DET0790 Detection of Module Firmware

Technique Detected: T0839 (Module Firmware)

Analytics

ICS

AN1922

Monitor for firmware changes which may be observable via operational alarms from devices. Monitor device application logs for firmware changes, although not all devices will produce such logs. Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes. Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)

Log Sources

Mutable Elements