AhnLab EPP

Last updated Dec 2, 2025

Bootkit Detected

Detects bootkit malware in AhnLab EPP V3 malware alert logs.

Query

The AhnLab V3 antivirus engine detects bootkit malware with signatures such as Bootkit/Win.WhisperGate.R465555. Therefore, alerts are extracted when the signature value begins with Bootkit/.

| search signature == "Bootkit/*"

Message

  • AhnLab EPP V3 Bootkit Detected: Host $host_ip, Malware $signature

Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
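The rule's search condition and alert message replayed over constructed AhnLab EPP V3 alert records laid out in the Field Order above, as an added Python example (not Logpresso's or AhnLab's code; the tab-separated record layout, the glob match via fnmatchcase, and every host, user, path and hash below are assumptions, with only the WhisperGate signature taken from this page):

```python
from fnmatch import fnmatchcase

# Field layout from the rule's Field Order section.
FIELD_ORDER = ["_log_time", "hostname", "host_ip", "emp_name", "dept_name",
               "signature", "file_path", "file_status", "md5"]
SIGNATURE_PATTERN = "Bootkit/*"   # the rule's search condition
MESSAGE = "AhnLab EPP V3 Bootkit Detected: Host {host_ip}, Malware {signature}"

# Constructed sample alerts (tab-separated, one per line). Hosts, users,
# paths and hashes are placeholders; only the WhisperGate signature is real.
SAMPLE_LOG = """\
2025-12-02 09:14:03\tWS-FIN-017\t10.20.4.17\tjdoe\tFinance\tBootkit/Win.WhisperGate.R465555\tC:\\Windows\\Temp\\stage1.exe\tquarantined\t<constructed-md5-1>
2025-12-02 09:15:11\tWS-DEV-003\t10.20.8.3\tmlee\tDevelopment\tTrojan/Win.Generic.C1234\tC:\\Users\\mlee\\setup.exe\tdeleted\t<constructed-md5-2>
2025-12-02 09:16:45\tSRV-DB-01\t10.20.1.5\tsvc_db\tIT\tTrojan/Win.Bootkit.Dropper\tD:\\tmp\\x.bin\tquarantined\t<constructed-md5-3>
"""

def parse_alerts(text):
    """Split tab-separated alert lines into dicts keyed by FIELD_ORDER;
    lines with the wrong field count are skipped as malformed."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELD_ORDER):
            continue
        records.append(dict(zip(FIELD_ORDER, parts)))
    return records

def detect_bootkits(records):
    """Apply the rule: keep alerts whose signature matches Bootkit/* as a
    prefix glob. 'Bootkit' appearing elsewhere in the name does not match."""
    return [r for r in records if fnmatchcase(r["signature"], SIGNATURE_PATTERN)]

def format_message(record):
    """Render the rule's alert message for one matching record."""
    return MESSAGE.format(**record)

if __name__ == "__main__":
    for hit in detect_bootkits(parse_alerts(SAMPLE_LOG)):
        print(format_message(hit))
```

Only the first record fires: the third carries "Bootkit" inside the family name, which the prefix pattern `Bootkit/*` deliberately does not match.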

Threat Analysis

  • Bootkits are high-risk malware that interfere with the system boot process, gaining control at the earliest stage of system startup. Because they execute before the OS kernel, they can bypass security solutions and establish strong persistence.
  • They may tamper with the boot record (MBR/EBR) or EFI partition to implement rootkit capabilities, load additional payloads, or install backdoors, potentially giving the attacker full control of the system.
  • A bootkit detection indicates that the boot area may already be compromised, requiring immediate system isolation and in-depth analysis.

False Positives

  • Certain low-level disk utilities or forensic tools legitimately access the boot area, and their unusual disk access patterns may trigger a detection.

Response Actions

  • Immediately isolate the suspected endpoint from the network and perform an integrity check on the boot record (MBR/EFI).
  • Conduct a full disk scan and offline, deep malware analysis on the affected system.
  • If boot area tampering is confirmed, reinstall the OS or restore from a trusted backup.
  • Investigate the infection vector (e.g., vulnerability exploitation, malicious driver loading) and check for possible spread to other endpoints in the same network.

MITRE ATT&CK