T1542.001 System Firmware
Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. 1 2 3
System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
| Item | Value |
|---|---|
| ID | T1542.001 |
| Sub-techniques | T1542.001, T1542.002, T1542.003, T1542.004, T1542.005 |
| Tactics | TA0003, TA0005 |
| CAPEC ID | CAPEC-532 |
| Platforms | Windows |
| Permissions required | Administrator, SYSTEM |
| Version | 1.0 |
| Created | 19 December 2019 |
| Last Modified | 19 May 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0047 | Hacking Team UEFI Rootkit | Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.13 |
| S0397 | LoJax | LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.10 |
| S0001 | Trojan.Mebromi | Trojan.Mebromi performs BIOS modification and can download and execute a file as well as protect itself from removal.12 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1046 | Boot Integrity | Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. 9 Move system’s root of trust to hardware to prevent tampering with the SPI flash memory.10 Technologies such as Intel Boot Guard can assist with this. 11 |
| M1026 | Privileged Account Management | Prevent adversary access to privileged accounts or access necessary to perform this technique. |
| M1051 | Update Software | Patch the BIOS and EFI as necessary. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0001 | Firmware | Firmware Modification |
References
-
Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017. ↩
-
UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016. ↩
-
Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016. ↩
-
Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. ↩
-
Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. ↩
-
Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. ↩
-
Intel Security. (2005, July 16). HackingTeam’s UEFI Rootkit Details. Retrieved March 20, 2017. ↩
-
Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016. ↩
-
ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019. ↩↩
-
Intel. (2013). Intel Hardware-based Security Technologies for Intelligent Retail Devices. Retrieved May 19, 2020. ↩
-
Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014. ↩
-
Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015. ↩