T1542 Pre-OS Boot
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.2
Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.
| Item | Value |
|---|---|
| ID | T1542 |
| Sub-techniques | T1542.001, T1542.002, T1542.003, T1542.004, T1542.005 |
| Tactics | TA0005, TA0003 |
| Platforms | Linux, Network, Windows, macOS |
| Version | 1.1 |
| Created | 13 November 2019 |
| Last Modified | 19 April 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1046 | Boot Integrity | Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. 3 4 |
| M1026 | Privileged Account Management | Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions |
| M1051 | Update Software | Patch the BIOS and EFI as necessary. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0016 | Drive | Drive Modification |
| DS0027 | Driver | Driver Metadata |
| DS0001 | Firmware | Firmware Modification |
| DS0029 | Network Traffic | Network Connection Creation |
| DS0009 | Process | OS API Execution |
References
-
Pinola, M. (2014, December 14). 3 tools to check your hard drive’s health and make sure it’s not already dying on you. Retrieved October 2, 2018. ↩
-
Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016. ↩
-
Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020. ↩