Peacock: UEFI Firmware Runtime Observability Layer for Detection and Response
Hadar Cochavi Gorelik, Orel Fadlon, Denis Klimov, Oleg Brodt, Asaf Shabtai, Yuval Elovici
TL;DR
Peacock addresses the critical gap in firmware security by providing integrity-assured visibility and attestation for the UEFI pre-OS environment. It introduces a three-component architecture (UEFI Agent, OS Agent, and Analysis Server) that records Boot and Runtime Service activity, ties telemetry to hardware-backed TPM measurements, and remotely verifies and forwards structured telemetry to SIEM systems. The framework demonstrates detection of real-world bootkits (e.g., Glupteba, BlackLotus, LoJax, MosaicRegressor) through end-to-end instrumentation, attestation, and rule-based analysis, while evaluating performance and deployment considerations. Together, Peacock enables practical, scalable monitoring and detection of firmware-level threats that bypass OS-level defenses, with implications for enterprise security and forensics.
Abstract
Modern computing platforms rely on the Unified Extensible Firmware Interface (UEFI) to initialize hardware and coordinate the transition to the operating system. Because this execution environment operates with high privileges and persists across reboots, it has increasingly become a target for advanced threats, including bootkits documented in real systems. Existing protections, including Secure Boot and static signature verification, are insufficient against adversaries who exploit runtime behavior or manipulate firmware components after signature checks have completed. In contrast to operating system (OS) environments, where mature tools provide dynamic inspection and incident response, the pre-OS stage lacks practical mechanisms for real-time visibility and threat detection. We present Peacock, a modular framework that introduces integrity-assured monitoring and remote verification for the UEFI boot process. Peacock consists of three components: (i) a UEFI-based agent that records Boot and Runtime Service activity with cryptographic protection against tampering; (ii) a cross-platform OS Agent that extracts the recorded measurements and produces a verifiable attestation bundle using hardware-backed guarantees from the platform's trusted module; and (iii) a Peacock Server that verifies attestation results and exports structured telemetry for enterprise detection. Our evaluation shows that Peacock reliably detects multiple real-world UEFI bootkits, including Glupteba, BlackLotus, LoJax, and MosaicRegressor. Taken together, these results indicate that Peacock provides practical visibility and verification capabilities within the firmware layer, addressing threats that bypass traditional OS-level security mechanisms.
