Detect Pre-OS Boot in Microsoft Sentinel

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than on the disk itself.

MITRE ATT&CK

Tactic: Defense Evasion, Persistence
Technique: T1542 Pre-OS Boot
Canonical reference: https://attack.mitre.org/techniques/T1542/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let FirmwareToolNames = dynamic([
    "RWEverything.exe", "RWE.exe", "Rw.exe",
    "chipsec_main.exe", "chipsec.exe",
    "flashrom.exe",
    "afuwin64.exe", "afuwin32.exe", "afudos.exe",
    "WinFlash.exe", "biosflash.exe",
    "FPT.exe", "FPTW64.exe", "FPTW.exe",
    "H2OUVE-W-PEXE64.exe", "H2OFFT-W.exe", "H2OUVE.exe",
    "AMIBCP.exe", "AMIDEWin64.exe", "AMIDEWin.exe",
    "FWUpdateLocalApp.exe", "FirmwareUpdate.exe"
]);
let FirmwareKeywords = dynamic([
    "chipsec", "flashrom", "rweverything",
    "afuwin", "afudos", "biosflash", "winflash",
    "H2OUVE", "AMIBCP", "uefi-firmware",
    "fptw64", "MEManuf", "biosupdate", "uefiflash"
]);
let BootloaderFiles = dynamic([
    "bootmgfw.efi", "bootx64.efi", "grubx64.efi", "shimx64.efi",
    "bootmgr", "BOOTMGR", "winload.efi", "winload.exe", "ntldr", "NTLDR"
]);
let LegitBootParents = dynamic([
    "setup.exe", "setuphost.exe", "dism.exe", "TrustedInstaller.exe",
    "msiexec.exe", "wuauclt.exe", "sysprep.exe", "cleanmgr.exe",
    "fwupd", "fwupdmgr", "bootupd"
]);
// Sub-query 1: Known firmware manipulation tool execution
let FirmwareToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FirmwareToolNames)
    or ProcessCommandLine has_any (FirmwareKeywords)
| extend DetectionType = "FirmwareToolExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 2: Raw disk handle access (potential MBR/VBR read or write)
// `contains` rather than `has`: KQL `has` only matches whole terms, so
// "\\.\PhysicalDrive" would not match "\\.\PhysicalDrive0". Both operators are
// case-insensitive, so no separate upper-case pattern is needed.
let RawDiskAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine contains "\\\\.\\PhysicalDrive"
    or ProcessCommandLine contains "\\\\.\\Harddisk"
    or ProcessCommandLine contains "\\Device\\Harddisk"
| where FileName !in~ ("defrag.exe", "chkdsk.exe", "diskpart.exe", "diskshadow.exe",
                        "vssadmin.exe", "wbadmin.exe", "ntbackup.exe",
                        "StorageD.exe", "StorageUsage.exe")
| where InitiatingProcessFileName !in~ ("services.exe", "wininit.exe", "smss.exe")
| extend DetectionType = "RawDiskAccess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 3: Boot configuration modification via bcdedit/bootrec/bcdboot
let BootConfigMod = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "bcdedit.exe" and ProcessCommandLine has_any ("/set", "/create", "/delete", "/import", "/store", "/deletevalue"))
    or (FileName =~ "bootrec.exe" and ProcessCommandLine has_any ("/fixmbr", "/fixboot", "/rebuildbcd", "/scanos"))
    or (FileName =~ "bcdboot.exe" and ProcessCommandLine !has "/help")
| where InitiatingProcessFileName !in~ (LegitBootParents)
    and InitiatingProcessFileName !in~ ("svchost.exe", "wininit.exe")
| extend DetectionType = "BootConfigModification"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Sub-query 4: Write or modification of critical boot/EFI files
let BootFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has "\\EFI\\"
    or FolderPath has "\\Boot\\"
    or FileName in~ (BootloaderFiles)
    or (FolderPath has "\\System32\\boot\\" and FileName endswith ".efi")
| where InitiatingProcessFileName !in~ (LegitBootParents)
    and InitiatingProcessFileName !in~ ("wininit.exe", "svchost.exe", "System")
| extend DetectionType = "BootFileWrite"
// DeviceFileEvents has no AccountName column; take it from the initiating process
| extend AccountName = InitiatingProcessAccountName
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Union all sub-detections
union FirmwareToolExec, RawDiskAccess, BootConfigMod, BootFileWrite
| sort by Timestamp desc
```

Severity: critical. Confidence: medium.

Detects Pre-OS Boot persistence and defense evasion activity using Microsoft Defender for Endpoint tables. Combines four detection sub-queries: (1) execution of known firmware manipulation tools (CHIPSEC, RWEverything, flashrom, AMI BIOS tools, Intel FPT); (2) raw disk handle access to PhysicalDrive or Harddisk device paths by non-system processes, which could indicate MBR/VBR manipulation; (3) boot configuration modification via bcdedit, bootrec, or bcdboot by unexpected parent processes; and (4) file creation or modification in EFI partition or Boot directory paths including core bootloader binaries. All sub-queries filter known-legitimate update mechanisms such as Windows Update, DISM, and OEM firmware update services.

Data Sources

  • Process: Process Creation
  • File: File Creation
  • File: File Modification
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • OEM firmware update utilities shipped with laptops (Dell Command Update, HP BIOS Update, Lenovo System Update) that run scheduled BIOS/UEFI updates — typically launched by svchost.exe or a vendor service parent
  • Dual-boot system configuration tools that modify BCD entries (EasyBCD, rEFInd installer, Ubuntu grub-install during OS installation)
  • Enterprise endpoint management during OS deployment — DISM, setup.exe, and MDT/SCCM task sequences legitimately write to EFI and Boot paths
  • Security researchers and IT administrators running CHIPSEC or RWEverything for hardware auditing or vulnerability assessment with explicit authorization
  • Backup software (Acronis True Image, Macrium Reflect) that accesses raw disk handles for sector-level backup of the MBR and system partition

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Boot Configuration Modification via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification alert fires if the parent process is not in the LegitBootParents allowlist.

  2. Test 2: MBR Read via Raw Disk Handle (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection.

  3. Test 3: MBR Sector Read via dd (Linux)

    Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. Auditd rule 'auditctl -a always,exit -F arch=b64 -S open -F path=/dev/sda -k mbr_access' would generate additional OPEN syscall events for /dev/sda.

  4. Test 4: bootrec Scan for Windows Installations

    Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.
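To exercise the matching logic of sub-queries 2 and 3 without a Sentinel workspace, here is an added Python harness, not code from the original page, that replays Tests 1, 2 and 4 above as constructed rows shaped like DeviceProcessEvents; the sample command lines, the read_sector.ps1 name and the parent processes are assumptions.

```python
# Added example (not from the original page): offline re-implementation of
# sub-queries 2 (RawDiskAccess) and 3 (BootConfigModification) over constructed
# DeviceProcessEvents-shaped rows. KQL has_any matches whole terms and contains
# matches substrings; both are case-insensitive, which the helpers mimic.
import re

LEGIT_BOOT_PARENTS = {"setup.exe", "setuphost.exe", "dism.exe", "trustedinstaller.exe",
                      "msiexec.exe", "wuauclt.exe", "sysprep.exe", "cleanmgr.exe",
                      "fwupd", "fwupdmgr", "bootupd", "svchost.exe", "wininit.exe"}
RAW_DISK_EXCLUDED_IMAGES = {"defrag.exe", "chkdsk.exe", "diskpart.exe", "diskshadow.exe",
                            "vssadmin.exe", "wbadmin.exe", "ntbackup.exe", "storaged.exe", "storageusage.exe"}
RAW_DISK_EXCLUDED_PARENTS = {"services.exe", "wininit.exe", "smss.exe"}
RAW_DISK_SUBSTRINGS = (r"\\.\physicaldrive", r"\\.\harddisk", r"\device\harddisk")
BCDEDIT_FLAGS = ("/set", "/create", "/delete", "/import", "/store", "/deletevalue")
BOOTREC_FLAGS = ("/fixmbr", "/fixboot", "/rebuildbcd", "/scanos")

def has_any(text, terms):
    """Approximate KQL has_any: a term matches only as a whole token."""
    tokens = set(re.findall(r"[a-z0-9_]+", text.lower()))
    return any(t.strip("/").lower() in tokens for t in terms)

def raw_disk_access(ev):
    """Sub-query 2: device path on the command line, image and parent not excluded."""
    cmd = ev["ProcessCommandLine"].lower()
    return (any(s in cmd for s in RAW_DISK_SUBSTRINGS)
            and ev["FileName"].lower() not in RAW_DISK_EXCLUDED_IMAGES
            and ev["InitiatingProcessFileName"].lower() not in RAW_DISK_EXCLUDED_PARENTS)

def boot_config_mod(ev):
    """Sub-query 3: boot tool with a modifying switch, launched by an unexpected parent."""
    name, cmd = ev["FileName"].lower(), ev["ProcessCommandLine"]
    hit = ((name == "bcdedit.exe" and has_any(cmd, BCDEDIT_FLAGS))
           or (name == "bootrec.exe" and has_any(cmd, BOOTREC_FLAGS))
           or (name == "bcdboot.exe" and "/help" not in cmd.lower()))
    return hit and ev["InitiatingProcessFileName"].lower() not in LEGIT_BOOT_PARENTS

def detect(ev):  # DetectionType labels this row would carry after the union
    checks = (("RawDiskAccess", raw_disk_access), ("BootConfigModification", boot_config_mod))
    return [label for label, check in checks if check(ev)]

# Constructed sample rows, not real telemetry; comments map them to the tests above.
SAMPLE_EVENTS = [
    {"FileName": "bcdedit.exe", "ProcessCommandLine": "bcdedit /set {current} description Test",
     "InitiatingProcessFileName": "cmd.exe"},                                  # Test 1: fires
    {"FileName": "bcdedit.exe", "ProcessCommandLine": "bcdedit /set {default} device partition=C:",
     "InitiatingProcessFileName": "SetupHost.exe"},                            # allowlisted parent
    {"FileName": "powershell.exe", "ProcessCommandLine": r"powershell.exe -File read_sector.ps1 \\.\PhysicalDrive0",
     "InitiatingProcessFileName": "explorer.exe"},                             # Test 2: fires
    {"FileName": "bootrec.exe", "ProcessCommandLine": "bootrec /scanos",
     "InitiatingProcessFileName": "powershell.exe"},                           # Test 4: fires
]
```

Running `detect` over each row reproduces which DetectionType the union would emit, and swapping the parent for one in the allowlist shows the suppression behaviour the tuning section describes.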
