Severity: high
Type: advisory
Windows EFI Bootloader File Modification Detection
2 rules, 1 TTP, 1 CVE
A process writing to critical EFI bootloader files (bootmgfw.efi or bootx64.efi) within the \EFI\Boot\ directory may indicate a bootkit installation, malicious code persistence at the firmware level, or tampering with the system boot process.
Platforms: Splunk Enterprise +2
Tags: bootkit, persistence, efi, bootloader, windows
Severity: high
Type: advisory
Windows EFI Volume Mount Attempt via Mountvol
2 rules, 3 TTPs
Detection of attempts to mount the EFI volume on Windows systems using mountvol.exe, potentially leading to system compromise.
Platforms: Splunk Enterprise +2
Tags: efi, mountvol, windows, persistence, defense-evasion