
DET0150 Detection Strategy for File Creation or Modification of Boot Files

Item | Value
ID | DET0150
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1542.003 (Bootkit)

Analytics

Windows

AN0428

Detection of raw access to physical drives (Sysmon Event ID 9, RawAccessRead, reported against \Device\HarddiskN\DRN for a whole disk or \Device\HarddiskVolumeN for a volume), modification of boot records (MBR/VBR), and suspicious file creation or alteration within the EFI System Partition (ESP). Correlates privileged process execution with low-level disk access and unexpected driver or firmware interactions. Two properties of the log sources shape the analytic: Event ID 9 records raw reads only, so it catches an installer that reads the existing MBR/VBR before overwriting it (the common case, since the original sector is usually preserved for chain-loading) but not a pure write to \\.\PhysicalDrive0; and the ESP carries no drive letter by default, so the Event ID 11 TargetFilename pattern must match how the ESP appears once mounted on the host (for example S:\EFI\... after mountvol S: /S).

Log Sources
Data Component | Name | Channel
Drive Access (DC0054) | WinEventLog:Sysmon | EventCode=9
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Mutable Elements
Field | Description
KnownGoodMBRHashes | Baseline hashes of clean MBR/VBR sectors for comparison. Sysmon events do not carry sector contents, so the sectors must be read out of band (for example from \\.\PhysicalDrive0) and hashed separately.
ESPFileWhitelist | Approved EFI executables within ESP directories
TimeWindow | Correlation window between privileged access, raw disk modification, and EFI file creation
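The following Python is an added example of the AN0428 logic, not code from the DET0150 page or from ATT&CK: it correlates Sysmon Event ID 9 raw-disk reads with Event ID 11 file creations on the ESP within TimeWindow, filters by ESPFileWhitelist, and compares a boot sector against KnownGoodMBRHashes. The Sysmon events, the boot sectors, the whitelist entries, the 5-minute window and the assumption that the ESP is mounted at S: are all constructed for the example.

```python
"""Correlation logic for AN0428 over constructed Sysmon events (added example)."""
import hashlib
import re
from datetime import datetime, timedelta

# Mutable elements from the AN0428 table; values here are illustrative assumptions.
ESP_FILE_WHITELIST = {p.lower() for p in (
    r"\EFI\Microsoft\Boot\bootmgfw.efi", r"\EFI\Boot\bootx64.efi")}
TIME_WINDOW = timedelta(minutes=5)
# Drive letter an operator assigned to the ESP (e.g. "mountvol S: /S"). Assumed:
# EID 11 only reports ESP writes as S:\EFI\... while the volume is mounted there.
ESP_MOUNTS = ("S:",)
# Sysmon EID 9 reports a handle on a whole physical disk as \Device\HarddiskN\DRN;
# volume-level reads appear as \Device\HarddiskVolumeN and are ignored here.
RAW_DISK_RE = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)
SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"


def esp_relative(target):
    """Return the ESP-relative path (\\EFI\\...) or None if the file is not on the ESP."""
    for letter in ESP_MOUNTS:
        if target.upper().startswith(letter.upper() + "\\"):
            return target[len(letter):]
    return None


def correlate(events, window=TIME_WINDOW):
    """Alert on non-whitelisted ESP file creation (EID 11) by a process that also
    opened a raw disk handle (EID 9) within `window`. Events are dicts of Sysmon fields."""
    raw_reads = {}
    for ev in events:
        if ev["EventCode"] == 9 and RAW_DISK_RE.match(ev.get("Device", "")):
            raw_reads.setdefault(ev["ProcessGuid"], []).append(
                datetime.strptime(ev["UtcTime"], SYSMON_TS))
    alerts = []
    for ev in events:
        if ev["EventCode"] != 11:
            continue
        rel = esp_relative(ev["TargetFilename"])
        if rel is None or rel.lower() in ESP_FILE_WHITELIST:
            continue
        t_create = datetime.strptime(ev["UtcTime"], SYSMON_TS)
        if any(abs(t_create - t_raw) <= window
               for t_raw in raw_reads.get(ev["ProcessGuid"], [])):
            alerts.append({"Image": ev["Image"], "EspPath": rel, "UtcTime": ev["UtcTime"]})
    return alerts


def mbr_code_hash(sector):
    """SHA-256 of the bootstrap code area only (bytes 0..439). The disk signature and
    partition table behind it change legitimately, so KnownGoodMBRHashes is built from
    the code area alone. The 0x55AA boot signature is still required."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte boot sector")
    return hashlib.sha256(sector[:440]).hexdigest()


def mbr_is_known_good(sector, known_good_hashes):
    return mbr_code_hash(sector) in known_good_hashes


# Constructed boot sectors: a clean one, a copy with only the disk signature changed,
# and one whose first instruction was replaced by a jump into injected code.
CLEAN_MBR = (b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * 435          # code area (440 bytes)
             + b"\x11\x22\x33\x44\x00\x00" + b"\x00" * 64    # signature + partitions
             + b"\x55\xaa")
RELABELED_MBR = CLEAN_MBR[:440] + b"\xaa\xbb\xcc\xdd\x00\x00" + CLEAN_MBR[446:]
TAMPERED_MBR = b"\xe9\x00\x01" + CLEAN_MBR[3:]

# Constructed Sysmon events (not real telemetry), fields as Sysmon names them.
SAMPLE_EVENTS = [
    {"EventCode": 9, "UtcTime": "2025-10-21 14:02:11.101", "ProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\vssvc.exe", "Device": r"\Device\HarddiskVolume3"},
    {"EventCode": 9, "UtcTime": "2025-10-21 14:05:40.220", "ProcessGuid": "{B}",
     "Image": r"C:\Users\Public\stage.exe", "Device": r"\Device\Harddisk0\DR0"},
    {"EventCode": 11, "UtcTime": "2025-10-21 14:06:02.003", "ProcessGuid": "{B}",
     "Image": r"C:\Users\Public\stage.exe", "TargetFilename": r"S:\EFI\Boot\payload.efi"},
    {"EventCode": 11, "UtcTime": "2025-10-21 14:06:30.000", "ProcessGuid": "{C}",
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"S:\EFI\Microsoft\Boot\bootmgfw.efi"},
    {"EventCode": 11, "UtcTime": "2025-10-21 15:30:00.000", "ProcessGuid": "{B}",
     "Image": r"C:\Users\Public\stage.exe", "TargetFilename": r"S:\EFI\Boot\late.efi"},
]

if __name__ == "__main__":
    known_good = {mbr_code_hash(CLEAN_MBR)}
    for name, sector in (("clean", CLEAN_MBR), ("relabeled", RELABELED_MBR),
                         ("tampered", TAMPERED_MBR)):
        print(name, "known-good" if mbr_is_known_good(sector, known_good) else "MISMATCH")
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only the stage.exe creation of \EFI\Boot\payload.efi fires: the vssvc.exe read is volume-level, bootmgfw.efi is whitelisted, and the late.efi write falls outside the window. The hash covers only the 440-byte code area so that a legitimate disk-signature or partition-table change does not look like tampering; a VBR baseline would need the same treatment for its BIOS parameter block.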

Linux

AN0429

Detection of write opens on block devices (e.g. /dev/sda, /dev/nvme0n1), modifications of bootloader files under /boot (GRUB images, initrd, vmlinuz), and unexpected changes within the EFI System Partition (normally mounted at /boot/efi). Monitors privileged execution of utilities such as dd, grub-install or efibootmgr that write boot sectors or loader entries. Two points matter when building the auditd rules: the path-bearing PATH record is emitted with the open/openat syscall, while a subsequent write(2) carries only a file descriptor, so watch the device nodes and /boot for write access (for example auditctl -w /dev/sda -p w -k boot_dev_write) rather than keying on write alone; and efibootmgr changes boot entries through EFI variables under /sys/firmware/efi/efivars rather than files on the ESP, so its activity shows up as execution of the utility and as writes to efivarfs, not as ESP file modification.

Log Sources
Data Component | Name | Channel
File Modification (DC0061) | auditd:SYSCALL | open, write: write operations targeting /dev/sda, /dev/nvme0n1, or EFI partition mounts
Drive Modification (DC0046) | linux:syslog | Block device write errors or unusual bootloader activity
Mutable Elements
Field | Description
BootloaderHashBaseline | Baseline checksums of GRUB, kernel, and initramfs images. Kernel and package updates legitimately regenerate the initramfs and reinstall GRUB, so the baseline must be refreshed after those events or every update will alert.
EFIFileAllowlist | Trusted EFI executables for Linux environments
AlertThresholds | Tunable thresholds for triggering alerts on repeated EFI/bootloader writes
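The following Python is an added example of the AN0429 logic, not code from the DET0150 page or from ATT&CK: it parses auditd SYSCALL and PATH records, keeps only successful open/openat calls with a write mode (decoded from the hex flags argument), classifies the target as a block device or a file under /boot, marks whether the executable is a known boot tool, and applies AlertThresholds to repeated writes by one executable. The audit lines, the tool list, the threshold of 3, the x86_64 syscall numbers and the assumption that the ESP is mounted at /boot/efi are all constructed for the example.

```python
"""Detection logic for AN0429 over constructed auditd records (added example)."""
import re
from collections import defaultdict

# Mutable elements from the AN0429 table; values here are illustrative assumptions.
BOOT_TOOLS = {"/usr/bin/dd", "/usr/sbin/grub-install", "/usr/bin/efibootmgr"}
ALERT_THRESHOLD = 3            # writes by one executable before a "repeated writes" alert
# Whole disks and partitions, and the bootloader tree (ESP assumed mounted at /boot/efi).
BLOCK_DEV_RE = re.compile(r"^/dev/(sd[a-z]+|vd[a-z]+|nvme\d+n\d+|mmcblk\d+)(p?\d+)?$")
BOOT_PREFIX = "/boot/"
# x86_64 (arch=c000003e) syscall numbers -> which argument carries the open flags.
OPEN_FLAGS_ARG = {2: "a1", 257: "a2"}          # open -> a1, openat -> a2
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(lines):
    """Group auditd records by serial into events: {ts, SYSCALL, PATH[]}."""
    events = defaultdict(lambda: {"ts": 0.0, "SYSCALL": None, "PATH": []})
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[int(serial)]
        ev["ts"] = float(ts)
        if rtype == "SYSCALL":
            ev["SYSCALL"] = fields
        elif rtype == "PATH":
            ev["PATH"].append(fields)
    return [events[s] for s in sorted(events)]


def is_write_open(sc):
    """True if the SYSCALL record is open/openat with O_WRONLY or O_RDWR."""
    arg = OPEN_FLAGS_ARG.get(int(sc["syscall"]))
    if arg is None:
        return False
    flags = int(sc[arg], 16)                   # auditd prints arguments in hex
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)


def classify(ev):
    """Return (kind, target) for a successful write-open of a block device or a
    file under /boot, else None. PARENT path records are directories; skip them."""
    sc = ev["SYSCALL"]
    if sc is None or sc.get("success") != "yes" or not is_write_open(sc):
        return None
    for p in ev["PATH"]:
        name = p.get("name", "")
        if p.get("nametype") == "PARENT":
            continue
        if BLOCK_DEV_RE.match(name):
            return "block_device_write", name
        if name.startswith(BOOT_PREFIX):
            return "bootloader_file_write", name
    return None


def detect(lines, threshold=ALERT_THRESHOLD):
    """Return (findings, repeated): one finding per suspicious event and a map of
    executables that reached `threshold` writes (AlertThresholds)."""
    findings, per_exe = [], defaultdict(int)
    for ev in parse_records(lines):
        hit = classify(ev)
        if hit is None:
            continue
        kind, target = hit
        sc = ev["SYSCALL"]
        exe = sc.get("exe", "?")
        per_exe[exe] += 1
        findings.append({"ts": ev["ts"], "kind": kind, "target": target, "exe": exe,
                         "euid": sc.get("euid"), "known_boot_tool": exe in BOOT_TOOLS})
    repeated = {exe: n for exe, n in per_exe.items() if n >= threshold}
    return findings, repeated


# Constructed auditd lines (abbreviated field sets; not real logs).
SAMPLE_LOG = """
type=SYSCALL msg=audit(1761055200.101:901): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1b2c3 a2=241 a3=1b6 items=1 pid=2333 uid=0 euid=0 comm="dd" exe="/usr/bin/dd" key="boot_dev_write"
type=PATH msg=audit(1761055200.101:901): item=0 name="/dev/sda" inode=201 dev=00:06 mode=060660 ouid=0 ogid=6 rdev=08:00 nametype=NORMAL
type=SYSCALL msg=audit(1761055260.500:902): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1a2b3c4d a2=241 a3=1b6 items=2 pid=2410 uid=0 euid=0 comm="grub-install" exe="/usr/sbin/grub-install" key="boot_file_write"
type=PATH msg=audit(1761055260.500:902): item=0 name="/boot/grub/i386-pc/" inode=1001 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1761055260.500:902): item=1 name="/boot/grub/i386-pc/core.img" inode=1042 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1761055300.007:903): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1a2b3c4d a2=0 a3=0 items=1 pid=2500 uid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="boot_file_write"
type=PATH msg=audit(1761055300.007:903): item=0 name="/boot/vmlinuz-6.8.0-45-generic" inode=1100 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1761055900.010:904): arch=c000003e syscall=2 success=yes exit=5 a0=7f0000001000 a1=2 a2=0 a3=0 items=1 pid=3101 uid=0 euid=0 comm=".x" exe="/tmp/.x" key="boot_dev_write"
type=PATH msg=audit(1761055900.010:904): item=0 name="/dev/nvme0n1" inode=222 dev=00:06 mode=060660 ouid=0 ogid=6 rdev=103:00 nametype=NORMAL
type=SYSCALL msg=audit(1761055901.020:905): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=7f0000002000 a2=241 a3=1b6 items=2 pid=3101 uid=0 euid=0 comm=".x" exe="/tmp/.x" key="boot_file_write"
type=PATH msg=audit(1761055901.020:905): item=0 name="/boot/efi/EFI/BOOT/" inode=5 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1761055901.020:905): item=1 name="/boot/efi/EFI/BOOT/BOOTX64.EFI" inode=9 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1761055902.030:906): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=7f0000003000 a2=1 a3=0 items=1 pid=3101 uid=0 euid=0 comm=".x" exe="/tmp/.x" key="boot_file_write"
type=PATH msg=audit(1761055902.030:906): item=0 name="/boot/initrd.img-6.8.0-45-generic" inode=1101 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
""".strip().splitlines()

if __name__ == "__main__":
    findings, repeated = detect(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("repeated writes over threshold:", repeated)
```

The cat read of vmlinuz (flags 0, O_RDONLY) produces nothing; the dd and grub-install writes are reported but tagged as known boot tools so an analyst can suppress them during planned maintenance; the three writes by /tmp/.x (raw NVMe device, BOOTX64.EFI on the ESP, the initramfs) each produce a finding and together cross the threshold. Decoding the open flags rather than trusting the rule key keeps the logic correct if the same key is reused on a read-only watch.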