Detect Pre-OS Boot in Sumo Logic CSE
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than the disk itself.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Technique
- T1542 Pre-OS Boot
- Canonical reference
- https://attack.mitre.org/techniques/T1542/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<User>*</User>" as event_user nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
// Normalize to lowercase for matching
| toLowerCase(process_image) as proc_lower
| toLowerCase(command_line) as cmd_lower
| toLowerCase(parent_image) as parent_lower
| toLowerCase(target_filename) as target_lower
// Detection branch 1: Firmware tool execution
| if (event_id = "1" AND (
matches(proc_lower, ".*(rweverything|rwe\.exe|chipsec|flashrom|afuwin64|afuwin32|afudos|winflash|biosflash|fpt\.exe|fptw64|fptw\.exe|h2ouve|h2offt|amibcp|amidewin|fwupdatelocalapp|firmwareupdate).*") OR
matches(cmd_lower, ".*(rweverything|chipsec|flashrom|afuwin|winflash|biosflash|h2ouve|amibcp|uefi-firmware|biosupdate|uefiflash|fptw64).*")
), 1, 0) as firmware_tool_exec
// Detection branch 2: Raw disk handle access
| if (event_id = "1" AND
(matches(cmd_lower, ".*(\\\\.\\\\physicaldrive|\\\\.\\\\harddisk|\\\\device\\\\harddisk).*")) AND
!matches(proc_lower, ".*(defrag|chkdsk|diskpart|diskshadow|vssadmin|wbadmin|ntbackup).*") AND
!matches(parent_lower, ".*(services\.exe|wininit\.exe|smss\.exe).*")
, 1, 0) as raw_disk_access
// Detection branch 3: Boot config modification
| if (event_id = "1" AND (
(matches(proc_lower, ".*bcdedit\.exe.*") AND matches(cmd_lower, ".*/set|/create|/delete|/import|/store|/deletevalue.*")) OR
(matches(proc_lower, ".*bootrec\.exe.*") AND matches(cmd_lower, ".*/fixmbr|/fixboot|/rebuildbcd|/scanos.*")) OR
(matches(proc_lower, ".*bcdboot\.exe.*") AND !matches(cmd_lower, ".*/help.*"))
) AND !matches(parent_lower, ".*(setup\.exe|dism\.exe|msiexec\.exe|trustedinstaller|sysprep\.exe|svchost\.exe|wininit\.exe).*")
, 1, 0) as boot_config_mod
// Detection branch 4: EFI/Boot file write
| if (event_id = "11" AND
(matches(target_lower, ".*(\\\\efi\\\\|\\\\boot\\\\bcd|bootmgfw\.efi|bootx64\.efi|winload\.efi|grubx64\.efi|shimx64\.efi|\\\\bootmgr|ntldr).*")) AND
!matches(proc_lower, ".*(setup\.exe|dism\.exe|trustedinstaller|msiexec\.exe|fwupd|bootupd|wininit\.exe).*")
, 1, 0) as boot_file_write
// Compute suspicion score
| num(firmware_tool_exec) + num(raw_disk_access) + num(boot_config_mod) + num(boot_file_write) as suspicion_score
| where suspicion_score > 0
// Build detection type list
| if(firmware_tool_exec=1, "FirmwareToolExecution", "") as d1
| if(raw_disk_access=1, "RawDiskAccess", "") as d2
| if(boot_config_mod=1, "BootConfigModification", "") as d3
| if(boot_file_write=1, "BootFileWrite", "") as d4
| concat(d1, if(d1!="" AND (d2!="" OR d3!="" OR d4!=""), ",", ""), d2, if(d2!="" AND (d3!="" OR d4!=""), ",", ""), d3, if(d3!="" AND d4!="", ",", ""), d4) as detection_types
| fields hostname, event_user, proc_lower, cmd_lower, parent_lower, target_lower, detection_types, suspicion_score
| sort by _messageTime descSumo Logic CSE query detecting Pre-OS Boot persistence (MITRE T1542) via Sysmon event parsing. Identifies firmware manipulation tools, raw disk handle access for MBR/VBR modification, boot configuration changes, and unauthorized writes to EFI/bootloader files. Computes a composite suspicion score and classifies detections by type.
Data Sources
Required Tables
False Positives & Tuning
- Vendor firmware update tools executed via enterprise management software (SCCM, Intune, Tanium) — these will appear with parent processes such as CcmExec.exe or msiexec.exe originating from managed software distribution paths
- bcdedit.exe invocations during Windows Autopilot or MDT deployment sequences where the parent is setuphost.exe or a deployment framework agent
- Dual-boot Linux systems running update-grub or grub-install during kernel updates, which generates EFI directory file writes under legitimate package manager parent processes
Other platforms for T1542
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Boot Configuration Modification via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} description'. Security Event ID 4688 (if command line auditing enabled). The DetectionType=BootConfigModification alert fires if the parent process is not in the LegitBootParents allowlist.
- Test 2MBR Read via Raw Disk Handle (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '\\.\PhysicalDrive0'. Sysmon Event ID 11: FileCreate for the temp file argus_mbr_test.bin. The '\\.\PhysicalDrive' pattern in the command line triggers the RawDiskAccess detection.
- Test 3MBR Sector Read via dd (Linux)
Expected signal: Linux auditd: syscall execve for /bin/dd with argument if=/dev/sda. Sysmon for Linux Event ID 1: Process Create with CommandLine containing 'if=/dev/sda'. Auditd rule 'auditctl -a always,exit -F arch=b64 -S open -F path=/dev/sda -k mbr_access' would generate additional OPEN syscall events for /dev/sda.
- Test 4bootrec Scan for Windows Installations
Expected signal: Sysmon Event ID 1: Process Create with Image=bootrec.exe, CommandLine containing '/scanos'. Security Event ID 4688 (if command line auditing enabled). The parent process (cmd.exe or powershell.exe) is the key indicator — bootrec invoked from user shells rather than from winre.exe or RecoveryEnvironment is anomalous.
References (9)
- https://attack.mitre.org/techniques/T1542/
- https://en.wikipedia.org/wiki/Booting
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
- https://github.com/chipsec/chipsec
- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
- https://uefi.org/specifications
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542/T1542.md
Unlock Pro Content
Get the full detection package for T1542 including response playbook, investigation guide, and atomic red team tests.