M1046 Boot Integrity
Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
Item | Value |
---|---|
ID | M1046 |
Version | 1.0 |
Created | 11 June 2019 |
Last Modified | 19 May 2020 |
Techniques Addressed by Mitigation
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1495 | Firmware Corruption | Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. |
enterprise | T1601 | Modify System Image | Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. [1] |
enterprise | T1601.001 | Patch System Image | Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. [1] |
enterprise | T1601.002 | Downgrade System Image | Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. [1] |
enterprise | T1542 | Pre-OS Boot | Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. [2] [3] |
enterprise | T1542.001 | System Firmware | Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. [2] Move the system's root of trust to hardware to prevent tampering with the SPI flash memory. [4] Technologies such as Intel Boot Guard can assist with this. [5] |
enterprise | T1542.003 | Bootkit | Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. [2] [3] |
enterprise | T1542.004 | ROMMONkit | Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot, preventing the loading of unauthorized software. [1] |
enterprise | T1542.005 | TFTP Boot | Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot, preventing the loading of unauthorized software. [1] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.006 | Code Signing Policy Modification | Use of Secure Boot may prevent some implementations of modification to code signing policies. [6] |
enterprise | T1195 | Supply Chain Compromise | - |
enterprise | T1195.003 | Compromise Hardware Supply Chain | Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. [2] [3] |
References
1. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020.
2. Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.
3. Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.
4. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
5. Intel. (2013). Intel Hardware-based Security Technologies for Intelligent Retail Devices. Retrieved May 19, 2020.
6. Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.