T1542.002 Component Firmware
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
| Item | Value |
|---|---|
| ID | T1542.002 |
| Sub-techniques | T1542.001, T1542.002, T1542.003, T1542.004, T1542.005 |
| Tactics | TA0003, TA0005 |
| Platforms | Linux, Windows, macOS |
| Permissions required | SYSTEM |
| Version | 1.1 |
| Created | 19 December 2019 |
| Last Modified | 01 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0687 | Cyclops Blink | Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.4 |
| G0020 | Equation | Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1051 | Update Software | Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0027 | Driver | Driver Metadata |
| DS0001 | Firmware | Firmware Modification |
| DS0009 | Process | OS API Execution |
References
-
SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Retrieved October 2, 2018. ↩
-
smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018. ↩
-
Pinola, M. (2014, December 14). 3 tools to check your hard drive’s health and make sure it’s not already dying on you. Retrieved October 2, 2018. ↩
-
NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. ↩
-
Kaspersky Lab’s Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015. ↩