Partition Enumeration via mountvol (Windows)
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'mountvol' and '/S'. Sysmon Event ID 1: Follow-on 'dir' command against X:\EFI\. Security Event ID 4688 for each process. File access events for EFI directory traversal in DeviceFileEvents.
- Test 3Simulate MBR Write with dd on Linux
Expected signal: Auditd EXECVE record for dd with args 'if=/dev/zero', 'of=/dev/null', 'bs=446', 'count=1'. Syslog process creation record. In environments with Falco or similar eBPF security tooling: open syscall for /dev/zero with write context.
- Test 4Suspicious bcdedit Enumeration for Bootkit Reconnaissance (Windows)
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe, then bcdedit.exe with CommandLine '/enum all' and '/enum firmware'. Sysmon Event ID 11: FileCreate for %TEMP%\bcd_enum.txt. Security Event ID 4688 for bcdedit.exe. DeviceProcessEvents: FileName=bcdedit.exe.
References (9)
- https://attack.mitre.org/techniques/T1542/003/
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/
- https://eclypsium.com/blog/trickbot-now-offers-trickboot-persist-brick-profit/
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542.003/T1542.003.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://docs.microsoft.com/en-us/windows/security/threat-protection/secure-boot/secure-boot-landing
Unlock Pro Content
Get the full detection package for T1542.003 including response playbook, investigation guide, and atomic red team tests.