Windows EFI Volume Mount Attempt via Mountvol
Detection of attempts to mount the EFI volume on Windows systems using mountvol.exe, potentially leading to system compromise.
This detection identifies attempts to mount the EFI volume on Windows systems using the mountvol.exe utility. The EFI system partition (ESP) is a special partition crucial for system booting. Unauthorized modification of the ESP can compromise system integrity, allowing attackers to alter what the system runs at boot. This technique is associated with attacks like PKFail. The threat covers compromise of Windows systems and the ability to modify the boot process for malicious purposes, affecting system integrity and security. The detection leverages process monitoring to identify suspicious use of mountvol.exe.
Attack Chain
- An attacker gains initial access to the system, potentially through social engineering or exploitation of a vulnerability.
- The attacker executes mountvol.exe with the -S or /S parameter to mount the EFI volume.
- The attacker gains write access to the EFI system partition.
- The attacker modifies bootloaders or other EFI executables.
- The attacker may install malicious drivers or backdoors into the EFI partition.
- The system is rebooted, triggering the malicious code within the EFI partition.
- The malicious code compromises the operating system during the boot process.
- The attacker achieves persistence and control over the system.
Impact
Successful exploitation can lead to persistent malware installation, allowing attackers to maintain control over the compromised system even after reboots or OS reinstalls. The impact includes potential data theft, system corruption, and the ability to install rootkits that are difficult to detect. If successful, the attacker can gain complete control over the system.
Recommendation
- Deploy the Sigma rule Detect EFI Volume Mount via Mountvol to your SIEM and tune it for your environment.
- Monitor process execution logs for instances of mountvol.exe being executed with the -S or /S parameters.
- Investigate any alerts generated by the Sigma rule, paying close attention to the parent processes and user accounts involved.
- Implement strict access controls on the EFI system partition to prevent unauthorized modifications.
- Regularly scan systems for signs of EFI-based rootkits or other malicious modifications.
Detection coverage (2 rules)
- Detect EFI Volume Mount via Mountvol (severity: high): Detects attempts to mount the EFI volume using mountvol.exe
- Detect EFI Volume Mount via Original Filename (severity: high): Detects attempts to mount the EFI volume by original filename
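The two rules above and the monitoring recommendation boil down to one question per process-creation event: is this mountvol.exe (by image name, or by original file name when the binary has been renamed) and does its command line carry the /S or -S switch? The following is an added example of that logic, not the platform's Sigma rules, run over constructed Sysmon Event ID 1 style records. Field names follow Sysmon conventions, the OriginalFileName value MOUNTVOL.EXE is an assumption, and the sample events are made up; it goes slightly beyond the page by tokenising the command line so that a path that merely contains the characters /S does not fire.

```python
"""Toy detection logic for EFI System Partition mounts via mountvol.exe.

Added example, not the platform's Sigma rules. It mirrors the two rule
descriptions on the page (match on image name, match on original file name)
over constructed Sysmon Event ID 1 style records. The OriginalFileName value
"MOUNTVOL.EXE" is an assumption.
"""
import shlex
from typing import Dict, List

RULE_IMAGE = "Detect EFI Volume Mount via Mountvol"
RULE_ORIGINAL_NAME = "Detect EFI Volume Mount via Original Filename"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1: straightforward ESP mount from an interactive shell
        "Image": r"C:\Windows\System32\mountvol.exe",
        "OriginalFileName": "MOUNTVOL.EXE",
        "CommandLine": "mountvol.exe Z: /S",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\jdoe",
    },
    {   # 2: binary copied and renamed; only OriginalFileName still gives it away
        "Image": r"C:\Users\Public\mv.exe",
        "OriginalFileName": "MOUNTVOL.EXE",
        "CommandLine": r'"C:\Users\Public\mv.exe" S: -S',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": r"CORP\svc-build",
    },
    {   # 3: benign use, lists a volume mount point only
        "Image": r"C:\Windows\System32\mountvol.exe",
        "OriginalFileName": "MOUNTVOL.EXE",
        "CommandLine": "mountvol.exe D: /L",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\admin",
    },
    {   # 4: unrelated tool that happens to take a -S switch
        "Image": r"C:\Tools\backup.exe",
        "OriginalFileName": "BACKUP.EXE",
        "CommandLine": r"backup.exe -S S:\share -d E:\out",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "User": "NT AUTHORITY\\SYSTEM",
    },
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mounts_esp(command_line: str) -> bool:
    """True when the command line carries a standalone /S or -S switch.

    Tokenising (rather than substring search) keeps the check to actual
    switches, so a path such as C:/Scripts does not match. Windows switches
    are case-insensitive, so /s and -s are matched too.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:       # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    return any(tok.lower() in ("/s", "-s") for tok in tokens[1:])


def matched_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of the page's two rules that fire on one event."""
    if not mounts_esp(event.get("CommandLine", "")):
        return []
    rules = []
    if basename(event.get("Image", "")) == "mountvol.exe":
        rules.append(RULE_IMAGE)
    if event.get("OriginalFileName", "").upper() == "MOUNTVOL.EXE":
        rules.append(RULE_ORIGINAL_NAME)
    return rules


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One alert per matching event, carrying the parent process and user
    that the recommendation above says to look at first during triage."""
    alerts = []
    for ev in events:
        rules = matched_rules(ev)
        if rules:
            alerts.append({
                "rules": rules,
                "severity": "high",
                "command_line": ev.get("CommandLine", ""),
                "parent": ev.get("ParentImage", ""),
                "user": ev.get("User", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {', '.join(alert['rules'])}")
        print(f"    cmd={alert['command_line']!r} parent={alert['parent']} user={alert['user']}")
```

Events 1 and 2 produce alerts; event 3 (listing only) and event 4 (a -S switch on a different binary) do not. The original-filename rule is the one that survives a renamed copy, which is why the page ships both. Tuning for a real environment means excluding known deployment or imaging tooling by parent process and user rather than by loosening the switch match.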
Detection queries are kept inside the platform.