Windows EFI Bootloader File Modification Detection
A process writing to the critical EFI bootloader files bootmgfw.efi or bootx64.efi within the \EFI\Boot\ directory of the EFI System Partition (ESP) may indicate a bootkit installation, persistence of malicious code below the operating system, or other tampering with the system boot process.
This detection identifies suspicious activity related to the modification of EFI bootloader files on Windows systems. bootx64.efi under \EFI\Boot\ is the default fallback loader path that UEFI firmware uses when no specific boot entry applies, and on Windows installations it is a copy of the Windows Boot Manager, bootmgfw.efi, whose primary location is \EFI\Microsoft\Boot\. Both are responsible for starting the Windows Boot Manager at system startup. Outside of operating-system installation, repair, and Windows servicing of the boot manager, modification or replacement of these files is highly unusual. Such activity may indicate an attacker's attempt to install a bootkit, establish persistence that survives reinstallation of the OS, or otherwise compromise the integrity of the boot process. The referenced HybridPetya ransomware, which deploys a UEFI bootkit, and CVE-2024-7344, a Secure Boot bypass in a signed third-party UEFI application documented by ESET, highlight the real-world use of bootloader modification for malicious purposes.
Attack Chain
- Initial access is gained through an existing vulnerability or compromised account.
- The attacker escalates privileges to obtain necessary permissions to modify system files.
- The attacker locates the EFI bootloader files (bootmgfw.efi or bootx64.efi) in the \EFI\Boot\ directory, typically after mounting the ESP, which normally has no drive letter.
- The attacker modifies the bootloader file, either injecting malicious code into it or replacing it with a compromised version (often renaming the original aside first).
- The system is rebooted, and the modified bootloader executes, initiating the malicious payload. If Secure Boot is enabled, an unsigned replacement will fail signature verification unless Secure Boot is disabled or bypassed, for example through a vulnerable signed loader such as the one affected by CVE-2024-7344.
- The malicious payload gains control early in the boot process, before the kernel, its security drivers, and EDR agents are loaded, and so can tamper with them as they start.
- The attacker achieves persistence, allowing them to maintain control over the system across reboots.
Impact
Successful modification of the EFI bootloader can result in a complete compromise of the affected system. Attackers can use this technique to install persistent malware that loads before OS-level security controls, bypass those controls, and use the host as a foothold to move laterally across the network. This can lead to data theft, system disruption, and other malicious activity. While specific victim numbers are unavailable, the criticality of the boot process means any successful attack can have severe consequences.
Recommendation
- Enable Sysmon Event ID 11 (FileCreate) logging so that writes to these files are recorded, and activate the provided Sigma rule. Note that because the ESP is normally unmounted, Sysmon may log its paths in the \\?\Volume{GUID}\EFI\... form rather than with a drive letter; make sure the rule's path matching accounts for both.
- Deploy the Sigma rule Windows EFI Bootloader File Modification to your SIEM and tune it for your environment, for example by allowlisting Windows servicing of the boot manager, to detect bootloader modifications without drowning in update noise.
- Review the references provided, including the Bleeping Computer article and the ESET research on CVE-2024-7344, for additional context on bootloader attacks.
- Investigate any alerts generated by this rule immediately, as they could indicate a serious compromise.
Detection coverage (2 rules)
Windows EFI Bootloader File Modification
Severity: high. Detects processes writing to critical EFI bootloader files (bootmgfw.efi or bootx64.efi) within the \EFI\Boot\ directory.
Suspicious Process Modifying EFI Bootloader via Rename
Severity: high. Detects processes renaming critical EFI bootloader files, potentially to replace them with malicious versions.
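The following is an added example, not the platform's own rule logic, showing how both rules above can be expressed as detection code and run over constructed Sysmon events represented as dicts of their fields. The file-write rule matches Sysmon Event ID 11 (FileCreate) targets; the rename rule is assumed here to match rename and move verbs in Event ID 1 (ProcessCreate) command lines, since the published rule's exact logic is not on this page. It goes beyond the page in two labelled ways: it also watches \EFI\Microsoft\Boot\, where Windows keeps its primary copy of bootmgfw.efi, and it adds a hypothetical allowlist for Windows servicing as a tuning example. All paths, image names, and events are constructed.

```python
"""Detection logic for the two rules above, run over constructed Sysmon events.

Rule 1 (file write): Sysmon Event ID 11 (FileCreate) whose TargetFilename is a
bootloader file on the EFI System Partition (ESP).
Rule 2 (rename): Sysmon Event ID 1 (ProcessCreate) whose command line renames
or moves such a file. The published rule's exact logic is not on the page;
matching on command-line rename verbs is this example's assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# File names named by the rules.
BOOTLOADER_FILES = {"bootmgfw.efi", "bootx64.efi"}

# ESP directories checked. \EFI\Boot\ is what the page's rules cover;
# \EFI\Microsoft\Boot\ is added because that is where Windows keeps its
# primary copy of bootmgfw.efi (generalization beyond the page).
BOOTLOADER_DIRS = {"\\efi\\boot\\", "\\efi\\microsoft\\boot\\"}

# Tuning allowlist (assumption, not part of the rules): Windows servicing
# legitimately rewrites the boot manager. In production key this on the
# signer or hash of the writer, not only its path, since a path is spoofable.
TRUSTED_WRITERS = {"c:\\windows\\servicing\\trustedinstaller.exe"}

# Rename/move verbs in cmd.exe and PowerShell command lines (assumption).
RENAME_VERB = re.compile(r"(?<![\w-])(?:ren|rename|move|rename-item|move-item)(?![\w-])", re.I)


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def normalize_path(path: str) -> str:
    r"""Lower-case and strip the volume prefix. The ESP usually has no drive
    letter, so Sysmon may log it as \\?\Volume{GUID}\EFI\...; if an admin or
    attacker mounted it (mountvol S: /S) it shows up as S:\EFI\... instead.
    Both forms must compare equal."""
    p = path.strip().lower().replace("/", "\\")
    p = re.sub(r"^\\\\\?\\volume\{[0-9a-f-]+\}", "", p)  # \\?\Volume{GUID}
    p = re.sub(r"^[a-z]:", "", p)                          # drive letter
    return p


def is_bootloader_path(path: str) -> bool:
    """True if path points at one of the critical bootloader files."""
    directory, _, name = normalize_path(path).rpartition("\\")
    return name in BOOTLOADER_FILES and directory + "\\" in BOOTLOADER_DIRS


def check_event(ev: dict) -> Optional[Alert]:
    """Apply both rules to one Sysmon event (as a dict of its fields)."""
    image = ev.get("Image", "")
    if ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        if is_bootloader_path(target) and image.lower() not in TRUSTED_WRITERS:
            return Alert("Windows EFI Bootloader File Modification", image, target)
    elif ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        # Either side of the rename may be the bootloader: renaming the
        # original aside, or moving a malicious file into its place.
        tokens = (t.strip("'\"") for t in cmd.split())
        if RENAME_VERB.search(cmd) and any(is_bootloader_path(t) for t in tokens):
            return Alert("Suspicious Process Modifying EFI Bootloader via Rename", image, cmd)
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run both rules over a stream of events and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\admin\\AppData\\Local\\Temp\\installer.exe",
     "TargetFilename": "\\\\?\\Volume{1b2c3d4e-0000-1111-2222-333344445555}\\EFI\\Boot\\bootx64.efi"},
    {"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "S:\\EFI\\Microsoft\\Boot\\bootmgfw.efi"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\admin\\Desktop\\bootx64.efi"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ren S:\\EFI\\Boot\\bootx64.efi bootx64.bak"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c \"Rename-Item 'S:\\EFI\\Boot\\bootx64.efi' 'orig.efi'\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c move C:\\tmp\\a.txt C:\\tmp\\b.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.image} -> {alert.detail}")
```

Running it produces one file-write alert (the Temp-dropped installer writing bootx64.efi through a volume GUID path) and two rename alerts (cmd.exe `ren` and PowerShell `Rename-Item`); the TrustedInstaller write is suppressed by the allowlist, and the same-named file on the desktop and the unrelated `move` are ignored. The path normalization is the part most worth carrying into a real rule: a rule that only matches `\EFI\Boot\` after a drive letter misses the volume GUID form Sysmon logs when the ESP is unmounted.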