title: Bootkit (T1542.003)
id: df00tech-t1542-003
status: experimental
description: "Adversaries may use bootkits to persist on systems by modifying boot sectors or EFI System Partition (ESP) files, enabling malicious code to execute before the operating system loads. On BIOS systems, adversaries overwrite the Master Boot Record (MBR) or Volume Boot Record (VBR) to hijack the boot sequence. On UEFI systems, they create or modify files in the ESP (e.g., bootmgfw.efi, shimx64.efi) to run malicious kernel code. Notable real-world examples include WhisperGate (MBR overwrite with fake ransom note), BOOTRASH (VBR persistence), TrickBot's TrickBoot module (UEFI firmware implant), ROCKBOOT (MBR bootkit deployed by APT41), and BlackLotus (UEFI bootkit bypassing Secure Boot). Bootkits survive OS reinstallation and are extremely difficult to remediate without specialized tooling and hardware replacement in severe cases. Detection depends on identifying raw disk write operations, suspicious process access to physical drive paths, unauthorized ESP file modifications, and use of known firmware/boot manipulation utilities."
references:
  - https://attack.mitre.org/techniques/T1542/003/
  - https://df00tech.com/detections/T1542.003
author: df00tech
date: 2026/03/12
tags:
  - attack.t1542.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Windows Update and OS upgrade processes (TrustedInstaller.exe, TiWorker.exe) legitimately modify EFI boot files during feature updates and cumulative updates"
  - "Third-party disk partitioning and management tools (Acronis, Macrium Reflect, AOMEI Partition Assistant) perform raw disk access during backup and cloning operations"
  - "Dual-boot setup utilities (grub-install, bootice.exe used legitimately) writing bootloader files to ESP during Linux installation alongside Windows"
  - "IT provisioning and imaging tools (MDT, WDS, Clonezilla, Ghost) that write raw disk images during OS deployment"
  - "Disk diagnostic and manufacturer firmware update utilities (Dell Command Update, HP BIOS Update, Lenovo Vantage) that access raw drive sectors or update EFI files"
level: critical