mounting the efi volume can be part of normal system updates or legitimate maintenance tasks. monitor for unusual timing or context to reduce false alerts.

Techniques

Sample rules

Windows EFI Volume Mount Attempt Via Mountvol

source: splunk
technicques:
- T1204.002
- T1542
- T1688

Description

Detects attempts to mount the EFI volume. The EFI system partition (ESP) is a special partition on a data storage device (usually a hard disk drive or solid-state drive) that computers adhering to the UEFI (Unified Extensible Firmware Interface) specification use to store data necessary for the system to boot, such as bootloaders, device drivers, and system utilities. This is used with attacks such as PKFail to modify the system on boot.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

(
    Processes.process_name="mountvol.exe"
    OR
    Processes.original_file_name="MOUNTVOL.EXE"
)
Processes.process IN ("*-S*", "* /S*")

by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
   Processes.parent_process_name Processes.parent_process_exec Processes.action
   Processes.dest Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name Processes.parent_process
   Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id Processes.user Processes.process_name


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_efi_volume_mount_attempt_via_mountvol_filter`