
Summary
This anomaly-detection rule flags potential attempts to mount the EFI System Partition (ESP) on Windows endpoints using mountvol.exe. The ESP holds boot components and can be abused to modify boot configuration (e.g., PKFail) or install boot-level footholds.

Detection relies on EDR telemetry that exposes process details: the presence of mountvol.exe (or MOUNTVOL.EXE) with command-line switches that interact with the ESP, specifically -S or /S. The search looks for Windows processes where the process name or original_file_name matches mountvol.exe and the command line contains the relevant ESP-mount switches. Data is ingested from Sysmon EventID 1, Windows Security event 4688, and CrowdStrike ProcessRollup2, mapped into the Endpoint Processes data model. The rule aggregates fields such as Processes.process, Processes.vendor_product, Processes.user_id, Processes.process_hash, and parent/child process relationships to provide context for investigation.

When a match is found, the rule triggers an alert with a risk-based annotation (RBA) indicating a potential EFI volume mount attempt by a specific user via a specific process to a destination host. The rule includes drilldown searches to inspect per-user/destination results and the last 7 days of related risk events. It also includes a note that legitimate maintenance tasks may mount the ESP and thus generate false positives, advising contextual review. References discuss known techniques around UEFI boot modification (PKFail) that motivate this detection. MITRE ATT&CK mappings are included (e.g., T1204.002, T1542, T1688). In production, ensure logs from the specified data sources are ingested and CIM-normalized for accurate correlation across endpoints.
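The matching logic described above, applied to a handful of constructed process-creation records, as an added example that is not part of the rule or its search. The event fields, host names and users are assumptions modelled on Sysmon EventID 1; the check covers both the image name and original_file_name (so a renamed mountvol binary still matches) and only fires on a standalone /S or -S token.

```python
from collections import Counter

# Constructed process-creation events modelled on Sysmon EventID 1 fields; these are
# sample records written for this example, not telemetry from any real host.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\mountvol.exe",
     "original_file_name": "MOUNTVOL.EXE", "command_line": "mountvol S: /S",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "user": "CORP\\bob", "image": r"C:\Windows\System32\mountvol.exe",
     "original_file_name": "MOUNTVOL.EXE", "command_line": "mountvol S: /D",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws03", "user": "CORP\\svc_build", "image": r"C:\Temp\mv.exe",
     "original_file_name": "MOUNTVOL.EXE", "command_line": "mv.exe z: -s",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws04", "user": "CORP\\carol", "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe", "command_line": 'cmd.exe /S /C "echo hi"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

ESP_SWITCHES = {"/S", "-S"}  # the two switch spellings the rule looks for


def is_mountvol(event):
    """True when the image file name or the PE original_file_name is mountvol.exe (case-insensitive)."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    original = event.get("original_file_name", "").lower()
    return "mountvol.exe" in (image_name, original)


def has_esp_switch(command_line):
    """True when a whole /S or -S token is present; '/SOMETHING' does not count."""
    return any(tok.upper() in ESP_SWITCHES for tok in command_line.split())


def detect(events):
    """Apply both conditions and return the matching events in input order."""
    return [e for e in events if is_mountvol(e) and has_esp_switch(e["command_line"])]


def risk_messages(hits):
    """Build the per-user/per-host annotation text attached to each match."""
    return [f"Potential EFI volume mount attempt by {e['user']} via {e['image']} "
            f"(parent {e['parent_image']}) on {e['host']}" for e in hits]


def hits_per_user(hits):
    """Count matches per user, the grouping used for drilldown triage."""
    return Counter(e["user"] for e in hits)


if __name__ == "__main__":
    for msg in risk_messages(detect(SAMPLE_EVENTS)):
        print(msg)
```

Only the cmd.exe-launched and renamed-binary events match; the /D dismount and the unrelated cmd.exe /S invocation do not. Known maintenance tooling can be excluded on parent_image or user before alerting to address the false positives the note mentions.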
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1204.002
- T1542
- T1688
Created: 2026-04-13