| name | hunting-bootkits-in-efi-system-partition |
| description | Baseline the EFI System Partition and hunt malicious EFI binaries (ESPecter, BlackLotus, Bootkitty, Glupteba) by mounting the ESP, hashing and verifying boot loaders, scanning with YARA, and detecting anomalous non-EFI files. |
| domain | cybersecurity |
| subdomain | hardware-firmware-security |
| tags | ["bootkit","uefi","efi-system-partition","secure-boot","firmware-forensics","threat-hunting","yara","measured-boot"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["DE.CM-01"] |
| mitre_attack | ["T1542.003"] |
Hunting Bootkits in the EFI System Partition
Overview
The EFI System Partition (ESP) is a small FAT32-formatted partition that the platform firmware reads at power-on to locate and execute the operating system's boot loader. Because it executes before the operating system, kernel, and any EDR agent, the ESP is one of the most coveted persistence locations for advanced adversaries. UEFI bootkits that live on the ESP survive OS reinstallation, disk reformatting of the OS partition, and most endpoint defenses.
This skill follows the detection research published by Eclypsium ("Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot", and the Bootkitty and Glupteba analyses) and aligns with the ESP-hunting methodology Rapid7 documented for Velociraptor (Windows.Forensics.UEFI, Windows.Detection.Yara.UEFI). The threat context is concrete and current:
- ESPecter (ESET, 2021) — a UEFI bootkit that persists on the ESP as a patched Windows Boot Manager (
bootmgfw.efi) plus malicious kernel-mode drivers. It marked the move of UEFI threats from SPI flash to the ESP, where they are far easier to deploy.
- BlackLotus (2023) — the first in-the-wild UEFI bootkit able to bypass Secure Boot on fully patched Windows 11 by exploiting CVE-2022-21894 ("baton drop") and staging a vulnerable signed
bootmgfw.efi on the ESP.
- Bootkitty (2024) — the first UEFI bootkit targeting Linux, dropped onto the ESP.
- Glupteba — commodity malware whose UEFI variant replaces software on the EFI partition.
The core detection insight from Eclypsium and Rapid7 is that the bootloader normally changes only during a vendor or OS update; an out-of-band change to ESP binaries, an unsigned or untrusted-signed boot loader, or any file in the ESP root that is not under the EFI/ directory is a high-fidelity indicator of compromise. This skill builds that baseline and hunts deviations from it.
When to Use
- During proactive threat hunts for firmware/bootkit persistence (MITRE ATT&CK T1542.003 — Pre-OS Boot: Bootkit)
- After an incident where an adversary achieved SYSTEM/root and may have established below-OS persistence
- When validating Secure Boot posture across a fleet and confirming boot-chain integrity
- As a periodic integrity check, comparing the current ESP contents against a trusted golden baseline
- When triaging hosts that show measured-boot (TPM PCR) mismatches
Prerequisites
Objectives
- Mount and enumerate the ESP read-only without altering evidence
- Inventory every EFI binary and compute cryptographic hashes
- Verify Secure Boot signatures on each boot loader against trusted keys
- Compare contents against a golden baseline to surface out-of-band changes
- YARA-scan ESP binaries for known bootkit signatures
- Flag anomalies: files outside
EFI/, unsigned loaders, modified bootmgfw.efi/grubx64.efi, and tampered boot entries
- Confirm measured-boot (TPM PCR 0/2/4) integrity where TPM is present
MITRE ATT&CK Mapping
| ID | Name | Relevance |
|---|
| T1542.003 | Pre-OS Boot: Bootkit | Adversaries place malicious boot loaders on the ESP to execute before the OS and EDR, achieving stealthy, resilient persistence. This skill hunts exactly that artifact. |
Workflow
Step 1: Identify and mount the ESP read-only
The ESP is a FAT32 partition, usually flagged EF00 (GPT) or esp,boot. Locate it and mount read-only to preserve evidence.
sudo lsblk -o NAME,FSTYPE,PARTTYPENAME,MOUNTPOINT
sudo fdisk -l | grep -i "EFI System"
sudo mkdir -p /mnt/esp
sudo mount -o ro,umask=077 /dev/sda1 /mnt/esp
ls -la /mnt/esp
Step 2: Detect anomalous top-level entries (high-fidelity hunt)
Per Rapid7/Velociraptor guidance, the ESP root should contain only the EFI/ directory (and possibly a vendor System Volume Information). Anything else is suspicious.
