Peacock: UEFI Firmware Runtime Observability Layer for Detection and Response

TL;DR

Peacock is a modular framework that enhances security by providing real-time, cryptographically protected monitoring and remote verification of UEFI firmware activities to detect sophisticated bootkits.

Contribution

It introduces a novel, integrity-assured monitoring system for UEFI firmware, enabling real-time detection and verification of firmware threats beyond traditional protections.

Findings

Successfully detects real-world UEFI bootkits like Glupteba and BlackLotus.

Provides cryptographically protected activity logs for firmware monitoring.

Enables enterprise-level threat detection through remote verification.

Abstract

Modern computing platforms rely on the Unified Extensible Firmware Interface (UEFI) to initialize hardware and coordinate the transition to the operating system. Because this execution environment operates with high privileges and persists across reboots, it has increasingly become a target for advanced threats, including bootkits documented in real systems. Existing protections, including Secure Boot and static signature verification, are insufficient against adversaries who exploit runtime behavior or manipulate firmware components after signature checks have completed. In contrast to operating system (OS) environments, where mature tools provide dynamic inspection and incident response, the pre-OS stage lacks practical mechanisms for real-time visibility and threat detection. We present Peacock, a modular framework that introduces integrity-assured monitoring and remote verification for the UEFI boot process. Peacock consists of three components: (i) a UEFI-based agent that records Boot and Runtime Service activity with cryptographic protection against tampering; (ii) a cross-platform OS Agent that extracts the recorded measurements and produces a verifiable attestation bundle using hardware-backed guarantees from the platform's trusted module; and (iii) a Peacock Server that verifies attestation results and exports structured telemetry for enterprise detection. Our evaluation shows that Peacock reliably detects multiple real-world UEFI bootkits, including Glupteba, BlackLotus, LoJax, and MosaicRegressor. Taken together, these results indicate that Peacock provides practical visibility and verification capabilities within the firmware layer, addressing threats that bypass traditional OS-level security mechanisms.