Some legitimate system or firmware update processes may create or modify files in the EFI volume. Review alerts carefully to distinguish between normal maintenance and suspicious activity.

Techniques

Sample rules

Windows Suspicious File in EFI Volume

Description

Detects data (.dat) files written under the Boot directory of the EFI volume. This is sometimes indicative of an actor attempting to bypass Secure Boot through vulnerabilities such as CVE-2024-7344, which abuse vulnerable boot loaders to run malicious system firmware code.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path="*\\EFI\\Boot\\*" Filesystem.file_path="*.dat"
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
       Filesystem.process_guid Filesystem.process_id Filesystem.file_path Filesystem.file_name
       Filesystem.action Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_file_in_efi_volume_filter`
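To show what the SPL above actually selects and aggregates, here is an added Python re-implementation of the rule run over constructed Endpoint.Filesystem-style events. It is example code written for this page, not part of the Splunk security content. It reproduces the two wildcard path conditions (implicitly ANDed, matched case-insensitively as Splunk does), the `by` grouping with count/firstTime/lastTime, the epoch-to-text conversion done by `security_content_ctime`, and stands in for the empty tuning macro `windows_suspicious_file_in_efi_volume_filter` with an allowlist of updater process paths. The event contents, the host names, and the allowlisted updater path are all assumptions made up for the example.

```python
"""Added example: model of the 'Windows Suspicious File in EFI Volume' rule.

Not the project's own code. Events, hosts and the updater allowlist below are
constructed for illustration only.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Fields the SPL groups by (the `by` clause, minus the Filesystem. prefix).
GROUP_FIELDS = ("dest", "file_create_time", "process_path", "process_guid",
                "process_id", "file_path", "file_name", "action", "user",
                "vendor_product")

# The two `where` conditions; both must hold, as in the tstats clause.
PATH_PATTERNS = ("*\\EFI\\Boot\\*", "*.dat")

# Constructed sample events shaped like Endpoint.Filesystem rows (not real telemetry).
SAMPLE_EVENTS = [
    # Two writes of the same .dat under EFI\Boot by an unknown binary in Temp.
    {"_time": 1700000000, "dest": "ws01", "file_create_time": 1700000000,
     "process_path": "C:\\Users\\a\\AppData\\Local\\Temp\\stage.exe",
     "process_guid": "{guid-1}", "process_id": 4120,
     "file_path": "S:\\EFI\\Boot\\cloak.dat", "file_name": "cloak.dat",
     "action": "modified", "user": "a", "vendor_product": "Sysmon"},
    {"_time": 1700000060, "dest": "ws01", "file_create_time": 1700000000,
     "process_path": "C:\\Users\\a\\AppData\\Local\\Temp\\stage.exe",
     "process_guid": "{guid-1}", "process_id": 4120,
     "file_path": "S:\\EFI\\Boot\\cloak.dat", "file_name": "cloak.dat",
     "action": "modified", "user": "a", "vendor_product": "Sysmon"},
    # A hypothetical vendor firmware updater writing a .dat: matches, then tuned out.
    {"_time": 1700000120, "dest": "ws02", "file_create_time": 1700000120,
     "process_path": "C:\\Program Files\\ExampleVendor\\fwupdate.exe",
     "process_guid": "{guid-2}", "process_id": 880,
     "file_path": "S:\\EFI\\Boot\\firmware.dat", "file_name": "firmware.dat",
     "action": "created", "user": "SYSTEM", "vendor_product": "Sysmon"},
    # Normal boot loader file: right directory, wrong extension.
    {"_time": 1700000180, "dest": "ws01", "file_create_time": 1700000180,
     "process_path": "C:\\Windows\\System32\\bcdboot.exe",
     "process_guid": "{guid-3}", "process_id": 1502,
     "file_path": "S:\\EFI\\Boot\\bootx64.efi", "file_name": "bootx64.efi",
     "action": "created", "user": "SYSTEM", "vendor_product": "Sysmon"},
    # A .dat outside the EFI volume: right extension, wrong directory.
    {"_time": 1700000240, "dest": "ws03", "file_create_time": 1700000240,
     "process_path": "C:\\Windows\\Temp\\installer.exe",
     "process_guid": "{guid-4}", "process_id": 2210,
     "file_path": "C:\\Windows\\Temp\\payload.dat", "file_name": "payload.dat",
     "action": "created", "user": "b", "vendor_product": "Sysmon"},
]

# Assumed tuning allowlist standing in for the (empty) filter macro. Populate it
# with the firmware/OS update tooling your environment actually runs.
KNOWN_UPDATER_PATHS = {"c:\\program files\\examplevendor\\fwupdate.exe"}


def matches_rule(event):
    """True when file_path satisfies every wildcard in the SPL `where` clause."""
    path = event["file_path"].lower()
    return all(fnmatchcase(path, pat.lower()) for pat in PATH_PATTERNS)


def ctime(epoch):
    """Mirror of security_content_ctime: epoch seconds to an ISO-style timestamp (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def aggregate(events):
    """The tstats stage: filter, then count/min/max _time per distinct group key."""
    groups = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = []
    for key, agg in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row.update(agg)
        row["firstTime"], row["lastTime"] = ctime(row["firstTime"]), ctime(row["lastTime"])
        rows.append(row)
    return rows


def apply_filter(rows):
    """Stand-in for windows_suspicious_file_in_efi_volume_filter: drop known updaters."""
    return [r for r in rows if r["process_path"].lower() not in KNOWN_UPDATER_PATHS]


def run_detection(events=SAMPLE_EVENTS):
    """Full pipeline; returns the rows an analyst would see after tuning."""
    return apply_filter(aggregate(events))


if __name__ == "__main__":
    for row in run_detection():
        print(row["dest"], row["process_path"], row["file_path"],
              row["count"], row["firstTime"], row["lastTime"])
```

Running it leaves one finding: the unknown Temp binary that touched `S:\EFI\Boot\cloak.dat` twice on ws01. The `.efi` write by bcdboot.exe never matches, the `.dat` under `C:\Windows\Temp` never matches, and the vendor updater on ws02 matches but is removed by the allowlist, which is the kind of tuning the false-positive note at the top of the page is asking for.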