Detection of raw access to physical drives, modification of boot records (MBR/VBR), and suspicious file creation or alteration within the EFI System Partition (ESP). Correlates privileged process execution with low-level disk modification and unexpected driver or firmware interactions.

| Data Component | Name | Channel |
|---|---|---|
| Drive Access (DC0054) | WinEventLog:Sysmon | EventCode=9 |
| Volume Metadata (DC0100) | WinEventLog:Security | 4673, 4674 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| KnownGoodMBRHashes | Baseline hashes of clean MBR/VBR sectors for comparison |
| ESPFileWhitelist | Approved EFI executables within ESP directories |
| TimeWindow | Correlation window between privileged access, raw disk modification, and EFI file creation |
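The correlation described above, as an added example that is not part of the original page: a small Python analytic that joins Security 4673/4674 privilege use, Sysmon EventCode 9 raw reads of a whole physical disk, and Sysmon EventCode 11 file creation under the ESP, per process image, within a TimeWindow, and suppresses creations that match ESPFileWhitelist. The event dicts, the `TIME_WINDOW`, `ESP_FILE_WHITELIST` and `CLEAN_SECTOR` values, and the SHA-256 form of KnownGoodMBRHashes are all assumptions made for the example; the Security events' ProcessName is mapped onto the same `Image` key as the Sysmon events so the three sources can be joined.

```python
"""Correlate privileged access, raw disk reads and ESP file creation from
Windows event logs. Added example, not part of the ATT&CK page.

Events are normalised dicts carrying the fields of Sysmon EventCode 9
(RawAccessRead: Image, Device), Security 4673/4674 (ProcessName, mapped to
Image here, PrivilegeList) and Sysmon EventCode 11 (FileCreate: Image,
TargetFilename). TIME_WINDOW and ESP_FILE_WHITELIST stand in for the page's
TimeWindow and ESPFileWhitelist parameters; all sample events are constructed.
"""
import hashlib
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=5)

# Whitelist entries are paths relative to the ESP root, upper-cased for comparison.
ESP_FILE_WHITELIST = {
    r"\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI",
    r"\EFI\BOOT\BOOTX64.EFI",
}

# Constructed stand-in for a clean 512-byte MBR: zeros plus the 0x55AA signature.
CLEAN_SECTOR = b"\x00" * 510 + b"\x55\xaa"


def sector_hash(sector):
    """SHA-256 of a boot sector, the form assumed for KnownGoodMBRHashes here."""
    return hashlib.sha256(sector).hexdigest()


def mbr_matches_baseline(sector, known_good_hashes):
    """True only for a well-formed 512-byte sector whose hash is in the baseline."""
    if len(sector) != 512 or sector[-2:] != b"\x55\xaa":
        return False
    return sector_hash(sector) in known_good_hashes


def is_physical_drive(device):
    """Sysmon 9 'Device' values naming a whole disk (\\Device\\Harddisk0\\DR0,
    \\\\.\\PhysicalDrive0) rather than a single volume (\\Device\\HarddiskVolume3)."""
    upper = device.upper()
    whole_disk = upper.startswith("\\DEVICE\\HARDDISK") and "VOLUME" not in upper
    return whole_disk or "PHYSICALDRIVE" in upper


def esp_relative(path):
    """Path relative to the ESP root if it lies under an \\EFI\\ directory, else None.
    Heuristic: whether the ESP is mounted on a drive letter or addressed through a
    \\\\?\\Volume{...} path, the \\EFI\\ component is present either way."""
    upper = path.upper()
    idx = upper.find("\\EFI\\")
    return upper[idx:] if idx >= 0 else None


def correlate(events, window=TIME_WINDOW, whitelist=ESP_FILE_WHITELIST):
    """One alert per non-whitelisted ESP file creation (Sysmon 11) whose process
    both used a privilege (4673/4674) and read a physical drive raw (Sysmon 9)
    within `window` before the creation."""
    by_image = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_image.setdefault(e["Image"], []).append(e)
    alerts = []
    for image, evs in by_image.items():
        priv_times = [e["time"] for e in evs
                      if e["source"] == "Security" and e["EventCode"] in (4673, 4674)]
        raw_times = [e["time"] for e in evs
                     if e["source"] == "Sysmon" and e["EventCode"] == 9
                     and is_physical_drive(e["Device"])]
        for e in evs:
            if e["source"] != "Sysmon" or e["EventCode"] != 11:
                continue
            rel = esp_relative(e["TargetFilename"])
            if rel is None or rel in whitelist:
                continue
            t = e["time"]
            if (any(t - window <= p <= t for p in priv_times)
                    and any(t - window <= r <= t for r in raw_times)):
                alerts.append({"Image": image, "TargetFilename": e["TargetFilename"], "time": t})
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"time": _t("2024-05-01T10:00:00"), "source": "Security", "EventCode": 4673,
     "Image": r"C:\Users\Public\diskutil.exe", "PrivilegeList": "SeTcbPrivilege"},
    {"time": _t("2024-05-01T10:00:03"), "source": "Sysmon", "EventCode": 9,
     "Image": r"C:\Users\Public\diskutil.exe", "Device": r"\Device\Harddisk0\DR0"},
    {"time": _t("2024-05-01T10:00:07"), "source": "Sysmon", "EventCode": 11,
     "Image": r"C:\Users\Public\diskutil.exe", "TargetFilename": r"S:\EFI\Boot\loader2.efi"},
    # Servicing writes the stock boot manager (whitelisted) with no raw disk access.
    {"time": _t("2024-05-01T10:10:00"), "source": "Sysmon", "EventCode": 11,
     "Image": r"C:\Windows\System32\bcdboot.exe",
     "TargetFilename": r"S:\EFI\Microsoft\Boot\bootmgfw.efi"},
    # Backup agent reads a single volume raw but creates nothing under the ESP.
    {"time": _t("2024-05-01T10:20:00"), "source": "Sysmon", "EventCode": 9,
     "Image": r"C:\Program Files\Backup\agent.exe", "Device": r"\Device\HarddiskVolume3"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for `diskutil.exe`; the servicing and backup events are filtered by the whitelist and by the missing ESP file creation respectively. Event 9 is keyed on whole-disk device names because volume-level raw reads are routine for backup and imaging agents, while whole-disk reads are what precede MBR/VBR rewrites.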
Detection of suspicious write operations to block devices, modifications of bootloader files (GRUB, initrd, vmlinuz), and unexpected changes within the EFI System Partition. Monitors privileged execution of utilities like dd, grub-install, or efibootmgr that modify boot sectors or loader entries.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write: Write operations targeting /dev/sda, /dev/nvme0n1, or EFI partition mounts |
| Drive Modification (DC0046) | linux:syslog | Block device write errors or unusual bootloader activity |

| Field | Description |
|---|---|
| BootloaderHashBaseline | Baseline checksums of GRUB, kernel, and initramfs images |
| EFIFileAllowlist | Trusted EFI executables for Linux environments |
| AlertThresholds | Tunable thresholds for triggering alerts on repeated EFI/bootloader writes |
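The Linux side of the analytic, as an added example that is not part of the original page: it parses auditd SYSCALL records together with their PATH records, keeps only successful privileged opens that carry O_WRONLY or O_RDWR (plain write() calls are accepted too), classifies the target as a raw block device or a file under the ESP mount, and applies a per-kind threshold in the role of AlertThresholds. The x86_64 syscall numbers, the `/boot/efi/` mount point, the `ALERT_THRESHOLDS` values and every log line are assumptions constructed for the example; the utility names come from the page.

```python
"""Flag privileged write-opens of raw block devices and of files under the
EFI System Partition from auditd SYSCALL/PATH record pairs.
Added example, not part of the ATT&CK page. Assumes x86_64 syscall numbers
(open=2, openat=257, write=1), that the SYSCALL and PATH records of one event
share the serial in msg=audit(ts:serial), and that ALERT_THRESHOLDS plays the
role of the page's AlertThresholds parameter. All log lines are constructed.
"""
import re
from collections import Counter

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key=value or key="value"
_SERIAL = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
BLOCK_DEVICE = re.compile(r"^/dev/(sd[a-z]+\d*|nvme\d+n\d+(p\d+)?|vd[a-z]+\d*)$")
ESP_MOUNT = "/boot/efi/"                             # assumed ESP mount point
BOOT_TOOLS = {"dd", "grub-install", "efibootmgr"}   # utilities named on the page
ALERT_THRESHOLDS = {"block_device": 1, "esp_file": 3}  # hypothetical tuning
# Which argument holds the open flags, keyed by syscall number or ausearch -i name.
OPEN_FLAGS_ARG = {"2": "a1", "open": "a1", "257": "a2", "openat": "a2"}


def parse_record(line):
    """One auditd line -> dict of its fields plus 'serial' and 'ts'."""
    m = _SERIAL.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group(1)), "serial": m.group(2)}
    for key, value, quoted in _KV.findall(line):
        rec[key] = quoted if value.startswith('"') else value
    return rec


def group_by_serial(lines):
    """Merge each SYSCALL record with the PATH names logged under the same serial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"paths": []})
        if rec.get("type") == "SYSCALL":
            ev.update(rec)
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", ""))
    return events


def is_write_open(ev):
    """True if the call can modify its target: open/openat with O_WRONLY (1) or
    O_RDWR (2) in the access-mode bits (O_ACCMODE = 3), or a plain write()."""
    arg = OPEN_FLAGS_ARG.get(ev.get("syscall", ""))
    if arg is None:
        return ev.get("syscall") in ("1", "write")
    return (int(ev.get(arg, "0"), 16) & 0x3) in (1, 2)


def classify(ev):
    """'block_device' or 'esp_file' for a successful privileged access, else None."""
    if ev.get("success") != "yes" or "0" not in (ev.get("uid"), ev.get("euid")):
        return None
    for path in ev["paths"]:
        if BLOCK_DEVICE.match(path):
            return "block_device"
        if path.startswith(ESP_MOUNT):
            return "esp_file"
    return None


def detect(lines, thresholds=ALERT_THRESHOLDS):
    """Alerts in time order, fired once per (exe, kind) when its threshold is reached."""
    counts, alerts = Counter(), []
    events = sorted(group_by_serial(lines).items(), key=lambda kv: kv[1].get("ts", 0.0))
    for serial, ev in events:
        kind = classify(ev)
        if kind is None or not is_write_open(ev):
            continue
        exe = ev.get("exe", "?")
        counts[(exe, kind)] += 1
        if counts[(exe, kind)] == thresholds[kind]:
            alerts.append({"serial": serial, "exe": exe, "kind": kind, "paths": ev["paths"],
                           "known_boot_tool": exe.rsplit("/", 1)[-1] in BOOT_TOOLS})
    return alerts


def _pair(ts, serial, syscall, flags, exe, path, uid="0"):
    """Build a constructed SYSCALL+PATH pair with an abridged auditd field set."""
    comm = exe.rsplit("/", 1)[-1]
    return [
        f'type=SYSCALL msg=audit({ts}:{serial}): arch=c000003e syscall={syscall} success=yes '
        f'exit=3 a0=ffffff9c a1=7ffd1c0 a2={flags} a3=1b6 items=1 pid=1234 auid=1000 '
        f'uid={uid} euid={uid} comm="{comm}" exe="{exe}" key="bootdev"',
        f'type=PATH msg=audit({ts}:{serial}): item=0 name="{path}" nametype=NORMAL',
    ]


SAMPLE_AUDIT_LINES = (  # constructed; flags are hex as auditd logs them
    _pair("1714557601.101", 4521, 257, "241", "/usr/bin/dd", "/dev/sda")            # O_WRONLY|O_CREAT|O_TRUNC
    + _pair("1714557602.204", 4522, 257, "80000", "/usr/sbin/smartctl", "/dev/sda")  # O_RDONLY|O_CLOEXEC
    + _pair("1714557603.310", 4523, 257, "241", "/usr/sbin/grub-install", "/boot/efi/EFI/ubuntu/grubx64.efi")
    + _pair("1714557604.415", 4524, 257, "241", "/tmp/updater", "/boot/efi/EFI/BOOT/a.efi")
    + _pair("1714557605.520", 4525, 257, "241", "/tmp/updater", "/boot/efi/EFI/BOOT/b.efi")
    + _pair("1714557606.625", 4526, 257, "241", "/tmp/updater", "/boot/efi/EFI/BOOT/c.efi")
)
```

`detect(SAMPLE_AUDIT_LINES)` returns two alerts: the `dd` write-open of `/dev/sda` fires on the first event because the block-device threshold is 1, and the unknown `/tmp/updater` fires on its third ESP file write. The read-only `smartctl` open of the same device is dropped by the flags check, and the single `grub-install` write stays below the ESP threshold; the `known_boot_tool` field lets a triage rule treat page-listed utilities run from expected paths differently from arbitrary binaries without losing the event.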