find /mnt/esp -maxdepth 1 -mindepth 1 ! -name 'EFI' ! -iname 'System Volume Information'
find /mnt/esp -type f \( -iname '*.efi' -o -iname '*.sys' -o -iname '*.dll' \) -printf '%p\t%s bytes\t%TY-%Tm-%Td\n'
Step 3: Inventory and hash every EFI binary
Compute SHA-256 of all boot binaries for baseline comparison and threat-intel lookup.
find /mnt/esp -type f \( -iname '*.efi' -o -iname '*.sys' \) -print0 \
| xargs -0 sha256sum | tee /tmp/esp_hashes.txt
sha256sum /mnt/esp/EFI/Microsoft/Boot/bootmgfw.efi 2>/dev/null
sha256sum /mnt/esp/EFI/Boot/bootx64.efi 2>/dev/null
sha256sum /mnt/esp/EFI/*/grubx64.efi /mnt/esp/EFI/*/shimx64.efi 2>/dev/null
Submit unknown hashes to VirusTotal / the LOLDrivers and Binarly catalogs to identify known-vulnerable or malicious loaders (e.g., the BlackLotus-abused bootmgfw.efi builds).
Step 4: Verify Secure Boot signatures on each loader
A legitimate loader is signed by Microsoft UEFI CA (Windows/shim) or the distro vendor. Use sbverify to list/verify signatures and pesign for the certificate chain.
sbverify --list /mnt/esp/EFI/Microsoft/Boot/bootmgfw.efi
sudo efi-readvar -v db -o /tmp/db.esl
sbverify --cert /path/to/MicrosoftUEFICA.pem /mnt/esp/EFI/Boot/bootx64.efi
pesign -S -i /mnt/esp/EFI/Microsoft/Boot/bootmgfw.efi
An unsigned loader, a loader signed by an unexpected/self-signed certificate, or a known-vulnerable signed binary staged by an attacker (BlackLotus technique) is a confirmed finding.
Step 5: Compare against the golden baseline
Diff the live ESP hash inventory against a trusted baseline captured from a clean image of the same OS/vendor build.
awk '{print $1}' /tmp/esp_hashes.txt | sort > /tmp/live.sha256
sort baseline_esp_hashes.sha256 > /tmp/base.sha256
comm -23 /tmp/live.sha256 /tmp/base.sha256
Because the bootloader changes only during legitimate updates, any new hash that does not correspond to a known patch is an actionable lead.
Step 6: YARA-scan ESP binaries for bootkit signatures
Run YARA rules for known bootkits (ESPecter, BlackLotus, Bootkitty, CosmicStrand) across the ESP — the same approach as Velociraptor's Windows.Detection.Yara.UEFI.
yara -r -w bootkit_rules.yar /mnt/esp/
yara -r bootkit_rules.yar /mnt/esp/EFI/
Source rules from the YARA-Rules project, Eclypsium/Binarly publications, and ESET's bootkit reports.
Step 7: Inspect and validate UEFI boot entries
ESPecter-class bootkits manipulate the boot order/entries. Enumerate NVRAM boot variables and confirm each points to an expected, signed loader.
sudo efibootmgr -v
mokutil --sb-state
sudo efi-readvar -v dbx -o /tmp/dbx.esl
A boot entry referencing a file outside \EFI\ or a loader whose hash appears in dbx (revoked) but is still present indicates tampering.
Step 8: Validate measured boot against TPM PCRs (where available)
Measured boot records the boot-chain components into TPM PCRs (notably PCR 0, 2, 4). A bootkit that alters loaders changes these measurements.
sudo tpm2_pcrread sha256:0,2,4,7
sudo tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
Compare measured values against the host's known-good attestation baseline; an unexplained PCR 4 change correlates with a modified boot loader.
Step 9: Document findings and preserve evidence
sudo dd if=/dev/sda1 of=/evidence/esp_$(hostname)_$(date +%F).img bs=4M conv=noerror,sync
sha256sum /evidence/esp_*.img > /evidence/esp_image.sha256
sudo umount /mnt/esp
Record every anomalous binary (path, hash, signature status, baseline diff result, YARA match) in the case file before any cleanup.
Tools and Resources
Known Bootkit Indicators
| Bootkit | ESP Artifact / Behavior | Reference |
|---|
| ESPecter | Patched bootmgfw.efi + kernel drivers on ESP | ESET WeLiveSecurity 2021 |
| BlackLotus | Vulnerable signed bootmgfw.efi staged to bypass Secure Boot (CVE-2022-21894) | ESET 2023 |
| Bootkitty | Malicious EFI loader on ESP targeting Linux | ESET / Eclypsium 2024 |
| Glupteba (UEFI) | Replaces software on the EFI partition | Eclypsium |
| CosmicStrand | UEFI firmware implant hooking the boot chain | Eclypsium / Kaspersky |
Validation Criteria
