Detection of anomalous driver and firmware interactions, including unsigned or unexpected firmware updates, driver loads linked to hardware components, and suspicious use of privileged APIs to read/write firmware or controller memory.

| Data Component | Name | Channel |
|---|---|---|
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |
| Firmware Modification (DC0004) | firmware:integrity | Firmware integrity verification failures or mismatches against expected UEFI/firmware image baselines |

| Field | Description |
|---|---|
| KnownGoodFirmwareHashes | Environment-specific list of baseline firmware images for integrity comparison |
| DriverAllowList | Drivers approved for loading in production environments |
| TimeWindow | Correlation period between firmware modification attempt and abnormal driver or process behavior |

Detection of suspicious use of ioctl/sysfs calls to access device firmware, unexpected flashing tools execution, and anomalous firmware checksums logged by SMART or kernel audit mechanisms.

| Data Component | Name | Channel |
|---|---|---|
| Firmware Modification (DC0004) | auditd:SYSCALL | ioctl/write: Direct firmware update or device memory manipulation syscalls |
| Driver Load (DC0079) | linux:syslog | Driver load events or firmware load failures for hardware devices |

| Field | Description |
|---|---|
| FirmwareImageBaseline | Baseline firmware checksums for comparison |
| AlertThresholds | Tolerance levels for SMART errors before triggering alerts |

Detection of EFI/firmware manipulation attempts via abnormal driver loads, unsigned kexts, or tampered NVRAM variables associated with component firmware configuration.

| Data Component | Name | Channel |
|---|---|---|
| Firmware Modification (DC0004) | macos:unifiedlog | Firmware update events or kernel extension (kext) loads not signed by Apple |

| Field | Description |
|---|---|
| ApprovedKextList | List of trusted and signed kexts permitted in production systems |
| EFIHashBaseline | Known-clean EFI image hashes used for verification |
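All three analytics above share one shape: compare measured firmware hashes against a baseline, flag driver or kext loads outside an allow list, and correlate the two within a time window. The following is an added illustration of that correlation logic (not part of the original detection strategy), written against the Windows analytic's Sysmon EventCode 6 fields (UtcTime, ImageLoaded, Signed); the baselines, allow list, window and telemetry records are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed stand-ins for KnownGoodFirmwareHashes, DriverAllowList and TimeWindow
KNOWN_GOOD_FIRMWARE_HASHES = {"nic0": "hash-nic-good", "bmc0": "hash-bmc-good"}
DRIVER_ALLOW_LIST = {r"C:\Windows\System32\drivers\storport.sys"}
TIME_WINDOW = timedelta(minutes=15)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def firmware_mismatches(integrity_events):
    """Integrity checks whose measured hash differs from the per-component baseline."""
    return [e for e in integrity_events
            if KNOWN_GOOD_FIRMWARE_HASHES.get(e["component"]) != e["hash"]]

def suspicious_driver_loads(sysmon_events):
    """Sysmon EventCode 6 loads that are unsigned or not on the allow list."""
    return [e for e in sysmon_events
            if e["EventCode"] == 6
            and (e["Signed"] != "true" or e["ImageLoaded"] not in DRIVER_ALLOW_LIST)]

def correlate(integrity_events, sysmon_events, window=TIME_WINDOW):
    """Pair each firmware mismatch with suspicious driver loads inside the window."""
    alerts = []
    for fw in firmware_mismatches(integrity_events):
        for drv in suspicious_driver_loads(sysmon_events):
            if abs(_ts(drv["UtcTime"]) - _ts(fw["time"])) <= window:
                alerts.append((fw["component"], drv["ImageLoaded"]))
    return alerts

# Constructed sample telemetry: one baseline mismatch on bmc0, two unsigned loads
FIRMWARE_EVENTS = [
    {"time": "2024-03-01 09:00:00", "component": "nic0", "hash": "hash-nic-good"},
    {"time": "2024-03-01 09:05:00", "component": "bmc0", "hash": "hash-bmc-unknown"},
]
SYSMON_EVENTS = [
    {"EventCode": 6, "UtcTime": "2024-03-01 08:58:00", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\storport.sys"},
    {"EventCode": 6, "UtcTime": "2024-03-01 09:07:30", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\unknownfw.sys"},          # inside window
    {"EventCode": 1, "UtcTime": "2024-03-01 09:08:00", "Signed": "true",
     "ImageLoaded": ""},                                          # not a driver load
    {"EventCode": 6, "UtcTime": "2024-03-01 11:00:00", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\late.sys"},                 # outside window
]

if __name__ == "__main__":
    for component, driver in correlate(FIRMWARE_EVENTS, SYSMON_EVENTS):
        print(f"ALERT: firmware mismatch on {component} near unapproved driver load {driver}")
```

Only the unsigned load within 15 minutes of the bmc0 mismatch produces an alert; the signed allow-listed driver and the unsigned load two hours later do not.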