Bypass Record

Pre-OS Boot × Microsoft Windows 10 22H2 (19045.2965)

A publicly-reported instance of Pre-OS Boot bypassing Microsoft Windows 10 22H2 (19045.2965), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows 10 22H2 (19045.2965)
Technique
Pre-OS Boot
MITRE ATT&CK
T1542
Confidence
High
Severity
High
Status
poc
Disclosed
2024-07-17
Config / version noted
Yes

Provenance

Reported as

bypass Secure Boot via Windows Bootloader DLL Sideloading

Mechanism

The Windows bootloader (winload.efi) loads mcupdate_.dll without signature verification when Driver Signature Enforcement is disabled. The PoC replaces this DLL with a malicious one that remaps itself over the bootloader, gaining execution before ExitBootServices(). This defeats Secure Boot by running unsigned code in the firmware context.

Detection & mitigation

Monitor for unexpected modifications to boot-critical files such as mcupdate_.dll in the EFI system partition or %SystemRoot%\System32. Enforce Secure Boot and Driver Signature Enforcement via Group Policy, and use integrity monitoring tools to alert on unauthorized changes to bootloader components.
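As an added defender-side example (not from the cited source or the PoC author), the following PowerShell checks the preconditions and artifacts this record names: Secure Boot state, the BCD flags that relax Driver Signature Enforcement, and the Authenticode status and SHA-256 baseline of winload.efi and the mcupdate DLLs. It assumes the vendor-specific file pattern mcupdate_*.dll and an ESP mounted at the placeholder drive letter S:.

```powershell
# Added example, not part of the original record. Run from an elevated PowerShell.
# Assumptions: mcupdate_*.dll is the vendor-suffixed form of the DLL the record calls
# mcupdate_.dll, and S: is a placeholder letter for the mounted EFI system partition.

$findings = @()

# 1. Secure Boot state. The PoC relies on unsigned code being tolerated at boot.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
} catch { $findings += 'Secure Boot state could not be read (legacy BIOS or insufficient rights)' }

# 2. Driver Signature Enforcement relaxations recorded in the BCD store.
$bcd = bcdedit /enum '{current}' 2>$null
foreach ($flag in 'testsigning', 'nointegritychecks') {
    if ($bcd -match "^\s*$flag\s+Yes") { $findings += "BCD flag '$flag' is set to Yes" }
}

# 3. Boot-critical files named in the record: OS-volume copies plus the ESP if mounted.
$paths = @("$env:SystemRoot\System32\winload.efi")
$paths += (Get-ChildItem "$env:SystemRoot\System32\mcupdate_*.dll" -ErrorAction SilentlyContinue).FullName
if (Test-Path 'S:\EFI\Microsoft\Boot') {   # e.g. after `mountvol S: /S` (assumed letter)
    $paths += (Get-ChildItem 'S:\EFI\Microsoft\Boot' -Recurse -Include 'bootmgfw.efi','mcupdate_*.dll').FullName
}
$paths = $paths | Where-Object { $_ -and (Test-Path $_) }

# 4. Authenticode check: anything not validly signed by Microsoft is a finding.
foreach ($p in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "Unexpected signature on $($p): $($sig.Status)"
    }
}

# 5. SHA-256 baseline for the integrity monitor; diff against a known-good capture.
Get-FileHash -Path $paths -Algorithm SHA256 | Select-Object Hash, Path | Format-Table -AutoSize

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Store the hash table from step 5 out of band and alert on any change; a replaced mcupdate DLL shows up both as a hash mismatch and as a non-Microsoft or invalid signature in step 4.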

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.