Detect Bootkit in Splunk
Adversaries may use bootkits to persist on systems by modifying boot sectors or EFI System Partition (ESP) files, enabling malicious code to execute before the operating system loads. On BIOS systems, adversaries overwrite the Master Boot Record (MBR) or Volume Boot Record (VBR) to hijack the boot sequence. On UEFI systems, they create or modify files in the ESP (e.g., bootmgfw.efi, shimx64.efi) to run malicious kernel code. Notable real-world examples include WhisperGate (MBR overwrite with fake ransom note), BOOTRASH (VBR persistence), TrickBot's TrickBoot module (UEFI firmware implant), ROCKBOOT (MBR bootkit deployed by APT41), and BlackLotus (UEFI bootkit bypassing Secure Boot). Bootkits survive OS reinstallation and are extremely difficult to remediate without specialized tooling and hardware replacement in severe cases. Detection depends on identifying raw disk write operations, suspicious process access to physical drive paths, unauthorized ESP file modifications, and use of known firmware/boot manipulation utilities.
MITRE ATT&CK
- Tactic: Persistence, Defense Evasion
- Technique: T1542 Pre-OS Boot
- Sub-technique: T1542.003 Bootkit
- Canonical reference: https://attack.mitre.org/techniques/T1542/003/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval isProcessCreate=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1, 1, 0)
| eval isFileCreate=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode IN (11, 23), 1, 0)
| eval isRawAccess=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=9, 1, 0)
| eval isSecurity4688=if(sourcetype="WinEventLog:Security" AND EventCode=4688, 1, 0)
| eval CmdLower=lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval ImageLower=lower(coalesce(Image, NewProcessName, ""))
| eval TargetFileLower=lower(coalesce(TargetFilename, ""))
| eval RawDiskAccess=if(match(CmdLower, "(\\\\\\.\\\\physicaldrive|\\\\device\\\\harddisk|\\.\\\\physicaldrive0)"), 1, 0)
| eval BootToolUsed=if(match(ImageLower, "(bootsect\.exe|mbrfix\.exe|bootice\.exe|rawwrite\.exe|mbr2gpt\.exe)") OR match(CmdLower, "(dd\.exe|bootice|mbrfix|rawwrite)"), 1, 0)
| eval DiskpartWrite=if(match(ImageLower, "diskpart\.exe") AND match(CmdLower, "(active|format|mbr|gpt|override)"), 1, 0)
| eval EFIFileWrite=if(isFileCreate=1 AND match(TargetFileLower, "(\\.efi$|\\\\efi\\\\|\\\\boot\\\\bootmgr|bootmgfw|grubx64|shimx64|bootx64)"), 1, 0)
| eval SysmonRawDisk=if(isRawAccess=1, 1, 0)
| eval SuspicionScore=RawDiskAccess + BootToolUsed + DiskpartWrite + EFIFileWrite + SysmonRawDisk
| where SuspicionScore > 0
| eval LegitUpdater=if(match(ImageLower, "(trustedinstaller|tiworker|wuauclt|msmpsvc|msmpeng|senseir)"), 1, 0)
| where LegitUpdater=0
| table _time, host, User, Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine, RawDiskAccess, BootToolUsed, DiskpartWrite, EFIFileWrite, SysmonRawDisk, SuspicionScore
| sort - SuspicionScore, - _time
Detects bootkit installation activity using Sysmon and Windows Security event logs with a multi-signal suspicion scoring model. It monitors Sysmon EventCode 1 (Process Create) for execution of boot manipulation tools and raw disk paths in command lines, EventCode 9 (RawAccessRead) for raw disk reads that often precede writes, and EventCode 11 (FileCreate) and 23 (FileDelete) for unauthorized creation or deletion of .efi and boot manager files in boot directories. Windows Security EventCode 4688 (Process Creation) provides coverage when Sysmon is absent. Each event is scored across five signal categories, with higher scores indicating higher confidence of malicious activity; known Windows Update and Defender processes are filtered after scoring.
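As an added example (not part of the original detection page), the following Python re-implements the query's eval chain and LegitUpdater filter over constructed sample events modelled on the Testing Methodology signals, so the regexes can be checked offline before the SPL is deployed; it also shows that a bcdedit enumeration (Test 4) scores 0 under this query, since none of its patterns match bcdedit. File paths and the unknown process name are constructed placeholders.

```python
import re

# The SPL match() patterns from the query, as Python regexes (Splunk's doubled
# backslashes in the query string become single regex escapes here).
RAW_DISK_RE = re.compile(r"\\\\\.\\physicaldrive|\\device\\harddisk|\.\\physicaldrive0")
BOOT_TOOL_IMAGE_RE = re.compile(r"bootsect\.exe|mbrfix\.exe|bootice\.exe|rawwrite\.exe|mbr2gpt\.exe")
BOOT_TOOL_CMD_RE = re.compile(r"dd\.exe|bootice|mbrfix|rawwrite")
DISKPART_CMD_RE = re.compile(r"active|format|mbr|gpt|override")
EFI_FILE_RE = re.compile(r"\.efi$|\\efi\\|\\boot\\bootmgr|bootmgfw|grubx64|shimx64|bootx64")
LEGIT_UPDATER_RE = re.compile(r"trustedinstaller|tiworker|wuauclt|msmpsvc|msmpeng|senseir")
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

def score_event(event: dict) -> dict:
    """Apply the query's eval chain to one event: five signal flags, SuspicionScore, LegitUpdater, Alert."""
    sysmon = event.get("sourcetype") == SYSMON
    code = event.get("EventCode")
    # coalesce() as in the query: Sysmon field names first, Security 4688 names as fallback
    cmd = (event.get("CommandLine") or event.get("ProcessCommandLine") or "").lower()
    image = (event.get("Image") or event.get("NewProcessName") or "").lower()
    target = (event.get("TargetFilename") or "").lower()
    flags = {
        "RawDiskAccess": int(bool(RAW_DISK_RE.search(cmd))),
        "BootToolUsed": int(bool(BOOT_TOOL_IMAGE_RE.search(image) or BOOT_TOOL_CMD_RE.search(cmd))),
        "DiskpartWrite": int("diskpart.exe" in image and bool(DISKPART_CMD_RE.search(cmd))),
        "EFIFileWrite": int(sysmon and code in (11, 23) and bool(EFI_FILE_RE.search(target))),
        "SysmonRawDisk": int(sysmon and code == 9),
    }
    flags["SuspicionScore"] = sum(flags.values())
    # The updater allow-list is applied after scoring, like `| where LegitUpdater=0`
    flags["LegitUpdater"] = int(bool(LEGIT_UPDATER_RE.search(image)))
    flags["Alert"] = flags["SuspicionScore"] > 0 and flags["LegitUpdater"] == 0
    return flags

# Constructed sample telemetry (not real logs), modelled on the Testing Methodology signals.
SAMPLE_EVENTS = {
    "test1_ps_rawdisk": {"sourcetype": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": r"powershell.exe -c [IO.File]::OpenRead('\\.\PhysicalDrive0')"},
    "test1_rawaccessread": {"sourcetype": SYSMON, "EventCode": 9, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Device": r"\Device\Harddisk0\DR0"},
    "test4_bcdedit": {"sourcetype": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit.exe /enum all"},
    "update_efi_write": {"sourcetype": SYSMON, "EventCode": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe", "TargetFilename": r"S:\EFI\Microsoft\Boot\bootmgfw.efi"},
    "unknown_efi_write": {"sourcetype": SYSMON, "EventCode": 11, "Image": r"C:\Users\Public\placeholder-unknown.exe", "TargetFilename": r"S:\EFI\Boot\bootx64.efi"},
    "sec4688_bootsect": {"sourcetype": "WinEventLog:Security", "EventCode": 4688, "NewProcessName": r"C:\Windows\System32\bootsect.exe", "ProcessCommandLine": "bootsect.exe /nt60 SYS"},
}

def alerts(events: dict) -> list:
    """Event names that reach the final table, highest SuspicionScore first (the query's sort)."""
    scored = {name: score_event(ev) for name, ev in events.items()}
    return sorted((n for n, f in scored.items() if f["Alert"]), key=lambda n: -scored[n]["SuspicionScore"])
```

The TrustedInstaller write to bootmgfw.efi scores 1 but is dropped by the LegitUpdater filter, which is the false-positive path described in the tuning notes below.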
Data Sources
Required Sourcetypes
False Positives & Tuning
- Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates
- Disk management and partitioning tools during legitimate IT operations (cloning, imaging, provisioning)
- Dual-boot configuration tools (bootice.exe, grub-install via WSL) during authorized multi-OS setup
- Manufacturer firmware update utilities that access raw disk sectors to update BIOS/UEFI components
- Disk diagnostic tools performing sector-level reads for health analysis
Other platforms for T1542.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: MBR Sector Read via PowerShell Raw Disk Access (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0' and 'FileStream'. Sysmon Event ID 9 (RawAccessRead): Device=\Device\Harddisk0\DR0, Image=powershell.exe. MDE DeviceEvents: ActionType=RawDiskReadAccess, InitiatingProcessFileName=powershell.exe.
- Test 2: EFI System Partition Enumeration via mountvol (Windows)
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'mountvol' and '/S'. Sysmon Event ID 1: Follow-on 'dir' command against X:\EFI\. Security Event ID 4688 for each process. File access events for EFI directory traversal in DeviceFileEvents.
- Test 3: Simulate MBR Write with dd on Linux
Expected signal: Auditd EXECVE record for dd with args 'if=/dev/zero', 'of=/dev/null', 'bs=446', 'count=1'. Syslog process creation record. In environments with Falco or similar eBPF security tooling: open syscall for /dev/zero with write context.
- Test 4: Suspicious bcdedit Enumeration for Bootkit Reconnaissance (Windows)
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe, then bcdedit.exe with CommandLine '/enum all' and '/enum firmware'. Sysmon Event ID 11: FileCreate for %TEMP%\bcd_enum.txt. Security Event ID 4688 for bcdedit.exe. DeviceProcessEvents: FileName=bcdedit.exe.
References (9)
- https://attack.mitre.org/techniques/T1542/003/
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/
- https://eclypsium.com/blog/trickbot-now-offers-trickboot-persist-brick-profit/
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542.003/T1542.003.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://docs.microsoft.com/en-us/windows/security/threat-protection/secure-boot/secure-boot-landing