T1542 CrowdStrike LogScale · LogScale

Detect Pre-OS Boot in CrowdStrike LogScale

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This is particularly difficult to detect, because malware at this level is not visible to host software-based defenses that load after the OS.

Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than on the disk itself. The practical consequence for detection is that the implant itself is rarely observable from the OS; what is observable is the act of installing it: firmware flashing tools, raw disk writes to the MBR/VBR, boot configuration changes, and writes to the EFI system partition. The query below targets those installation steps.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence
Technique
T1542 Pre-OS Boot
Canonical reference
https://attack.mitre.org/techniques/T1542/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

// Pre-OS Boot Persistence Detection (T1542)
// One pass over process and file telemetry. case{} assigns DetectionType from the
// first matching branch; events that match no branch are dropped before grouping.
(#event_simpleName=ProcessRollup2 OR #event_simpleName=FileActionDone)
| case {
    // Branch 1: firmware read/flash utilities (RWEverything, CHIPSEC, flashrom, OEM flashers)
    #event_simpleName=ProcessRollup2
      AND (FileName=/(?i)(rweverything|rwe\.exe|rw\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)/
        OR CommandLine=/(?i)(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64|memanuf)/)
    | DetectionType := "FirmwareToolExecution";

    // Branch 2: raw disk device paths on the command line: \\.\PhysicalDriveN, \\.\HarddiskN,
    // \Device\HarddiskN and Linux block devices. Built-in disk tools and service hosts are excluded.
    // Note: this only sees device paths passed as arguments; a binary or script that opens the
    // device internally leaves nothing on the command line and must be caught by the other branches.
    #event_simpleName=ProcessRollup2
      AND CommandLine=/(?i)(\\\\\.\\(physicaldrive|harddisk)|\\device\\harddisk|\/dev\/(sd[a-z]|nvme\d+n\d+|hd[a-z]|vd[a-z]))/
      AND NOT FileName=/(?i)^(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe$/
      AND NOT ParentBaseFileName=/(?i)^(services|wininit|smss)\.exe$/
    | DetectionType := "RawDiskAccess";

    // Branch 3: BCD store modification via bcdedit outside OS servicing parents
    #event_simpleName=ProcessRollup2
      AND FileName=/(?i)^bcdedit\.exe$/
      AND CommandLine=/(?i)\/(set|create|delete|import|store|deletevalue)/
      AND NOT ParentBaseFileName=/(?i)^(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe$/
    | DetectionType := "BootConfigModification_bcdedit";

    // Branch 4: bootrec MBR / boot sector / BCD rewrites
    #event_simpleName=ProcessRollup2
      AND FileName=/(?i)^bootrec\.exe$/
      AND CommandLine=/(?i)\/(fixmbr|fixboot|rebuildbcd|scanos)/
    | DetectionType := "BootConfigModification_bootrec";

    // Branch 5: bcdboot boot-file (re)deployment outside OS servicing parents
    #event_simpleName=ProcessRollup2
      AND FileName=/(?i)^bcdboot\.exe$/
      AND NOT CommandLine=/(?i)\/help/
      AND NOT ParentBaseFileName=/(?i)^(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe$/
    | DetectionType := "BootConfigModification_bcdboot";

    // Branch 6: writes under the EFI system partition or to bootloader files.
    // ImageFileName is a full path on FileActionDone, so the exclusion is anchored on the base name.
    #event_simpleName=FileActionDone
      AND (FilePath=/(?i)(\\efi\\|\\boot\\bcd)/
        OR FileName=/(?i)^(bootmgfw\.efi|bootx64\.efi|grubx64\.efi|shimx64\.efi|winload\.efi|bootmgr|ntldr)$/)
      AND NOT ImageFileName=/(?i)\\(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|fwupd|bootupd|wininit|svchost)\.exe$/
    | DetectionType := "BootFileWrite";

    * | DetectionType := "none"
  }
| DetectionType != "none"
// FileActionDone events carry no CommandLine/ParentBaseFileName, so group on fields both event
// types share and collect the per-type detail fields instead.
| groupBy([ComputerName, DetectionType, FileName], function=[
    count(as=EventCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen),
    collect([CommandLine, FilePath, ImageFileName, ParentBaseFileName, UserName])
  ])
| sort(LastSeen, order=desc)

Severity
critical
Confidence
high

CrowdStrike LogScale (Falcon) CQL query detecting Pre-OS Boot persistence (MITRE T1542) using Falcon sensor events. It covers firmware manipulation tool execution via ProcessRollup2 events, raw disk device paths on the command line suggesting MBR/VBR tampering, boot configuration modification via bcdedit/bootrec/bcdboot without legitimate parents, and EFI/bootloader file writes via FileActionDone events. Results are grouped by host, process and detection type with first/last seen timestamps. Two caveats: the raw-disk branch only fires when the device path appears on the command line (a compiled dropper that opens \\.\PhysicalDrive0 itself produces no such argument, so the boot-file-write and firmware-tool branches are the backstop there), and the parent-process exclusions trade coverage for noise, since an adversary who spawns bcdedit.exe from a process named svchost.exe is excluded along with the real service host.
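To check what the branch logic actually classifies before deploying it, the following Python reproduces the query's branches over constructed Falcon-style events and groups the hits the way the query's groupBy does. It is an added example, not CrowdStrike code and not part of the original page; the event dictionaries are made up for this illustration, the field names follow the query above, and the Linux /dev device patterns in the raw-disk regex are an extension of the Windows-only paths the page lists. The sample set replays the four test cases from the Testing Methodology below alongside benign look-alikes (a feature-update bcdedit, diskpart referencing a physical drive, TrustedInstaller rewriting bootmgfw.efi) that the exclusions are supposed to suppress.

```python
import re

# Added illustration of the LogScale query's branch logic, run offline over constructed
# Falcon-style events. Not CrowdStrike code; field names follow the query on this page.

FIRMWARE_FILE = re.compile(r"(?i)(rweverything|rwe\.exe|rw\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)")
FIRMWARE_CMD = re.compile(r"(?i)(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64|memanuf)")
# \\.\PhysicalDriveN, \\.\HarddiskN, \Device\HarddiskN, plus Linux block devices (my extension)
RAW_DISK = re.compile(r"(?i)(\\\\\.\\(physicaldrive|harddisk)|\\device\\harddisk|/dev/(sd[a-z]|nvme\d+n\d+|hd[a-z]|vd[a-z]))")
DISK_TOOLS = re.compile(r"(?i)^(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)\.exe$")
SYSTEM_PARENTS = re.compile(r"(?i)^(services|wininit|smss)\.exe$")
BCDEDIT_ARGS = re.compile(r"(?i)/(set|create|delete|import|store|deletevalue)")
BOOTREC_ARGS = re.compile(r"(?i)/(fixmbr|fixboot|rebuildbcd|scanos)")
BOOT_PARENTS = re.compile(r"(?i)^(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|svchost|wininit)\.exe$")
BOOT_PATH = re.compile(r"(?i)(\\efi\\|\\boot\\bcd)")
BOOT_FILE = re.compile(r"(?i)^(bootmgfw\.efi|bootx64\.efi|grubx64\.efi|shimx64\.efi|winload\.efi|bootmgr|ntldr)$")
# ImageFileName is a full path, so anchor the exclusion on the trailing base name
BOOT_WRITERS = re.compile(r"(?i)\\(setup|setuphost|dism|trustedinstaller|msiexec|wuauclt|sysprep|fwupd|bootupd|wininit|svchost)\.exe$")


def classify(ev):
    """Return the DetectionType the query would assign, or None if the event is dropped."""
    name = ev.get("FileName", "")
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentBaseFileName", "")
    if ev.get("event_simpleName") == "ProcessRollup2":
        if FIRMWARE_FILE.search(name) or FIRMWARE_CMD.search(cmd):
            return "FirmwareToolExecution"
        if RAW_DISK.search(cmd) and not DISK_TOOLS.search(name) and not SYSTEM_PARENTS.search(parent):
            return "RawDiskAccess"
        if name.lower() == "bcdedit.exe" and BCDEDIT_ARGS.search(cmd) and not BOOT_PARENTS.search(parent):
            return "BootConfigModification_bcdedit"
        if name.lower() == "bootrec.exe" and BOOTREC_ARGS.search(cmd):
            return "BootConfigModification_bootrec"
        if name.lower() == "bcdboot.exe" and "/help" not in cmd.lower() and not BOOT_PARENTS.search(parent):
            return "BootConfigModification_bcdboot"
    elif ev.get("event_simpleName") == "FileActionDone":
        if (BOOT_PATH.search(ev.get("FilePath", "")) or BOOT_FILE.search(name)) \
                and not BOOT_WRITERS.search(ev.get("ImageFileName", "")):
            return "BootFileWrite"
    return None


def summarize(events):
    """Mirror the query's groupBy: (host, DetectionType, FileName) -> count, first/last seen, users."""
    groups = {}
    for ev in events:
        dtype = classify(ev)
        if dtype is None:
            continue
        key = (ev["ComputerName"], dtype, ev.get("FileName", ""))
        g = groups.setdefault(key, {"EventCount": 0, "FirstSeen": ev["ts"], "LastSeen": ev["ts"], "Users": set()})
        g["EventCount"] += 1
        g["FirstSeen"] = min(g["FirstSeen"], ev["ts"])
        g["LastSeen"] = max(g["LastSeen"], ev["ts"])
        g["Users"].add(ev.get("UserName", ""))
    return groups


def proc(host, ts, user, name, cmd, parent):
    """Build a minimal constructed ProcessRollup2-style event."""
    return {"event_simpleName": "ProcessRollup2", "ComputerName": host, "ts": ts, "UserName": user,
            "FileName": name, "CommandLine": cmd, "ParentBaseFileName": parent}


# Constructed sample telemetry (not real sensor data): the four test cases plus benign look-alikes.
SAMPLE_EVENTS = [
    proc("WS01", "2024-05-01T10:00:00Z", "alice", "bcdedit.exe", 'bcdedit.exe /set {current} description "t1542"', "cmd.exe"),  # Test 1
    proc("WS01", "2024-05-01T10:05:00Z", "SYSTEM", "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled Yes", "SetupHost.exe"),  # benign: feature update
    proc("WS01", "2024-05-01T10:10:00Z", "alice", "powershell.exe", r"powershell.exe -c [IO.File]::OpenRead('\\.\PhysicalDrive0')", "explorer.exe"),  # Test 2
    proc("WS01", "2024-05-01T10:12:00Z", "alice", "powershell.exe", r"powershell.exe -c [IO.File]::OpenRead('\\.\PhysicalDrive0')", "explorer.exe"),  # Test 2 again
    proc("LNX01", "2024-05-01T10:15:00Z", "root", "dd", "dd if=/dev/sda of=/tmp/mbr.bin bs=512 count=1", "bash"),  # Test 3
    proc("WS02", "2024-05-01T10:20:00Z", "bob", "bootrec.exe", "bootrec.exe /scanos", "cmd.exe"),  # Test 4
    proc("WS02", "2024-05-01T10:25:00Z", "bob", "diskpart.exe", r"diskpart.exe /s \\.\PhysicalDrive0_script.txt", "cmd.exe"),  # benign: excluded tool
    {"event_simpleName": "FileActionDone", "ComputerName": "WS02", "ts": "2024-05-01T10:30:00Z", "UserName": "bob",
     "FileName": "bootmgfw.efi", "FilePath": r"C:\Windows\Boot\EFI\bootmgfw.efi", "ImageFileName": r"C:\Users\Public\dropper.exe"},  # BootFileWrite
    {"event_simpleName": "FileActionDone", "ComputerName": "WS02", "ts": "2024-05-01T10:35:00Z", "UserName": "SYSTEM",
     "FileName": "bootmgfw.efi", "FilePath": r"C:\Windows\Boot\EFI\bootmgfw.efi", "ImageFileName": r"C:\Windows\servicing\TrustedInstaller.exe"},  # benign
]

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: kv[1]["LastSeen"], reverse=True):
        print(key, g["EventCount"], g["FirstSeen"], g["LastSeen"], sorted(g["Users"]))
```

Running the script prints five groups, one per (host, type, file), with the two PowerShell reads on WS01 collapsed into a single row with EventCount 2. The benign rows disappear for the reason the query intends in each case: SetupHost.exe is in the parent exclusion, diskpart.exe is in the disk-tool exclusion, and TrustedInstaller.exe is in the boot-writer exclusion. Swapping a sample's parent or image name is the quickest way to see how coarse those exclusions are.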

Data Sources

  • CrowdStrike Falcon Endpoint Protection
  • Falcon sensor ProcessRollup2 events
  • Falcon sensor FileActionDone events

Required Tables

  • ProcessRollup2
  • FileActionDone

False Positives & Tuning

  • OEM firmware update utilities executed by the Falcon-monitored endpoint during a sanctioned patching window — correlate ComputerName against change management records and verify the initiating process is a vendor-signed binary from a trusted install path
  • Microsoft Windows OS upgrade operations (in-place upgrade, feature update) that write to EFI/Boot paths — ParentBaseFileName (process events) or ImageFileName (file events) will be TrustedInstaller.exe or setuphost.exe and the process chain will include Windows Update components
  • System administrators using bcdedit.exe interactively during troubleshooting of boot failures — cross-reference with IT ticketing system and validate UserName is a privileged admin account in an approved maintenance window

Testing Methodology

Validate this detection against the four test cases below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see; on a Falcon-monitored host the Sysmon and Security events named here correspond to ProcessRollup2 (process creation) and FileActionDone (file writes), which is what the query consumes.

  1. Test 1: Boot Configuration Modification via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification_bcdedit alert fires because the parent (cmd.exe or powershell.exe) is not in the query's parent-process exclusion list (setup, setuphost, dism, trustedinstaller, msiexec, wuauclt, sysprep, svchost, wininit).

  2. Test 2: MBR Read via Raw Disk Handle (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection. Note that the match depends on the device path being passed on the command line; the same read performed from a script file (powershell.exe -File read_mbr.ps1) leaves no device path in ProcessRollup2 and will not trigger this branch.

  3. Test 3: MBR Sector Read via dd (Linux)

    Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. An auditd rule such as 'auditctl -a always,exit -F arch=b64 -S open -S openat -F path=/dev/sda -k mbr_access' would generate additional syscall events for /dev/sda (openat is included because modern glibc implements open() on top of the openat syscall, so a rule on open alone misses it).

  4. Test 4: bootrec Scan for Windows Installations

    Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.
