Unexpected write operations to BIOS/UEFI firmware regions or to the EFI System Partition that do not correlate with a legitimate vendor firmware update. Firmware flashing utilities such as fwupdate.exe or vendor flash tools executed by accounts that are not administrative or IT-management accounts. Suspicious raw disk access targeting System Firmware GUID partitions, followed by an abnormal reboot sequence.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Drive Access (DC0054) | WinEventLog:Sysmon | EventCode=9 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| AllowedFirmwareUpdateTools | Legitimate vendor tools permitted to perform firmware flashing or BIOS updates. |
| TimeWindow | Expected time periods for approved firmware updates, used for correlating suspicious activity outside patch cycles. |
| KnownGoodFirmwareHashes | Baseline hashes of vendor BIOS/UEFI firmware for integrity comparison. |
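The correlation described above, written out as an added example that is not part of the original page. It evaluates constructed Security 4688 and Sysmon 9/11 events (normalised to Sysmon-style field names) against the AllowedFirmwareUpdateTools, TimeWindow and management-account baselines; the account names, the vendorflash.exe tool name, the image file extensions and the 15-minute correlation window are all assumptions.

```python
"""Flag firmware-flash tool executions that break the account or time baseline,
and attach the staged image, raw drive access and reboot as corroborating context.
Events and baseline values are constructed for this example."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunable fields from the analytic (values are assumptions for this example).
ALLOWED_FIRMWARE_UPDATE_TOOLS = {"fwupdate.exe", "vendorflash.exe"}  # vendorflash.exe is hypothetical
FIRMWARE_ADMIN_ACCOUNTS = {"CORP\\svc-fwupdate"}                      # IT-management accounts
TIME_WINDOW = (datetime(2024, 3, 12, 1, 0), datetime(2024, 3, 12, 4, 0))  # approved patch window
CORRELATION = timedelta(minutes=15)
IMAGE_EXTENSIONS = (".cap", ".bin", ".rom", ".fd")                   # assumed firmware image types

# Constructed events, not real logs.  Security 4688 supplies Image/CommandLine/User,
# Sysmon 9 (RawAccessRead) supplies Device, Sysmon 11 supplies TargetFilename.
EVENTS = [
    # Approved change: management account inside the patch window, raw access is expected.
    {"ts": datetime(2024, 3, 12, 2, 10), "EventCode": 4688, "User": "CORP\\svc-fwupdate",
     "Image": "C:\\Vendor\\fwupdate.exe", "CommandLine": "fwupdate.exe /update bios.cap"},
    {"ts": datetime(2024, 3, 12, 2, 11), "EventCode": 9, "User": "CORP\\svc-fwupdate",
     "Image": "C:\\Vendor\\fwupdate.exe", "Device": "\\Device\\Harddisk0\\DR0"},
    # Suspicious chain: user account stages an image, runs the flasher, raw-accesses the disk, reboots.
    {"ts": datetime(2024, 3, 12, 14, 0), "EventCode": 11, "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\bios.cap"},
    {"ts": datetime(2024, 3, 12, 14, 2), "EventCode": 4688, "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\fwupdate.exe",
     "CommandLine": "fwupdate.exe /update bios.cap"},
    {"ts": datetime(2024, 3, 12, 14, 3), "EventCode": 9, "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\fwupdate.exe", "Device": "\\Device\\Harddisk0\\DR0"},
    {"ts": datetime(2024, 3, 12, 14, 5), "EventCode": 4688, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown /r /t 0"},
]


def _exe(path):
    return PureWindowsPath(path).name.lower()


def is_firmware_tool(ev):
    return ev["EventCode"] == 4688 and _exe(ev["Image"]) in ALLOWED_FIRMWARE_UPDATE_TOOLS


def is_reboot(ev):
    return (ev["EventCode"] == 4688 and _exe(ev["Image"]) == "shutdown.exe"
            and "/r" in ev["CommandLine"].lower().split())


def detect(events):
    """Return one finding per firmware-tool execution that violates the baseline.
    An approved run (right account, inside TimeWindow) is never reported, even
    though it also produces raw drive access."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in filter(is_firmware_tool, events):
        violations, context = [], []
        if ev["User"] not in FIRMWARE_ADMIN_ACCOUNTS:
            violations.append("non-management account")
        if not TIME_WINDOW[0] <= ev["ts"] <= TIME_WINDOW[1]:
            violations.append("outside approved TimeWindow")
        if not violations:
            continue
        same_user = [e for e in events if e["User"] == ev["User"]]
        before = [e for e in same_user if timedelta(0) <= ev["ts"] - e["ts"] <= CORRELATION]
        after = [e for e in same_user if timedelta(0) < e["ts"] - ev["ts"] <= CORRELATION]
        if any(e["EventCode"] == 11 and e["TargetFilename"].lower().endswith(IMAGE_EXTENSIONS)
               for e in before):
            context.append("firmware image file staged beforehand (Sysmon EventCode 11)")
        if any(e["EventCode"] == 9 for e in after):
            context.append("raw drive access afterwards (Sysmon EventCode 9)")
        if any(is_reboot(e) for e in after):
            context.append("reboot within correlation window")
        findings.append({"ts": ev["ts"].isoformat(), "User": ev["User"], "Image": ev["Image"],
                         "violations": violations, "context": context})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Two practical caveats. Sysmon EventCode 9 is RawAccessRead: it records a process opening a volume for raw read access, not the write itself, so the flash is inferred from the tool execution and the reboot that follows rather than observed directly. The CommandLine field on 4688 is only populated when the "Include command line in process creation events" policy is enabled; without it the reboot check has to fall back to the image name alone.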

Unauthorized firmware uploads to routers, switches, or firewalls via TFTP, FTP, or SCP. Logs showing boot variable or startup image path changes that redirect the device to a non-standard firmware image. Abnormal reboots or firmware rollback attempts following configuration modification events.

| Data Component | Name | Channel |
|---|---|---|
| Firmware Modification (DC0004) | networkdevice:config | Boot image path or firmware configuration variable modified outside of maintenance windows |
| Drive Modification (DC0046) | networkdevice:runtime | Firmware image uploaded via TFTP/FTP/SCP |

| Field | Description |
|---|---|
| ApprovedFirmwareHashes | Known good firmware image hashes stored for validation. |
| MaintenanceWindows | Expected time periods when firmware uploads or reboots are considered normal. |
| SourceIPWhitelist | List of trusted management IPs allowed to initiate firmware uploads. |
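The network-device checks above, as an added example that is not part of the original page. It runs constructed key=value events (not any vendor's syslog format) through the ApprovedFirmwareHashes, MaintenanceWindows and SourceIPWhitelist fields, ties each boot-variable change back to the hash of the image that was uploaded to that path, and notes a reload that follows a flagged change. The device names, addresses, window, the image_sha256 attribute (assumed to come from a post-upload verify command) and the 10-minute reload window are all assumptions.

```python
"""Evaluate constructed network-device firmware events against the baseline
fields and correlate uploads, boot-variable changes and reloads per device."""
import hashlib
import ipaddress
from datetime import datetime, time, timedelta

# Baseline fields (values are assumptions for this example).
VENDOR_IMAGE = b"vendor-nos-17.3.1.bin"  # stands in for the bytes of an approved image
APPROVED_FIRMWARE_HASHES = {hashlib.sha256(VENDOR_IMAGE).hexdigest()}
MAINTENANCE_WINDOWS = [(time(1, 0), time(4, 0))]            # device-local time, daily
SOURCE_IP_WHITELIST = [ipaddress.ip_network("10.0.10.0/24")]  # trusted management hosts
RELOAD_CORRELATION = timedelta(minutes=10)

# Constructed events; the first three are an approved upgrade, the last three a
# rogue image pushed over TFTP from an untrusted host outside the window.
LOG = """\
2024-03-12T02:05:11 device=core-sw1 event=firmware_upload proto=scp src=10.0.10.5 file=flash:/nos-17.3.1.bin image_sha256={good}
2024-03-12T02:06:40 device=core-sw1 event=boot_var_change user=netops old=flash:/nos-17.2.2.bin new=flash:/nos-17.3.1.bin
2024-03-12T02:08:00 device=core-sw1 event=reload user=netops
2024-03-12T15:41:20 device=edge-fw2 event=firmware_upload proto=tftp src=192.168.77.9 file=flash:/update.bin image_sha256={bad}
2024-03-12T15:42:05 device=edge-fw2 event=boot_var_change user=admin old=flash:/fw-9.1.bin new=flash:/update.bin
2024-03-12T15:44:30 device=edge-fw2 event=reload user=admin
""".format(good=hashlib.sha256(VENDOR_IMAGE).hexdigest(),
           bad=hashlib.sha256(b"tampered image").hexdigest())


def parse(log):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def in_maintenance(ts):
    return any(start <= ts.time() <= end for start, end in MAINTENANCE_WINDOWS)


def detect(events):
    """Return findings for uploads and boot-variable changes that break the baseline."""
    events = sorted(events, key=lambda e: e["ts"])
    uploaded = {}  # (device, file path) -> sha256 reported at upload time
    findings = []
    for ev in events:
        reasons = []
        if ev["event"] == "firmware_upload":
            uploaded[(ev["device"], ev["file"])] = ev["image_sha256"]
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in SOURCE_IP_WHITELIST):
                reasons.append("upload from non-whitelisted source " + ev["src"])
            if ev["image_sha256"] not in APPROVED_FIRMWARE_HASHES:
                reasons.append("image hash not in ApprovedFirmwareHashes")
            if not in_maintenance(ev["ts"]):
                reasons.append("upload outside MaintenanceWindows")
        elif ev["event"] == "boot_var_change":
            if not in_maintenance(ev["ts"]):
                reasons.append("boot variable changed outside MaintenanceWindows")
            # The new boot path must resolve to an image whose hash we approved.
            if uploaded.get((ev["device"], ev["new"])) not in APPROVED_FIRMWARE_HASHES:
                reasons.append("new boot image %s has no approved hash" % ev["new"])
            reload_follows = any(
                e["device"] == ev["device"] and e["event"] == "reload"
                and timedelta(0) < e["ts"] - ev["ts"] <= RELOAD_CORRELATION
                for e in events)
            if reasons and reload_follows:
                reasons.append("followed by reload within %d min" % (RELOAD_CORRELATION.seconds // 60))
        if reasons:
            findings.append({"device": ev["device"], "ts": ev["ts"].isoformat(),
                             "event": ev["event"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(LOG)):
        print(finding)
```

A reload inside the maintenance window after an approved change is deliberately not reported on its own; the reload only adds weight to a change that already failed the hash, source or window check, which keeps routine upgrades out of the alert queue.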