Detect Pre-OS Boot in IBM QRadar

Adversaries may abuse Pre-OS Boot mechanisms to establish persistence on a system. During the boot process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or in firmware such as the BIOS (Basic Input/Output System) or the Unified Extensible Firmware Interface (UEFI) to persist at a layer below the operating system. This is particularly difficult to detect because malware at this level is not visible to host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than on the disk itself.

MITRE ATT&CK

Tactic
Defense Evasion, Persistence
Technique
T1542 Pre-OS Boot
Canonical reference
https://attack.mitre.org/techniques/T1542/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip,
  "devicehostname" AS hostname,
  "Command" AS process_command,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "File Path" AS file_path,
  CASE
    WHEN "Process Name" IMATCHES '.*(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate).*' THEN 'FirmwareToolExecution'
    WHEN ("Command" IMATCHES '.*(physicaldrive|\.\\harddisk|\\device\\harddisk).*'
          AND NOT ("Process Name" IMATCHES '.*(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup).*')
          AND NOT ("Parent Process Name" IMATCHES '.*(services\.exe|wininit\.exe|smss\.exe).*')) THEN 'RawDiskAccess'
    WHEN ("Process Name" IMATCHES '.*bcdedit\.exe.*'
          AND "Command" IMATCHES '.*(/set|/create|/delete|/import|/store|/deletevalue).*'
          AND NOT ("Parent Process Name" IMATCHES '.*(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe).*')) THEN 'BootConfigModification'
    WHEN ("Process Name" IMATCHES '.*bootrec\.exe.*'
          AND "Command" IMATCHES '.*(/fixmbr|/fixboot|/rebuildbcd|/scanos).*') THEN 'BootConfigModification'
    WHEN ("Process Name" IMATCHES '.*bcdboot\.exe.*'
          AND NOT ("Command" IMATCHES '.*/help.*')
          AND NOT ("Parent Process Name" IMATCHES '.*(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe).*')) THEN 'BootConfigModification'
    WHEN ("File Path" IS NOT NULL
          AND "File Path" IMATCHES '.*(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr|ntldr).*'
          AND NOT ("Process Name" IMATCHES '.*(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe).*')) THEN 'BootFileWrite'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    /* Firmware tool execution */
    "Process Name" IMATCHES '.*(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate).*'
    OR "Command" IMATCHES '.*(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi.firmware|biosupdate|uefiflash).*'
    /* Raw disk access (allowlist maintenance tools and service-host parents) */
    OR (
      "Command" IMATCHES '.*(physicaldrive|\.\\harddisk|\\device\\harddisk).*'
      AND NOT ("Process Name" IMATCHES '.*(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup).*')
      AND NOT ("Parent Process Name" IMATCHES '.*(services\.exe|wininit\.exe|smss\.exe).*')
    )
    /* Boot config modification (allowlist installer/servicing parents) */
    OR (
      "Process Name" IMATCHES '.*(bcdedit\.exe|bootrec\.exe|bcdboot\.exe).*'
      AND "Command" IMATCHES '.*(/set|/create|/delete|/import|/store|/deletevalue|/fixmbr|/fixboot|/rebuildbcd|/scanos).*'
      AND NOT ("Parent Process Name" IMATCHES '.*(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe).*')
    )
    /* Boot file writes via Sysmon event 11 (allowlist OS servicing and firmware updaters) */
    OR (
      "File Path" IS NOT NULL
      AND "File Path" IMATCHES '.*(\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr|ntldr).*'
      AND NOT ("Process Name" IMATCHES '.*(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe).*')
    )
  )
ORDER BY starttime DESC
LAST 1 DAYS
Severity: critical. Confidence: high.

AQL query detecting Pre-OS Boot (T1542) persistence mechanisms across QRadar event sources including firmware tool execution, raw disk handle access indicating MBR/VBR tampering, boot configuration changes via bcdedit/bootrec/bcdboot, and unauthorized EFI/bootloader file writes. Aggregates detections from Windows Security Event Log and Sysmon log sources.

Data Sources

  • Microsoft Windows Security Event Log
  • Sysmon via Windows Event Forwarding
  • QRadar DSM for Windows

Required Tables

events

False Positives & Tuning

  • Authorized firmware update utilities deployed by IT teams through SCCM or Intune — these will show parent processes like svchost.exe or msiexec.exe and originate from trusted software distribution paths
  • Windows OS in-place upgrade or repair operations that legitimately rewrite bootloader components — event context will show TrustedInstaller or setuphost.exe as initiating process
  • Penetration test or red team exercises using CHIPSEC or RWEverything under authorized change control — correlate with approved change window tickets
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Boot Configuration Modification via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification alert fires if the parent process is not in the LegitBootParents allowlist.

  2. Test 2: MBR Read via Raw Disk Handle (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection.

  3. Test 3: MBR Sector Read via dd (Linux)

    Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. Auditd rule 'auditctl -a always,exit -F arch=b64 -S open -F path=/dev/sda -k mbr_access' would generate additional OPEN syscall events for /dev/sda.

  4. Test 4: bootrec Scan for Windows Installations

    Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.
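To check the classification and tuning logic offline before running the query against live data, the following Python is an added example, not part of the page's detection package: it ports the CASE branches and allowlists above to case-insensitive whole-string regexes and replays them over constructed Sysmon-style records for tests 1, 2 and 4, a boot-file write by an unknown binary, and two allowlisted cases that should be suppressed.

```python
import re

# Pattern lists are copied from the AQL query above; the Python wrapper and
# the sample events are added here (not part of the page's detection package).
FIRMWARE_TOOLS = r"rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate"
RAW_DISK = r"physicaldrive|\.\\harddisk|\\device\\harddisk"
DISK_TOOLS = r"defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup"
SYSTEM_PARENTS = r"services\.exe|wininit\.exe|smss\.exe"
BCD_ARGS = r"/set|/create|/delete|/import|/store|/deletevalue"
BOOTREC_ARGS = r"/fixmbr|/fixboot|/rebuildbcd|/scanos"
INSTALL_PARENTS = r"setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe"
BOOT_FILES = r"\\efi\\|\\boot\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\bootmgr|ntldr"
BOOT_WRITERS = r"setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe"

def imatches(value, alternation):
    """Case-insensitive whole-string match against '.*(...).*'; a missing field never matches."""
    return value is not None and re.fullmatch(f".*({alternation}).*", value, re.I | re.S) is not None

def classify(ev):
    """Return the detection_type the query's CASE branches would assign to one event, or None."""
    proc, cmd, parent, path = ev.get("process"), ev.get("command"), ev.get("parent"), ev.get("file_path")
    if imatches(proc, FIRMWARE_TOOLS):
        return "FirmwareToolExecution"
    if imatches(cmd, RAW_DISK) and not imatches(proc, DISK_TOOLS) and not imatches(parent, SYSTEM_PARENTS):
        return "RawDiskAccess"
    if imatches(proc, r"bcdedit\.exe") and imatches(cmd, BCD_ARGS) and not imatches(parent, INSTALL_PARENTS):
        return "BootConfigModification"
    if imatches(proc, r"bootrec\.exe") and imatches(cmd, BOOTREC_ARGS):
        return "BootConfigModification"
    if imatches(proc, r"bcdboot\.exe") and not imatches(cmd, "/help") and not imatches(parent, INSTALL_PARENTS):
        return "BootConfigModification"
    if path is not None and imatches(path, BOOT_FILES) and not imatches(proc, BOOT_WRITERS):
        return "BootFileWrite"
    return None

# Constructed Sysmon-style records (not real telemetry): tests 1, 2 and 4 above,
# an unknown binary writing the EFI boot manager, then two allowlisted cases.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\bcdedit.exe", "command": "bcdedit /set {current} description test", "parent": r"C:\Windows\System32\cmd.exe"},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command": r"powershell -c [IO.File]::OpenRead('\\.\PhysicalDrive0')", "parent": r"C:\Windows\explorer.exe"},
    {"process": r"X:\Windows\System32\bootrec.exe", "command": "bootrec /scanos", "parent": r"C:\Windows\System32\cmd.exe"},
    {"process": r"C:\Users\Public\updater.exe", "file_path": r"S:\EFI\Microsoft\Boot\bootmgfw.efi"},
    {"process": r"C:\Windows\System32\bcdedit.exe", "command": "bcdedit /set {default} safeboot minimal", "parent": r"C:\Windows\System32\msiexec.exe"},
    {"process": r"C:\Windows\servicing\TrustedInstaller.exe", "file_path": r"C:\Windows\Boot\EFI\bootmgfw.efi"},
]

def run_samples():
    """Classify every sample event in order; the last two should come back as None."""
    return [classify(ev) for ev in SAMPLE_EVENTS]
```

run_samples() returns the verdict for each record in list order, so adding a candidate exclusion to one of the pattern lists and re-running shows immediately which test signals it would suppress.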
