Skip to content

T1542 Pre-OS Boot

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.2

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

Item Value
ID T1542
Sub-techniques T1542.001, T1542.002, T1542.003, T1542.004, T1542.005
Tactics TA0005, TA0003
Platforms Linux, Network, Windows, macOS
Version 1.1
Created 13 November 2019
Last Modified 19 April 2022


ID Mitigation Description
M1046 Boot Integrity Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. 3 4
M1026 Privileged Account Management Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions
M1051 Update Software Patch the BIOS and EFI as necessary.


ID Data Source Data Component
DS0017 Command Command Execution
DS0016 Drive Drive Modification
DS0027 Driver Driver Metadata
DS0001 Firmware Firmware Modification
DS0029 Network Traffic Network Connection Creation
DS0009 Process OS API Execution