Bypass Record

Pre-OS Boot × Microsoft Windows (DSE)

A publicly-reported instance of Pre-OS Boot bypassing Microsoft Windows (DSE), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows (DSE)
Technique: Pre-OS Boot
MITRE ATT&CK: T1542
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-08-24
Config / version noted: Not stated

Provenance

Reported as

patches Windows Driver Signature Enforcement (DSE) at boot to allow loading unsigned drivers

Mechanism

A UEFI bootkit that executes before Windows boot, manipulating the g_CiOptions variable to disable Driver Signature Enforcement (DSE). This allows loading of unsigned drivers, defeating a core OS integrity protection. The bootkit is written in pure assembly and is only 976 bytes.

Detection & mitigation

Monitor UEFI firmware integrity using hardware root of trust (e.g., TPM measurements, Secure Boot logs) and compare boot chain hashes against known-good values. Enable Secure Boot with custom policies to block unauthorized pre-boot code, and deploy firmware integrity monitoring tools to detect unauthorized modifications to UEFI variables or bootloaders.
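
The baseline comparison described above can be sketched as a replay of a measured-boot event log. This is an added example, not code from the cited source: the event descriptions and digests are constructed, and it assumes a SHA-256 PCR bank whose registers reset to all zeros.

```python
import hashlib

PCR_INIT = bytes(32)  # assumption: SHA-256 bank, PCR reset value of all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Recompute final PCR values from (pcr_index, description, digest) events."""
    pcrs = {}
    for index, _desc, digest in events:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs


def compare_boot(baseline, observed):
    """Return (PCR indexes whose final value differs, first unexpected event)."""
    good, seen = replay(baseline), replay(observed)
    drifted = sorted(i for i in set(good) | set(seen) if good.get(i) != seen.get(i))
    first = None
    for pos, event in enumerate(observed):
        if pos >= len(baseline) or event[0] != baseline[pos][0] or event[2] != baseline[pos][2]:
            first = (pos, event[0], event[1])
            break
    return drifted, first


def measure(blob: bytes) -> bytes:
    """Digest of a boot component, as the firmware would record it."""
    return hashlib.sha256(blob).digest()


# Constructed sample logs: names and contents are illustrative, not real measurements.
BASELINE = [
    (0, "firmware volume", measure(b"fw-1.2.3")),
    (7, "Secure Boot policy", measure(b"secureboot=on;db=vendor")),
    (4, "boot manager", measure(b"bootmgfw.efi build A")),
    (4, "OS loader", measure(b"winload.efi build A")),
]
# Same platform with an extra pre-OS image measured before the boot manager.
OBSERVED = BASELINE[:2] + [(4, "unknown EFI application", measure(b"extra.efi"))] + BASELINE[2:]

if __name__ == "__main__":
    drifted, first = compare_boot(BASELINE, OBSERVED)
    print("PCRs that differ from baseline:", drifted)
    print("first unexpected event:", first)
```

The replayed values only mean something when checked against PCR values the TPM itself reports, since the event log alone is unauthenticated data.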

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.