
Summary
This rule detects modifications to critical Windows EFI bootloader files located in the EFI\Boot directory, specifically bootmgfw.efi and bootx64.efi. It relies on Windows endpoint telemetry from Sysmon EventID 11 (File Create/Write) to correlate the target EFI file path with the invoking process (process_path, process_id, process_guid), the user, the creation time, and the file action. Writes to these bootloader files are highly atypical outside of OS installation or sanctioned maintenance and may indicate bootkit deployment, firmware-level persistence, or tampering with the pre-OS boot sequence. When a modification is observed, the rule generates a risk signal associated with the destination path and flags the involved file path for investigation, so analysts can assess whether the change occurred during an approved maintenance window or as part of a legitimate update. The detection relies on endpoint telemetry mapped to the Endpoint data model and uses CIM-normalized fields for consistent querying. It aligns with MITRE ATT&CK technique T1542.003 (Pre-OS Boot). The rule supports drill-down investigations by user and destination, and highlights legitimate maintenance or software updates as common false positives to review in the context of change windows and vendor tools.
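As an added illustration (not the rule's own search logic), the following Python applies the same matching and field correlation to constructed Sysmon EventID 11 records normalized to Endpoint.Filesystem-style field names; the sample events, the volume-GUID path form, and the optional allowlist of maintenance tooling are assumptions for this example.

```python
import re

# Case-insensitive match for the two bootloader files under an EFI\Boot directory,
# whatever drive letter or \\?\Volume{...} mount prefix precedes it.
EFI_BOOTLOADER = re.compile(r"(?i)(?:^|[\\/])EFI[\\/]Boot[\\/](?:bootmgfw|bootx64)\.efi$")

# Constructed sample of Sysmon EventID 11 records after CIM normalization (field
# names follow the rule summary; values are made up and are not real telemetry).
SAMPLE_EVENTS = [
    {"file_path": r"C:\Windows\Temp\install.log",
     "process_path": r"C:\Windows\System32\svchost.exe", "process_id": 1012,
     "process_guid": "{00000000-0000-0000-0000-000000000001}",
     "user": r"NT AUTHORITY\SYSTEM", "file_create_time": "2026-04-13T09:00:00Z",
     "action": "created"},
    {"file_path": r"S:\EFI\Boot\bootx64.efi",
     "process_path": r"C:\Users\alice\Downloads\setup.exe", "process_id": 4420,
     "process_guid": "{00000000-0000-0000-0000-000000000002}",
     "user": r"CORP\alice", "file_create_time": "2026-04-13T09:05:00Z",
     "action": "created"},
    {"file_path": r"\\?\Volume{a1b2c3d4-0000-0000-0000-000000000000}\EFI\Boot\BOOTMGFW.EFI",
     "process_path": r"C:\Windows\System32\bcdboot.exe", "process_id": 5100,
     "process_guid": "{00000000-0000-0000-0000-000000000003}",
     "user": r"NT AUTHORITY\SYSTEM", "file_create_time": "2026-04-13T09:06:00Z",
     "action": "created"},
]


def detect_efi_bootloader_writes(events, allowlisted_processes=()):
    r"""Return one risk signal per write to EFI\Boot\bootmgfw.efi or bootx64.efi.

    allowlisted_processes is an optional, analyst-maintained (assumed) set of process
    paths for sanctioned maintenance tooling. Matches from those processes are still
    returned, but marked so triage can check them against the change window.
    """
    allow = {p.lower() for p in allowlisted_processes}
    signals = []
    for ev in events:
        if not EFI_BOOTLOADER.search(ev.get("file_path", "")):
            continue
        signals.append({
            "risk_object": ev["file_path"],  # destination path that carries the risk
            "process_path": ev.get("process_path"),
            "process_id": ev.get("process_id"),
            "process_guid": ev.get("process_guid"),
            "user": ev.get("user"),
            "file_create_time": ev.get("file_create_time"),
            "action": ev.get("action"),
            "mitre_technique": "T1542.003",
            "review_as_maintenance": ev.get("process_path", "").lower() in allow,
        })
    return signals
```

Every match is surfaced; the allowlist only annotates, so a tampered maintenance tool cannot suppress the signal.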
Categories
- Endpoint
- Windows
Data Sources
- Scheduled Job
- Windows Registry
- Logon Session
- File
- Process
- Script
- Sensor Health
ATT&CK Techniques
- T1542.003
Created: 2026-04-13