T1542.003 Microsoft Sentinel · KQL

Detect Bootkit in Microsoft Sentinel

Adversaries may use bootkits to persist on systems by modifying boot sectors or EFI System Partition (ESP) files, enabling malicious code to execute before the operating system loads. On BIOS systems, adversaries overwrite the Master Boot Record (MBR) or Volume Boot Record (VBR) to hijack the boot sequence. On UEFI systems, they create or modify files in the ESP (e.g., bootmgfw.efi, shimx64.efi) to run malicious kernel code. Notable real-world examples include WhisperGate (MBR overwrite with fake ransom note), BOOTRASH (VBR persistence), TrickBot's TrickBoot module (UEFI firmware implant), ROCKBOOT (MBR bootkit deployed by APT41), and BlackLotus (UEFI bootkit bypassing Secure Boot). Bootkits survive OS reinstallation and are extremely difficult to remediate without specialized tooling and hardware replacement in severe cases. Detection depends on identifying raw disk write operations, suspicious process access to physical drive paths, unauthorized ESP file modifications, and use of known firmware/boot manipulation utilities.

MITRE ATT&CK

Tactic
Persistence Defense Evasion
Technique
T1542 Pre-OS Boot
Sub-technique
T1542.003 Bootkit
Canonical reference
https://attack.mitre.org/techniques/T1542/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let BootkitToolNames = dynamic(["dd.exe", "rawwrite.exe", "rawdisk.exe", "bootice.exe", "mbrfix.exe", "bcdedit.exe", "bootsect.exe", "diskpart.exe", "mbr2gpt.exe"]);
let RawDiskPaths = dynamic(["\\\\.\\PhysicalDrive", "\\Device\\Harddisk", "\\\\.\\PHYSICALDRIVE", "\\\\?\\PhysicalDrive"]);
let EFIFilePatterns = dynamic(["bootmgfw.efi", "bootmgr.efi", "grubx64.efi", "shimx64.efi", "mmx64.efi", "MokManager.efi", "bootx64.efi"]);
let LegitBootUpdaters = dynamic(["TrustedInstaller.exe", "TiWorker.exe", "wuauclt.exe", "svchost.exe", "MicrosoftEdgeUpdate.exe", "MsMpEng.exe", "SenseIR.exe"]);
// Arm 1: Raw disk write access via MDE telemetry
let RawDiskWrites = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "RawDiskWriteAccess"
| where not(InitiatingProcessFileName has_any (LegitBootUpdaters))
| extend DetectionSource = "RawDiskWriteAccess"
| project Timestamp, DeviceName, AccountName, ActionType, DetectionSource,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, InitiatingProcessAccountName;
// Arm 2: Process creation accessing physical drive paths or using boot manipulation tools
let BootManipulationProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (ProcessCommandLine has_any (RawDiskPaths)
    or FileName in~ (BootkitToolNames))
| where not(InitiatingProcessFileName has_any (LegitBootUpdaters))
| where not(FileName =~ "diskpart.exe" and ProcessCommandLine has_any ("list disk", "list volume", "list partition", "select disk", "select volume"))
| extend DetectionSource = "BootManipulationProcess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionSource;
// Arm 3: EFI System Partition file creation or modification by non-OS processes
let ESPModifications = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where (FolderPath has_any ("\\EFI\\", "\\Boot\\", "EFI System") or FileName has_any (EFIFilePatterns))
| where FileName endswith ".efi" or FileName in~ (EFIFilePatterns)
| where not(InitiatingProcessFileName has_any (LegitBootUpdaters))
| extend DetectionSource = "ESPModification"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionSource;
union RawDiskWrites, BootManipulationProcesses, ESPModifications
| sort by Timestamp desc
critical severity medium confidence

Detects bootkit installation activity across three detection arms using Microsoft Defender for Endpoint telemetry. Arm 1 uses DeviceEvents RawDiskWriteAccess action type to catch direct physical disk writes that bypass the filesystem layer — the core primitive for MBR/VBR overwrite. Arm 2 monitors DeviceProcessEvents for processes using raw physical drive paths (e.g., \\.\PhysicalDrive0) or known boot manipulation utilities (dd.exe, bootice.exe, bootsect.exe, mbrfix.exe). Arm 3 monitors DeviceFileEvents for unauthorized creation or modification of EFI system partition files (.efi) by non-OS processes. Legitimate OS update processes (TrustedInstaller, TiWorker, wuauclt) are excluded to reduce noise from Windows Update boot file operations.

Data Sources

Drive: Drive ModificationDrive: Drive AccessProcess: Process CreationFile: File CreationFile: File ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceEventsDeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates
  • Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations
  • Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows
  • IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment
  • Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files
Download portable Sigma rule (.yml)

Other platforms for T1542.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MBR Sector Read via PowerShell Raw Disk Access (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0' and 'FileStream'. Sysmon Event ID 9 (RawAccessRead): Device=\Device\Harddisk0\DR0, Image=powershell.exe. MDE DeviceEvents: ActionType=RawDiskReadAccess, InitiatingProcessFileName=powershell.exe.

  2. Test 2EFI System Partition Enumeration via mountvol (Windows)

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'mountvol' and '/S'. Sysmon Event ID 1: Follow-on 'dir' command against X:\EFI\. Security Event ID 4688 for each process. File access events for EFI directory traversal in DeviceFileEvents.

  3. Test 3Simulate MBR Write with dd on Linux

    Expected signal: Auditd EXECVE record for dd with args 'if=/dev/zero', 'of=/dev/null', 'bs=446', 'count=1'. Syslog process creation record. In environments with Falco or similar eBPF security tooling: open syscall for /dev/zero with write context.

  4. Test 4Suspicious bcdedit Enumeration for Bootkit Reconnaissance (Windows)

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe, then bcdedit.exe with CommandLine '/enum all' and '/enum firmware'. Sysmon Event ID 11: FileCreate for %TEMP%\bcd_enum.txt. Security Event ID 4688 for bcdedit.exe. DeviceProcessEvents: FileName=bcdedit.exe.

Last updated: 2026-03-12 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1542.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1542Pre-OS Boot

Related Sub-techniques

T1542.001System FirmwareT1542.002Component FirmwareT1542.004ROMMONkitT1542.005TFTP Boot

Related Techniques

T1542Pre-OS BootT1542.001System FirmwareT1542.002Component FirmwareT1055Process InjectionT1014RootkitT1561.002Disk Structure WipeT1027Obfuscated Files or InformationT1068Exploitation for Privilege EscalationT1078.002Domain AccountsT1485Data Destruction

Same Tactic: Persistence

Popular Detections