Detect Pre-OS Boot in Splunk
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than the disk itself.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Technique
- T1542 Pre-OS Boot
- Canonical reference
- https://attack.mitre.org/techniques/T1542/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| where EventCode IN (1, 11)
| eval proc_lower=lower(coalesce(Image, ""))
| eval cmd_lower=lower(coalesce(CommandLine, ""))
| eval parent_lower=lower(coalesce(ParentImage, ""))
| eval target_lower=lower(coalesce(TargetFilename, ""))
| eval FirmwareTool=if(EventCode=1 AND (
match(proc_lower, "(rweverything|rwe\.exe|chipsec|flashrom|afuwin|afudos|winflash|biosflash|fpt\.exe|fptw|h2ouve|amibcp|amidewin|fwupdatelocalapp|firmwareupdate)") OR
match(cmd_lower, "(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi.firmware|biosupdate|uefiflash)")
), 1, 0)
| eval RawDiskAccess=if(EventCode=1 AND
(match(cmd_lower, "physicaldrive") OR match(cmd_lower, "\\.\\harddisk") OR match(cmd_lower, "\\device\\harddisk")) AND
NOT match(proc_lower, "(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup)") AND
NOT match(parent_lower, "(services\.exe|wininit\.exe|smss\.exe)"), 1, 0)
| eval BootConfigMod=if(EventCode=1 AND (
(match(proc_lower, "bcdedit\.exe") AND match(cmd_lower, "(/set|/create|/delete|/import|/store|/deletevalue)")) OR
(match(proc_lower, "bootrec\.exe") AND match(cmd_lower, "(/fixmbr|/fixboot|/rebuildbcd|/scanos)")) OR
(match(proc_lower, "bcdboot\.exe") AND NOT match(cmd_lower, "/help"))
) AND NOT match(parent_lower, "(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe)"), 1, 0)
| eval BootFileWrite=if(EventCode=11 AND
(match(target_lower, "(\\\\efi\\\\|\\\\boot\\\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\\\bootmgr$|ntldr)")) AND
NOT match(proc_lower, "(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe)"), 1, 0)
| eval SuspicionScore=FirmwareTool + RawDiskAccess + BootConfigMod + BootFileWrite
| where SuspicionScore > 0
| eval DetectionTypes=mvappend(
if(FirmwareTool=1, "FirmwareToolExecution", null()),
if(RawDiskAccess=1, "RawDiskAccess", null()),
if(BootConfigMod=1, "BootConfigModification", null()),
if(BootFileWrite=1, "BootFileWrite", null())
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, DetectionTypes, SuspicionScore
| sort - _timeDetects Pre-OS Boot persistence activity using Sysmon Event ID 1 (Process Creation) and Event ID 11 (File Creation). Evaluates four detection categories with a cumulative suspicion score: FirmwareToolExecution (known BIOS/UEFI manipulation tools), RawDiskAccess (processes accessing PhysicalDrive device paths), BootConfigModification (bcdedit/bootrec/bcdboot run by unexpected parents), and BootFileWrite (creation or modification of EFI partition or bootloader binaries). Excludes known-legitimate update paths including OEM firmware services, Windows Update components, and OS deployment tools. The SuspicionScore field enables alert prioritization — a score of 2 or higher warrants immediate investigation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- OEM firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) running scheduled BIOS updates — suppress by allowlisting known vendor EXE paths with system service parents
- Dual-boot configuration tools modifying BCD entries during initial OS setup or bootloader repair on developer workstations
- Enterprise OS deployment via SCCM, MDT, or WDS that writes bootloader files to EFI and Boot partitions — typically occurs only during provisioning windows
- Disk imaging and backup software (Acronis, Macrium, Veeam Agent) accessing raw disk handles for sector-level backups — allowlist by backup service account and process hash
- Security auditing tools run by authorized red team or vulnerability assessment teams — coordinate with security team to whitelist scheduled scan windows
Other platforms for T1542
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Boot Configuration Modification via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification alert fires if the parent process is not in the LegitBootParents allowlist.
- Test 2MBR Read via Raw Disk Handle (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection.
- Test 3MBR Sector Read via dd (Linux)
Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. Auditd rule 'auditctl -a always,exit -F arch=b64 -S open -F path=/dev/sda -k mbr_access' would generate additional OPEN syscall events for /dev/sda.
- Test 4bootrec Scan for Windows Installations
Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.
References (9)
- https://attack.mitre.org/techniques/T1542/
- https://en.wikipedia.org/wiki/Booting
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
- https://github.com/chipsec/chipsec
- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
- https://uefi.org/specifications
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542/T1542.md
Unlock Pro Content
Get the full detection package for T1542 including response playbook, investigation guide, and atomic red team tests.