Detect Pre-OS Boot in Google Chronicle
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than the disk itself.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Technique
- T1542 Pre-OS Boot
- Canonical reference
- https://attack.mitre.org/techniques/T1542/
YARA-L Detection Query
rule pre_os_boot_persistence_t1542 {
meta:
author = "df00tech"
description = "Detects Pre-OS Boot persistence attempts (MITRE T1542) including firmware tool execution, raw disk handle access, boot configuration modification, and EFI/bootloader file writes"
mitre_attack_tactic = "Persistence"
mitre_attack_technique = "T1542"
mitre_attack_subtechniques = "T1542.001, T1542.002, T1542.003"
severity = "CRITICAL"
confidence = "HIGH"
created = "2026-04-20"
platforms = "Windows"
events:
// Branch 1: Known firmware manipulation tool execution
(
$e1.metadata.event_type = "PROCESS_LAUNCH"
and (
re.regex($e1.target.process.file.full_path, `(?i)(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)`)
or re.regex($e1.target.process.command_line, `(?i)(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64)`)
)
)
or
// Branch 2: Raw disk handle access (MBR/VBR access)
(
$e1.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e1.target.process.command_line, `(?i)(physicaldrive|\\.\\harddisk|\\device\\harddisk)`)
and not re.regex($e1.target.process.file.full_path, `(?i)(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe`)
and not re.regex($e1.principal.process.file.full_path, `(?i)(services|wininit|smss)\.exe`)
)
or
// Branch 3: Boot configuration modification
(
$e1.metadata.event_type = "PROCESS_LAUNCH"
and (
(
re.regex($e1.target.process.file.full_path, `(?i)bcdedit\.exe`)
and re.regex($e1.target.process.command_line, `(?i)(/set|/create|/delete|/import|/store|/deletevalue)`)
and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe`)
)
or (
re.regex($e1.target.process.file.full_path, `(?i)bootrec\.exe`)
and re.regex($e1.target.process.command_line, `(?i)(/fixmbr|/fixboot|/rebuildbcd|/scanos)`)
)
or (
re.regex($e1.target.process.file.full_path, `(?i)bcdboot\.exe`)
and not re.regex($e1.target.process.command_line, `(?i)/help`)
and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe`)
)
)
)
or
// Branch 4: EFI or bootloader file creation/modification
(
$e1.metadata.event_type = "FILE_CREATION"
and (
re.regex($e1.target.file.full_path, `(?i)(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr$|ntldr$)`)
)
and not re.regex($e1.principal.process.file.full_path, `(?i)(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|fwupd|fwupdmgr|bootupd|wininit|svchost)\.exe`)
)
condition:
$e1
}Chronicle YARA-L 2.0 rule detecting Pre-OS Boot persistence (MITRE T1542) through four behavioral branches: firmware manipulation tool execution (CHIPSEC, RWEverything, flashrom, AMIBCP), raw disk handle access indicating MBR/VBR manipulation, boot configuration modification via bcdedit/bootrec/bcdboot without legitimate parent processes, and unauthorized EFI/bootloader file creation. Uses UDM fields for process and file event correlation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate UEFI firmware updates deployed through OEM tools (Dell BIOSConnect, HP BIOS Flash, Lenovo Thin Installer) where the initiating process is a vendor-signed updater or Windows Update agent
- Windows Servicing operations during major OS updates (feature upgrades, cumulative updates with bootloader revisions) initiated by TrustedInstaller.exe or WaasMedicAgent.exe
- Enterprise imaging workflows using Microsoft Deployment Toolkit (MDT) or WDS where bcdedit and bcdboot are invoked by deployment framework parent processes during OS provisioning
Other platforms for T1542
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Boot Configuration Modification via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification alert fires if the parent process is not in the LegitBootParents allowlist.
- Test 2MBR Read via Raw Disk Handle (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection.
- Test 3MBR Sector Read via dd (Linux)
Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. Auditd rule 'auditctl -a always,exit -F arch=b64 -S open -F path=/dev/sda -k mbr_access' would generate additional OPEN syscall events for /dev/sda.
- Test 4bootrec Scan for Windows Installations
Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.
References (9)
- https://attack.mitre.org/techniques/T1542/
- https://en.wikipedia.org/wiki/Booting
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
- https://github.com/chipsec/chipsec
- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
- https://uefi.org/specifications
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542/T1542.md
Unlock Pro Content
Get the full detection package for T1542 including response playbook, investigation guide, and atomic red team tests.