Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0275: Analytic 0275

Unexpected write operations to BIOS/UEFI firmware regions or EFI boot partitions that do not correlate with legitimate vendor firmware updates. API calls or utilities such as fwupdate.exe or vendor flash tools executed from non-administrative or non-IT management accounts. Suspicious raw disk writes targeting System Firmware GUID partitions followed by abnormal reboot sequences.

EnterpriseAN0275AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting suspicious changes to Windows BIOS/UEFI firmware areas or EFI boot partitions when those changes do not line up with an approved vendor firmware update. For leaders, the significance is that firmware and boot-level changes sit below normal operating system controls; if visibility or change governance is weak, an organization may struggle to prove system integrity after an incident or outage.

Executive priority

Prioritize this as an operational resilience and assurance question: can the organization distinguish authorized firmware maintenance from unexpected firmware or EFI partition modification on Windows systems? Security, IT operations, and audit stakeholders should verify that firmware update processes are controlled, attributable to administrative or IT management accounts, and supported by evidence. This is especially relevant where endpoint integrity, incident containment confidence, or compliance evidence depends on proving that boot and firmware layers have not been tampered with.

Technical view

For SOC, detection engineering, and IR teams, validate whether Windows telemetry can show write operations to BIOS/UEFI firmware regions, EFI boot partitions, raw disk writes to System Firmware GUID partitions, execution of fwupdate.exe or vendor flash utilities, the account context used, and reboot behavior following those actions. Because the ATT&CK object provides no separate detection logic and no tactic mapping, treat this as a validation target rather than a ready-to-deploy rule. Correlate firmware or EFI write activity with approved change windows, known vendor update tooling, IT management accounts, and endpoint reboot sequences.

Likely telemetry

  • Windows process execution telemetry for fwupdate.exe and vendor firmware flash utilities
  • Account and privilege context for firmware update or disk-write activity
  • Raw disk or partition write telemetry, where available
  • EFI boot partition and System Firmware GUID partition modification evidence
  • Endpoint reboot and shutdown event timing following suspected firmware or EFI changes

Detection direction

  • Baseline legitimate firmware update workflows, including expected tools, paths, parent processes, accounts, and maintenance windows.
  • Alert or hunt for firmware update utilities executed by non-administrative or non-IT management accounts, as described in the ATT&CK analytic.
  • Correlate suspected BIOS/UEFI or EFI partition writes with vendor update evidence before escalating, because legitimate firmware maintenance can resemble the same low-level behavior.
  • Look for suspicious raw disk writes targeting System Firmware GUID partitions followed by abnormal reboot sequences.
  • Identify visibility gaps: many environments collect process logs but lack reliable raw disk, EFI partition, or firmware-region write telemetry.

Mitigation priorities

  • Define and enforce an approved firmware update process with documented tools, accounts, and change windows.
  • Restrict firmware update and raw disk write capability to authorized administrative or IT management workflows.
  • Maintain auditable records tying firmware update activity to approved change management.
  • Ensure endpoint monitoring and incident response procedures include collection of process, account, partition-write, and reboot evidence relevant to firmware or EFI changes.
  • Review Windows endpoint hardening and administrative privilege practices so non-IT accounts are not used for firmware maintenance.
Analyst notes and limits

This Glexia take is based on the supplied ATT&CK detection analytic AN0275. The object is Windows-specific and describes suspicious BIOS/UEFI firmware region or EFI boot partition write behavior, nonstandard use of fwupdate.exe or vendor flash tools, raw writes to System Firmware GUID partitions, and abnormal reboot sequences. No relationship context, tactic mapping, aliases, or official detection logic were supplied.

The supplied object is a detection analytic, not a full technique entry, and includes no official detection implementation, no related techniques, and no relationship context. Local environment data is required to determine what firmware tools are legitimate, which accounts are authorized, whether raw disk or EFI partition telemetry is collected, and what reboot patterns are normal.

Official MITRE ATT&CK definition

Analytic 0275

Unexpected write operations to BIOS/UEFI firmware regions or EFI boot partitions that do not correlate with legitimate vendor firmware updates. API calls or utilities such as fwupdate.exe or vendor flash tools executed from non-administrative or non-IT management accounts. Suspicious raw disk writes targeting System Firmware GUID partitions followed by abnormal reboot sequences.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f69500545ec3733b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f69500545ec3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0275
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use