Techniques
Sample rules
Windows EFI Bootloader File Modification
- source: splunk
- techniques:
- T1542.003
Description
Detects where a process writes to critical EFI bootloader files (bootmgfw.efi or bootx64.efi) within the \EFI\Boot\ directory. These files are responsible for initializing the Windows Boot Manager during system startup. Modification or replacement of these files is highly unusual in normal operations and may indicate an attempt to install a bootkit, persist malicious code at the firmware level, or otherwise tamper with the system boot process.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Filesystem where
Filesystem.file_path IN (
"*\\EFI\\Boot\\bootmgfw.efi",
"*\\EFI\\Boot\\bootx64.efi"
)
by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
Filesystem.process_guid Filesystem.process_id Filesystem.file_path Filesystem.file_name
Filesystem.user Filesystem.vendor_product Filesystem.action
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_efi_bootloader_file_modification_filter`
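As an added illustration (not part of the original rule or of Splunk's content), the same matching and grouping expressed in Python over a few constructed Endpoint.Filesystem-style events; the field names follow the data model fields the search uses, and the hypothetical `allowed_processes` allowlist stands in for the filter macro.

```python
import fnmatch

# Wildcard patterns from the search above (Splunk matching is case-insensitive).
EFI_BOOT_PATTERNS = ("*\\EFI\\Boot\\bootmgfw.efi", "*\\EFI\\Boot\\bootx64.efi")

# Constructed sample events (not real telemetry): Endpoint.Filesystem-style
# records, one per observed file write.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "SYSTEM", "action": "created",
     "process_path": "C:\\Windows\\System32\\svchost.exe",
     "file_path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"_time": 1700000100, "dest": "ws01", "user": "bob", "action": "created",
     "process_path": "C:\\Users\\bob\\drop.exe",
     "file_path": "S:\\EFI\\Boot\\bootmgfw.efi"},
    {"_time": 1700000200, "dest": "ws01", "user": "bob", "action": "created",
     "process_path": "C:\\Users\\bob\\drop.exe",
     "file_path": "s:\\efi\\boot\\BOOTX64.EFI"},
    # A write under a different ESP directory: outside the patterns, so it must not match.
    {"_time": 1700000300, "dest": "srv02", "user": "SYSTEM", "action": "created",
     "process_path": "C:\\Windows\\System32\\bcdboot.exe",
     "file_path": "S:\\EFI\\Microsoft\\Boot\\bootmgfw.efi"},
]

GROUP_BY = ("dest", "process_path", "file_path", "user", "action")


def matches_efi_boot(file_path):
    """Case-insensitive glob match against the two bootloader path patterns."""
    lowered = file_path.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in EFI_BOOT_PATTERNS)


def detect(events, allowed_processes=()):
    """Mirror the tstats search: keep matching writes, group them, and compute
    count / firstTime / lastTime per group. allowed_processes is a hypothetical
    allowlist of trusted process paths, standing in for the filter macro."""
    allowed = {p.lower() for p in allowed_processes}
    groups = {}
    for ev in events:
        if not matches_efi_boot(ev["file_path"]) or ev["process_path"].lower() in allowed:
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **stats) for key, stats in groups.items()]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Note that the patterns only cover `\EFI\Boot\`; a write to the Windows Boot Manager copy under `\EFI\Microsoft\Boot\` would need its own pattern if you want it in scope.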