| Log Source | Detection Detail |
|---|---|
| auditd:SYSCALL | Write access to /dev/mem or /sys/firmware/efi/efivars |
| auditd:SYSCALL | ioctl/write: direct firmware update or device memory manipulation syscalls |
| etw:Microsoft-Windows-Kernel-Storage | Raw disk I/O operations bypassing NTFS APIs |
| Firmware | None |
| firmware:integrity | Baseline mismatch or unexpected EFI module detected during integrity checks |
| firmware:integrity | Firmware integrity verification failures or mismatches against expected UEFI/firmware image baselines |
| firmware:runtime | Debug or memory access commands indicating attempts to alter OS instructions in memory |
| firmware:smart | Unexpected firmware-level errors or abnormal S.M.A.R.T. log entries |
| macos:osquery | Unexpected changes in EFI or NVRAM variables controlling hardware boot state |
| macos:unifiedlog | Boot failure events or SMC validation errors |
| macos:unifiedlog | Firmware update events or kernel extension (kext) loads not signed by Apple |
| networkdevice:config | Boot image path or firmware configuration variable modified outside of maintenance windows |
| networkdevice:config | Log entries indicating ROMMON image upgrade commands (boot system, upgrade rom-monitor) |
| networkdevice:config | Boot variable modified to point to a non-standard or unsigned image |
| networkdevice:firmware | Firmware update initiated or bootloader tampering detected |
| networkdevice:syslog | Image upgrade / configuration change |
| networkdevice:syslog | Custom firmware or routing changes |
| networkdevice:syslog | Boot information log showing image loaded from TFTP server instead of local storage |
| WinEventLog:Microsoft-Windows-Kernel-Boot | Firmware integrity validation failed or boot configuration tampered |
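As an added example (not part of the original page), the auditd:SYSCALL rows can be turned into detection logic: this Python script correlates auditd SYSCALL and PATH records by event serial and flags successful writable opens, writes or ioctl calls on /dev/mem, /dev/kmem, /dev/port or the efivars filesystem. The watched-path list, the syscall-number table (x86_64) and the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Paths from the auditd:SYSCALL row (prefix match); x86_64 (arch=c000003e) syscalls that can write to or manipulate them.
WATCHED_PREFIXES = ("/dev/mem", "/dev/kmem", "/dev/port", "/sys/firmware/efi/efivars")
WRITE_SYSCALLS = {"1": "write", "2": "open", "16": "ioctl", "18": "pwrite64", "257": "openat"}
O_WRONLY, O_RDWR = 0x1, 0x2  # open(2) access-mode bits; read-only opens are not flagged

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd line into its key=value fields plus the event serial, or None."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["serial"] = m.group("serial")
    return fields

def is_write_open(rec):
    """open/openat only count when opened writable; the other syscalls are writes by nature."""
    if rec.get("syscall") in ("2", "257"):
        flags = int(rec.get("a1" if rec["syscall"] == "2" else "a2", "0"), 16)  # auditd logs args in hex
        return bool(flags & (O_WRONLY | O_RDWR))
    return True

def detect_firmware_writes(lines):
    """Correlate SYSCALL and PATH records by serial; return one alert per suspicious event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    alerts = []
    for serial, recs in events.items():
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and r.get("name", "").startswith(WATCHED_PREFIXES)]
        for sc in recs:
            if (sc.get("type") == "SYSCALL" and sc.get("syscall") in WRITE_SYSCALLS
                    and sc.get("success") == "yes" and paths and is_write_open(sc)):
                alerts.append({"serial": serial, "syscall": WRITE_SYSCALLS[sc["syscall"]],
                               "path": paths[0], "exe": sc.get("exe"), "pid": sc.get("pid"), "uid": sc.get("uid")})
    return alerts

# Constructed sample: a writable open of /dev/mem (flagged) and a read-only open of an EFI variable (not flagged).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=1 a3=0 items=1 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 comm="dd" exe="/usr/bin/dd" key="devmem"',
    'type=PATH msg=audit(1700000000.100:501): item=0 name="/dev/mem" inode=6 dev=00:06 mode=020640 ouid=0 ogid=15 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.200:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=1 pid=4300 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="efivars"',
    'type=PATH msg=audit(1700000000.200:502): item=0 name="/sys/firmware/efi/efivars/BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c" inode=9 dev=00:07 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
]
```

A later write(2) or ioctl(2) on an already-open descriptor produces a SYSCALL record with no PATH record, so this detection keys on the writable open; audit rules of the form `-w /dev/mem -p w` give it the records it needs.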