T1542 Elastic Security · Elastic

Detect Pre-OS Boot in Elastic Security

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than the disk itself.

MITRE ATT&CK

Tactic
Defense Evasion Persistence
Technique
T1542 Pre-OS Boot
Canonical reference
https://attack.mitre.org/techniques/T1542/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
[
  any where (
    /* Firmware tool execution */
    (
      event.category == "process" and event.type == "start" and
      (
        process.name in~ (
          "RWEverything.exe", "RWE.exe", "Rw.exe",
          "chipsec_main.exe", "chipsec.exe",
          "flashrom.exe",
          "afuwin64.exe", "afuwin32.exe", "afudos.exe",
          "WinFlash.exe", "biosflash.exe",
          "FPT.exe", "FPTW64.exe", "FPTW.exe",
          "H2OUVE-W-PEXE64.exe", "H2OFFT-W.exe", "H2OUVE.exe",
          "AMIBCP.exe", "AMIDEWin64.exe", "AMIDEWin.exe",
          "FWUpdateLocalApp.exe", "FirmwareUpdate.exe"
        ) or
        process.args : ("*chipsec*", "*flashrom*", "*rweverything*", "*afuwin*", "*biosupdate*", "*uefiflash*", "*H2OUVE*", "*AMIBCP*")
      )
    ) or
    /* Raw disk handle access */
    (
      event.category == "process" and event.type == "start" and
      process.args : ("*\\\\.\\PhysicalDrive*", "*\\\\.\\PHYSICALDRIVE*", "*\\\\.\\Harddisk*", "*\\Device\\Harddisk*") and
      not process.name in~ ("defrag.exe", "chkdsk.exe", "diskpart.exe", "diskshadow.exe", "vssadmin.exe", "wbadmin.exe", "ntbackup.exe") and
      not process.parent.name in~ ("services.exe", "wininit.exe", "smss.exe")
    ) or
    /* Boot configuration modification */
    (
      event.category == "process" and event.type == "start" and
      (
        (
          process.name =~ "bcdedit.exe" and
          process.args : ("/set", "/create", "/delete", "/import", "/store", "/deletevalue")
        ) or
        (
          process.name =~ "bootrec.exe" and
          process.args : ("/fixmbr", "/fixboot", "/rebuildbcd", "/scanos")
        ) or
        (
          process.name =~ "bcdboot.exe" and
          not process.args : "/help"
        )
      ) and
      not process.parent.name in~ (
        "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
        "msiexec.exe", "wuauclt.exe", "sysprep.exe", "svchost.exe", "wininit.exe"
      )
    ) or
    /* EFI/Boot file write */
    (
      event.category == "file" and
      event.type in ("creation", "change") and
      (
        file.path : ("*\\EFI\\*", "*\\Boot\\*") or
        file.name in~ (
          "bootmgfw.efi", "bootx64.efi", "grubx64.efi", "shimx64.efi",
          "bootmgr", "BOOTMGR", "winload.efi", "winload.exe", "ntldr", "NTLDR"
        )
      ) and
      not process.name in~ (
        "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
        "msiexec.exe", "wuauclt.exe", "sysprep.exe", "fwupd", "fwupdmgr",
        "bootupd", "wininit.exe", "svchost.exe"
      )
    )
  )
] with runs=1
critical severity high confidence

Detects Pre-OS Boot persistence attempts (MITRE T1542) including firmware tool execution, raw disk handle access for MBR/VBR manipulation, boot configuration modification via bcdedit/bootrec/bcdboot, and unauthorized writes to EFI or bootloader files. Covers firmware implants, bootkits, and UEFI persistence. Uses Elastic EQL with ECS fields against Endpoint logs.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonAuditbeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Legitimate BIOS/firmware updates from vendor-supplied tools such as Dell Command Update, HP Support Assistant, or Lenovo System Update — these typically run from %ProgramFiles% or vendor-specific paths and are initiated by the vendor update service
  • Windows Update or DISM operations modifying bootloader files during OS upgrades or in-place repairs — process parent will be TrustedInstaller.exe or WUAgent
  • Linux dual-boot systems running GRUB updates via package manager (grub-install, update-grub) which may trigger EFI directory file events
  • Security researchers or red team operators running authorized firmware assessment tools such as CHIPSEC in a controlled environment
  • bcdedit.exe invocations by enterprise imaging solutions (Symantec Ghost, Acronis, MDT) during OS deployment to configure boot entries
Download portable Sigma rule (.yml)

Other platforms for T1542

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Boot Configuration Modification via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification alert fires if the parent process is not in the LegitBootParents allowlist.

  2. Test 2MBR Read via Raw Disk Handle (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection.

  3. Test 3MBR Sector Read via dd (Linux)

    Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. Auditd rule 'auditctl -a always,exit -F arch=b64 -S open -F path=/dev/sda -k mbr_access' would generate additional OPEN syscall events for /dev/sda.

  4. Test 4bootrec Scan for Windows Installations

    Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.

Last updated: 2026-04-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1542 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (5)

Related Techniques

T1542.001System FirmwareT1542.002Component FirmwareT1542.003BootkitT1542.004ROMMONkitT1542.005TFTP BootT1014RootkitT1495Firmware CorruptionT1553.002Code SigningT1601Modify System ImageT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections