Unusual modification of boot records (MBR, VBR) or EFI partitions not associated with legitimate patch cycles or OS upgrades. Registry or WMI events associated with firmware update tools executed from unexpected parent processes. API calls (e.g., DeviceIoControl) writing directly to raw disk sectors. Subsequent abnormal boot configuration changes followed by unsigned driver loads.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Drive Access (DC0054) | WinEventLog:Sysmon | EventCode=9 |

| Field | Description |
|---|---|
| AllowedFirmwareUpdateTools | Legitimate vendor tools or processes authorized to modify firmware or boot records. |
| TimeWindow | Correlating boot-sector modification with subsequent reboot events. |
| EntropyThreshold | Heuristic threshold for detecting obfuscated/packed boot code. |
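
The Windows analytic above can be expressed as a small correlation over the two listed channels. The following is an added example (not code from the page or from ATT&CK): it flags raw physical-disk access (Sysmon EventCode=9, `Image`/`Device` fields) by any process not in `AllowedFirmwareUpdateTools`, attaches the parent from the matching Security 4688 event inside `TimeWindow`, and applies the `EntropyThreshold` heuristic to a captured boot sector. The events, tool paths and the 6.5 bits/byte threshold are constructed placeholders, not vendor-supplied values.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta

# Mutable elements from the analytic. The tool paths are constructed placeholders,
# not a real vendor allowlist (assumption).
ALLOWED_FIRMWARE_UPDATE_TOOLS = {
    r"c:\program files\vendor\fwupdate.exe",   # hypothetical vendor updater
    r"c:\windows\system32\bcdboot.exe",
}
TIME_WINDOW = timedelta(minutes=10)   # how far back to look for the 4688 that started the writer
ENTROPY_THRESHOLD = 6.5               # bits/byte; assumed cut-off, plain boot code sits far below it

# Constructed sample events modelled on Sysmon EventCode=9 (raw device access, fields
# Image/Device) and Security EventCode=4688 (process creation). Not real telemetry.
SAMPLE_EVENTS = [
    {"channel": "WinEventLog:Security", "EventCode": 4688, "UtcTime": "2024-05-01 10:00:01",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"channel": "WinEventLog:Sysmon", "EventCode": 9, "UtcTime": "2024-05-01 10:00:05",
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "Device": r"\Device\Harddisk0\DR0"},
    {"channel": "WinEventLog:Sysmon", "EventCode": 9, "UtcTime": "2024-05-01 11:30:00",
     "Image": r"C:\Program Files\Vendor\fwupdate.exe", "Device": r"\Device\Harddisk0\DR0"},
    {"channel": "WinEventLog:Sysmon", "EventCode": 9, "UtcTime": "2024-05-01 12:00:00",
     "Image": r"C:\Windows\System32\svchost.exe", "Device": r"\Device\HarddiskVolume1"},
]

# \Device\HarddiskN\DRN is the whole physical disk (sector 0 holds the MBR / GPT header);
# a HarddiskVolumeN object is a mounted volume and is not matched here.
PHYSICAL_DISK = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def raw_disk_access_alerts(events, allowed=ALLOWED_FIRMWARE_UPDATE_TOOLS, window=TIME_WINDOW):
    """Return (image, parent) for every raw physical-disk access by a process that is
    not an allowed firmware/boot tool. `parent` comes from the latest 4688 event for
    the same image within `window` before the access, or None if there is none."""
    creations = sorted((e for e in events if e["EventCode"] == 4688), key=lambda c: c["UtcTime"])
    alerts = []
    for e in events:
        if e["EventCode"] != 9 or not PHYSICAL_DISK.match(e["Device"]):
            continue
        image = e["Image"]
        if image.lower() in allowed:
            continue
        t = parse_time(e["UtcTime"])
        parent = None
        for c in creations:
            if c["NewProcessName"].lower() == image.lower() and timedelta(0) <= t - parse_time(c["UtcTime"]) <= window:
                parent = c["ParentProcessName"]
        alerts.append((image, parent))
    return alerts


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def boot_code_suspicious(sector, threshold=ENTROPY_THRESHOLD):
    """True if a captured boot sector looks packed or encrypted under the entropy heuristic."""
    return shannon_entropy(sector) > threshold


if __name__ == "__main__":
    for image, parent in raw_disk_access_alerts(SAMPLE_EVENTS):
        print(f"raw disk access by {image} (parent: {parent})")
    # Constructed sectors: a NOP-filled stub with a boot signature vs. a byte string
    # in which every value occurs equally often.
    print(boot_code_suspicious(b"\xeb\x3c\x90" + b"\x90" * 507 + b"\x55\xaa"))
    print(boot_code_suspicious(bytes(range(256)) * 2))
```

Only the Temp-directory executable started by PowerShell is reported; the allowlisted vendor updater touching the same device and svchost touching a volume object are not. The entropy helper is the heuristic the `EntropyThreshold` field describes; the threshold itself should be tuned against known-good boot sectors from the estate.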

Detection of writes to /boot or EFI directories outside of expected package manager updates. Monitoring kernel log and auditd events for attempts to overwrite bootloader binaries (e.g., grub, shim). Unexpected execution of efibootmgr or dd writing to /dev/sdX devices followed by boot parameter changes.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write: Modification of /boot/grub/* or /boot/efi/* |
| Command Execution (DC0064) | auditd:EXECVE | exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions |

| Field | Description |
|---|---|
| PackageManagerUpdateWhitelist | Allowlist of legitimate grub/shim updates via apt, yum, or rpm. |
| FilesystemPaths | Directories (e.g., /boot/efi, /boot/grub) monitored for unauthorized modification. |
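
The Linux analytic above works over auditd SYSCALL/PATH and EXECVE records. As an added example (not code from the page or from ATT&CK), the following parser groups records by audit serial, reports successful writes under `FilesystemPaths` by any executable outside `PackageManagerUpdateWhitelist`, and reports executions of efibootmgr or flashrom, or of dd whose `of=` target is a block device. The audit lines, the allowlist entries and the device prefixes are constructed assumptions; real rules would be loaded with `auditctl -w /boot/grub -p wa` style watches and the keys chosen at deployment.

```python
import re
from collections import defaultdict

# Mutable elements. Constructed values, not a distribution's authoritative list (assumption).
PACKAGE_MANAGER_UPDATE_WHITELIST = {
    "/usr/bin/dpkg", "/usr/bin/apt", "/usr/bin/rpm", "/usr/bin/yum",
    "/usr/sbin/grub-install", "/usr/sbin/grub-mkconfig",
}
FILESYSTEM_PATHS = ("/boot/efi", "/boot/grub")
BOOT_TOOLS = {"efibootmgr", "flashrom"}
BLOCK_DEVICE_PREFIXES = ("/dev/sd", "/dev/nvme", "/dev/vd", "/dev/mmcblk")

# Constructed audit records in auditd's key=value format (serials 300..330 are made up).
SAMPLE_AUDIT_LOG = r"""
type=SYSCALL msg=audit(1714557600.100:300): arch=c000003e syscall=59 success=yes exit=0 comm="dd" exe="/usr/bin/dd" key="boot_tools"
type=EXECVE msg=audit(1714557600.100:300): argc=3 a0="dd" a1="if=/tmp/stage.bin" a2="of=/dev/sda"
type=PATH msg=audit(1714557600.100:300): item=0 name="/usr/bin/dd" nametype=NORMAL
type=SYSCALL msg=audit(1714557600.101:301): arch=c000003e syscall=257 success=yes exit=3 comm="dd" exe="/usr/bin/dd" key="bootfiles"
type=PATH msg=audit(1714557600.101:301): item=0 name="/boot/grub/grub.cfg" nametype=NORMAL
type=EXECVE msg=audit(1714557700.000:310): argc=4 a0="efibootmgr" a1="-c" a2="-l" a3="\EFI\BOOT\BOOTX64.EFI"
type=SYSCALL msg=audit(1714557800.000:320): arch=c000003e syscall=257 success=yes exit=4 comm="dpkg" exe="/usr/bin/dpkg" key="bootfiles"
type=PATH msg=audit(1714557800.000:320): item=0 name="/boot/efi/EFI/ubuntu/shimx64.efi" nametype=NORMAL
type=EXECVE msg=audit(1714557900.000:330): argc=3 a0="dd" a1="if=/dev/zero" a2="of=/tmp/junk"
"""

KV = re.compile(r'(\w+)="?([^"\s]*)"?')      # key=value or key="value"
MSG_ID = re.compile(r"audit\([\d.]+:(\d+)\)")  # the serial after the timestamp


def parse_audit(text):
    """Group records that belong to one event (same serial): {serial: [fields, ...]}."""
    groups = defaultdict(list)
    for line in text.strip().splitlines():
        m = MSG_ID.search(line)
        if m:
            groups[int(m.group(1))].append(dict(KV.findall(line)))
    return groups


def boot_file_modifications(groups, allowlist=PACKAGE_MANAGER_UPDATE_WHITELIST, paths=FILESYSTEM_PATHS):
    """(serial, exe, path) for successful syscalls touching monitored boot paths from
    an executable that is not an allowlisted package-manager or grub tool."""
    alerts = []
    for serial, recs in sorted(groups.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not syscall or syscall.get("success") != "yes" or syscall.get("exe") in allowlist:
            continue
        for r in recs:
            if r.get("type") == "PATH" and r.get("name", "").startswith(paths):
                alerts.append((serial, syscall.get("exe", ""), r["name"]))
    return alerts


def boot_tool_executions(groups, tools=BOOT_TOOLS, devices=BLOCK_DEVICE_PREFIXES):
    """(serial, command line) for efibootmgr/flashrom, or dd writing to a block device."""
    alerts = []
    for serial, recs in sorted(groups.items()):
        for r in recs:
            if r.get("type") != "EXECVE":
                continue
            argv = [r[f"a{i}"] for i in range(int(r.get("argc", 0))) if f"a{i}" in r]
            if not argv:
                continue
            cmd = argv[0].rsplit("/", 1)[-1]
            dd_to_device = cmd == "dd" and any(a.startswith("of=") and a[3:].startswith(devices) for a in argv[1:])
            if cmd in tools or dd_to_device:
                alerts.append((serial, " ".join(argv)))
    return alerts


if __name__ == "__main__":
    groups = parse_audit(SAMPLE_AUDIT_LOG)
    print(boot_file_modifications(groups))
    print(boot_tool_executions(groups))
```

The dpkg write to shimx64.efi (serial 320) and the dd to /tmp (serial 330) produce no alert; the dd write to grub.cfg, the dd to /dev/sda and the efibootmgr boot-entry creation do. Joining on the serial matters: the EXECVE record carries the arguments while only the SYSCALL record carries `exe` and `success`.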

Abnormal modification of EFI firmware binaries in /System/Library/CoreServices/ or NVRAM parameters not associated with OS updates. Unified logs capturing calls to bless or nvram commands executed from untrusted parent processes. Sudden unsigned kext loads after EFI variable tampering.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of bless or nvram modifying boot parameters |
| File Modification (DC0061) | macos:unifiedlog | Modification of /System/Library/CoreServices/boot.efi |

| Field | Description |
|---|---|
| AllowedBootUtilities | Known Apple-signed processes responsible for firmware updates. |
| BootParamBaseline | Baseline set of allowed NVRAM boot parameters for anomaly detection. |
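
For the macOS analytic above, the two mutable elements map to two checks: a parent-process allowlist applied to bless/nvram executions, and a diff of the current NVRAM variables against `BootParamBaseline`. The following is an added example, not code from the page or from ATT&CK. The process events are constructed dicts as a log pipeline might normalise unified-log process records (the unified log itself does not carry a parent path, so that field is assumed to come from enrichment), the `/usr/libexec/vendor-updater` parent is a placeholder, and the NVRAM dump is constructed in the `key<TAB>value` layout that `nvram -p` prints.

```python
import os

# Mutable elements. Placeholder values, not Apple's actual updater paths (assumption).
ALLOWED_BOOT_UTILITIES = {"/usr/libexec/vendor-updater"}
BOOT_UTILITIES = {"bless", "nvram"}
BOOT_PARAM_BASELINE = {        # constructed baseline captured from a known-good host
    "boot-args": "",
    "SystemAudioVolume": "%80",
}

# Constructed process events: a shell driving bless/nvram, and an allowlisted updater.
SAMPLE_EVENTS = [
    {"time": "2024-05-01 10:00:00", "process": "/usr/sbin/bless", "parent": "/bin/bash",
     "args": ["bless", "--mount", "/Volumes/Untitled", "--setBoot"]},
    {"time": "2024-05-01 10:00:03", "process": "/usr/sbin/nvram", "parent": "/bin/bash",
     "args": ["nvram", "boot-args=-v"]},
    {"time": "2024-05-02 03:00:00", "process": "/usr/sbin/bless", "parent": "/usr/libexec/vendor-updater",
     "args": ["bless", "--folder", "/System/Library/CoreServices", "--bootefi"]},
]

# Constructed `nvram -p` style dump taken after the events above.
CURRENT_NVRAM = "boot-args\t-v\nSystemAudioVolume\t%80\nefi-boot-device\t<constructed-device-path>\n"


def untrusted_boot_utility_calls(events, allowed_parents=ALLOWED_BOOT_UTILITIES):
    """(process, parent, command line) for bless/nvram runs whose parent is not allowlisted."""
    return [
        (e["process"], e["parent"], " ".join(e["args"]))
        for e in events
        if os.path.basename(e["process"]) in BOOT_UTILITIES and e["parent"] not in allowed_parents
    ]


def parse_nvram_dump(text):
    """Parse key<TAB>value lines into a dict; a variable with an empty value maps to ''."""
    params = {}
    for line in text.splitlines():
        if "\t" in line:
            key, value = line.split("\t", 1)
            params[key] = value
    return params


def nvram_deviations(current, baseline=BOOT_PARAM_BASELINE):
    """(key, baseline value or None, current value) for every variable that differs
    from the baseline or did not exist in it, in the order the dump lists them."""
    return [(k, baseline.get(k), v) for k, v in current.items() if baseline.get(k) != v]


if __name__ == "__main__":
    for hit in untrusted_boot_utility_calls(SAMPLE_EVENTS):
        print("boot utility from untrusted parent:", hit)
    for key, old, new in nvram_deviations(parse_nvram_dump(CURRENT_NVRAM)):
        print(f"NVRAM {key}: baseline={old!r} current={new!r}")
```

The bless run from the allowlisted updater is not reported; the two shell-spawned runs are, and the NVRAM diff shows the `boot-args` change and a variable the baseline never contained. Variables Apple's own tooling legitimately rewrites should be added to the baseline rather than silenced in code.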

Unexpected firmware image uploads via TFTP/FTP/SCP. Configuration changes modifying boot image pointers. Logs showing boot variable redirection to non-standard images. Anomalous reboots immediately following firmware changes not tied to patch schedules.

| Data Component | Name | Channel |
|---|---|---|
| Firmware Modification (DC0004) | networkdevice:config | Boot variable modified to point to non-standard or unsigned image |
| Drive Modification (DC0046) | networkdevice:firmware | Unexpected firmware image upload events via TFTP/FTP/SCP |

| Field | Description |
|---|---|
| ApprovedFirmwareHashes | Known good firmware image hashes allowed for boot. |
| MaintenanceWindows | Timeframes during which firmware updates are expected. |
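
The network-device analytic above reduces to two checks that the mutable elements define: every uploaded image must hash to an entry in `ApprovedFirmwareHashes` and arrive inside a `MaintenanceWindows` entry, and every boot pointer in the configuration must name an approved image on local storage. The following is an added example, not code from the page or from ATT&CK or any vendor. The firmware images, their hashes, the upload events and the IOS-style `boot system` lines are all constructed; the hash set is derived in the block from the constructed images so that the approved/unapproved split is real rather than hard-coded.

```python
import hashlib
import re
from datetime import datetime

# Constructed stand-ins for vendor release images. In practice the approved hashes
# come from the vendor's published release digests (assumption).
VENDOR_IMAGES = {
    "router-os-17.3.bin": b"constructed approved image v17.3",
    "router-os-17.4.bin": b"constructed approved image v17.4",
}
APPROVED_FIRMWARE_HASHES = {hashlib.sha256(b).hexdigest() for b in VENDOR_IMAGES.values()}
MAINTENANCE_WINDOWS = [("2024-05-01T01:00:00", "2024-05-01T04:00:00")]  # constructed change window

# Constructed upload events as a collector might normalise device syslog for TFTP/FTP/SCP transfers.
FIRMWARE_UPLOADS = [
    {"time": "2024-05-01T02:15:00", "proto": "tftp", "file": "router-os-17.4.bin",
     "sha256": hashlib.sha256(VENDOR_IMAGES["router-os-17.4.bin"]).hexdigest()},
    {"time": "2024-05-03T14:20:00", "proto": "scp", "file": "router-os-custom.bin",
     "sha256": hashlib.sha256(b"constructed unapproved image").hexdigest()},
    {"time": "2024-05-01T03:30:00", "proto": "ftp", "file": "router-os-17.3.bin",
     "sha256": "0" * 64},   # right name, wrong digest: altered or corrupted image
]

# Constructed running-config excerpt modelled on IOS-style "boot system" statements.
RUNNING_CONFIG = """
hostname edge-rtr-1
boot system flash:router-os-17.4.bin
boot system tftp://192.0.2.10/router-os-custom.bin
boot system flash:backup/router-os-custom.bin
"""
BOOT_STATEMENT = re.compile(r"^\s*boot system\s+(\S+)")


def in_maintenance_window(ts, windows=MAINTENANCE_WINDOWS):
    t = datetime.fromisoformat(ts)
    return any(datetime.fromisoformat(a) <= t <= datetime.fromisoformat(b) for a, b in windows)


def firmware_upload_alerts(uploads, approved=APPROVED_FIRMWARE_HASHES, windows=MAINTENANCE_WINDOWS):
    """(file, [reasons]) for uploads whose digest is unapproved or that fall outside a window."""
    alerts = []
    for u in uploads:
        reasons = []
        if u["sha256"] not in approved:
            reasons.append("hash not in ApprovedFirmwareHashes")
        if not in_maintenance_window(u["time"], windows):
            reasons.append("outside MaintenanceWindows")
        if reasons:
            alerts.append((u["file"], reasons))
    return alerts


def boot_variable_alerts(config, approved_names=VENDOR_IMAGES.keys()):
    """(boot target, reason) for boot pointers that load over the network or name
    an image that is not in the approved set."""
    alerts = []
    for line in config.splitlines():
        m = BOOT_STATEMENT.match(line)
        if not m:
            continue
        target = m.group(1)
        image = target.rsplit("/", 1)[-1].rsplit(":", 1)[-1]   # strip flash:/dir/ prefixes
        if "://" in target:
            alerts.append((target, "boots from a network source"))
        elif image not in approved_names:
            alerts.append((target, "image not in approved set"))
    return alerts


if __name__ == "__main__":
    print(firmware_upload_alerts(FIRMWARE_UPLOADS))
    print(boot_variable_alerts(RUNNING_CONFIG))
```

The first upload (approved digest, inside the window) is silent; the custom image fails both checks and the renamed 17.3 image fails only the hash check, which is the case a filename-based allowlist would miss. Both boot pointers that do not resolve to an approved local image are reported, the network one regardless of its filename.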