
Analyzing UEFI Bootkit Persistence

When to Use

  • A compromised system re-establishes C2 communication after OS reinstallation or disk replacement
  • Secure Boot has been tampered with, disabled, or shows unexpected Machine Owner Key (MOK) enrollment
  • Firmware integrity verification fails against vendor-provided baselines
  • Memory forensics reveals rootkit components loading during the early boot phase
  • Investigating advanced persistent threat (APT) campaigns known to deploy UEFI implants
  • Auditing firmware security posture for enterprise endpoint hardening

Do not use for standard MBR-based bootkits on legacy BIOS systems without UEFI; use MBR/VBR bootkit analysis instead.

Prerequisites

Installs: 125
GitHub Stars: 24.2K
First Seen: Mar 28, 2026
analyzing-uefi-bootkit-persistence — mukul975/anthropic-cybersecurity-skills