Description
Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI), are examples of system firmware that operate as the software interface between the operating system and the hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
System firmware like BIOS and (U)EFI underlies the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a form of persistence on a system that is difficult to detect.
Mitigations (3)
Boot Integrity (M1046)
Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module) Move the system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET LoJax Sept 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel Hardware-based Security T
Update Software (M1051)
Patch the BIOS and EFI as necessary.
Privileged Account Management (M1026)
Prevent adversary access to privileged accounts or access necessary to perform this technique.
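The Boot Integrity mitigation above asks defenders to check the integrity of the existing BIOS or EFI. The following added example (not MITRE's or any vendor's code) shows the baseline-and-compare step: it hashes fixed-size regions of a firmware dump and reports which regions differ from a known-good baseline. The region size, the sample image and the tampered copy are constructed for illustration; in practice the image would come from an SPI flash read by a vendor or platform tool.

```python
"""Baseline-and-compare integrity check for a dumped firmware image."""
import hashlib
from typing import Dict, List

REGION_SIZE = 4096  # hypothetical 4 KiB flash block granularity


def region_hashes(image: bytes, region_size: int = REGION_SIZE) -> Dict[int, str]:
    """Map region index -> SHA-256 hex digest of that region of the image."""
    return {
        i: hashlib.sha256(image[off:off + region_size]).hexdigest()
        for i, off in enumerate(range(0, len(image), region_size))
    }


def compare_to_baseline(baseline: Dict[int, str], current: Dict[int, str]) -> List[str]:
    """Return human-readable findings; an empty list means no change detected."""
    findings = []
    if set(baseline) != set(current):
        findings.append(f"region count changed: {len(baseline)} -> {len(current)}")
    for idx in sorted(set(baseline) & set(current)):
        if baseline[idx] != current[idx]:
            findings.append(f"region {idx} (offset 0x{idx * REGION_SIZE:x}) modified")
    return findings


# Constructed sample data: a 16 KiB "known good" image and a copy with one
# 4 KiB block rewritten, standing in for an unauthorized firmware update.
KNOWN_GOOD_IMAGE = bytes(range(256)) * 64  # 16384 bytes -> 4 regions
_tampered = bytearray(KNOWN_GOOD_IMAGE)
_tampered[2 * REGION_SIZE:3 * REGION_SIZE] = b"\xff" * REGION_SIZE
TAMPERED_IMAGE = bytes(_tampered)


def check_image(image: bytes) -> List[str]:
    """Compare an image against the constructed known-good baseline."""
    return compare_to_baseline(region_hashes(KNOWN_GOOD_IMAGE), region_hashes(image))


if __name__ == "__main__":
    for name, img in (("known-good", KNOWN_GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, "->", check_image(img) or ["no change"])
```

Because a region-level diff names the offset that changed, it also tells the analyst where to focus when pulling the modified block apart later.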
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0397 | LoJax | Malware | [LoJax](https://attack.mitre.org/software/S0397) is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.(Citation:... |
| S0001 | Trojan.Mebromi | Malware | [Trojan.Mebromi](https://attack.mitre.org/software/S0001) performs BIOS modification and can download and execute a file as well as protect itself fro... |
| S0047 | Hacking Team UEFI Rootkit | Malware | [Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote ac... |
References
- UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.
- Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017.
- Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.
Frequently Asked Questions
What is T1542.001 (System Firmware)?
T1542.001 is a MITRE ATT&CK technique named 'System Firmware'. It belongs to the Stealth, Persistence tactic(s). Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are exampl...
How can T1542.001 be detected?
Detection of T1542.001 (System Firmware) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1542.001?
There are 3 documented mitigations for T1542.001. Key mitigations include: Boot Integrity, Update Software, Privileged Account Management.
Which threat groups use T1542.001?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.