Skip to content

T1542.002 Component Firmware

Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.

Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

Item Value
ID T1542.002
Sub-techniques T1542.001, T1542.002, T1542.003, T1542.004, T1542.005
Tactics TA0003, TA0005
Platforms Linux, Windows, macOS
Permissions required SYSTEM
Version 1.1
Created 19 December 2019
Last Modified 01 April 2022

Procedure Examples

ID Name Description
S0687 Cyclops Blink Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.4
G0020 Equation Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.5


ID Mitigation Description
M1051 Update Software Perform regular firmware updates to mitigate risks of exploitation and/or abuse.


ID Data Source Data Component
DS0027 Driver Driver Metadata
DS0001 Firmware Firmware Modification
DS0009 Process OS API Execution