Description
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive so that malicious code executes before the operating system has loaded. Because bootkits reside at a layer below the operating system, OS-level tooling may not see them, and full remediation is difficult unless the organization suspects a bootkit was used and can act accordingly (for example by inspecting or rewriting the boot sectors from outside the compromised OS).
In BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).(Citation: Mandiant M Trends 2016) The MBR is the first sector of the disk, loaded by the BIOS once hardware initialization completes; it holds the first-stage boot loader and the partition table. An adversary with raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.(Citation: Lau 2011)
The MBR passes control of the boot process to the VBR of the active partition. As with the MBR, an adversary with raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
In UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on the system's storage that holds the UEFI boot loaders and other boot-time utilities the firmware uses to start the OS. An adversary can use newly created or patched files in the ESP to run malicious code before or during kernel load.(Citation: Microsoft Security)(Citation: welivesecurity)
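The MBR layout described above is small and fixed, which is what makes baseline integrity checking practical. The following Python is an added example (not part of the ATT&CK page or any vendor's tooling): it parses a 512-byte MBR into its bootstrap code, disk signature and partition table, stores SHA-256 hashes of those regions as a baseline, and reports which regions changed. The two sample sectors are constructed for illustration, and the raw device path in `read_first_sector` is an assumption that depends on the host.

```python
"""Parse a legacy MBR and compare it against a known-good baseline.

Added example for the Bootkit (T1542.003) description; not from the original page.
Sample sectors below are constructed, not captured from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code occupies bytes 0..439
DISK_SIG_OFFSET = 440          # 4-byte disk signature, then 2 reserved bytes
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries (64 bytes)
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511; BIOS will not boot without it


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends in the 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR into bootstrap code, disk signature and partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": bool(status & 0x80), "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partition_table": sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64],
        "partitions": partitions,
    }


def snapshot(sector: bytes) -> dict:
    """Hashes of the regions worth baselining; store these, not the raw sector."""
    parts = parse_mbr(sector)
    return {
        "boot_code": hashlib.sha256(parts["boot_code"]).hexdigest(),
        "partition_table": hashlib.sha256(parts["partition_table"]).hexdigest(),
        "disk_signature": parts["disk_signature"],
    }


def compare_to_baseline(sector: bytes, baseline: dict) -> dict:
    """Per-region 'changed' flags. A rewritten bootstrap region with an intact
    partition table is the classic bootkit pattern: the OS still boots, but
    through adversary code first."""
    current = snapshot(sector)
    return {key: current[key] != baseline[key] for key in baseline}


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device. The path is an assumption: e.g.
    r'\\\\.\\PhysicalDrive0' on Windows (administrator) or '/dev/sda' on Linux (root)."""
    with open(device_path, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def _build_mbr(boot_code: bytes, disk_sig: int, entries: list) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not from a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed known-good sector: a real-mode stub (cli; xor ax,ax; mov ss,ax;
# mov sp,0x7c00; sti; nops) and one bootable NTFS-type partition at LBA 2048.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 20
KNOWN_GOOD_MBR = _build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, [(0x80, 0x07, 2048, 204800)])

# Constructed "infected" sector: bootstrap code replaced, everything else untouched.
HIJACKED_BOOT_CODE = b"\xeb\x3c\x90" + b"CONSTRUCTED-BOOTKIT-STUB"
INFECTED_MBR = _build_mbr(HIJACKED_BOOT_CODE, 0x1234ABCD, [(0x80, 0x07, 2048, 204800)])


if __name__ == "__main__":
    baseline = snapshot(KNOWN_GOOD_MBR)
    print("partitions:", parse_mbr(KNOWN_GOOD_MBR)["partitions"])
    print("clean vs baseline:   ", compare_to_baseline(KNOWN_GOOD_MBR, baseline))
    print("infected vs baseline:", compare_to_baseline(INFECTED_MBR, baseline))
```

In practice the baseline is taken from a trusted image at provisioning time and the comparison runs from outside the possibly compromised OS (a boot CD, a hypervisor, or a management controller), since a running bootkit can filter what the OS reads from the disk. The same per-region approach extends to the VBR of the active partition; for UEFI systems the analogue is hashing the files in the ESP and checking the TPM measured-boot PCR values rather than parsing a fixed sector.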
Mitigations (2)
Boot Integrity (M1046)
Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised.(Citation: TCG Trusted Platform Module)(Citation: TechNet Secure Boot Process)
Privileged Account Management (M1026)
Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence ... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the ... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has deployed a bootkit along with [Downdelph](https://attack.mitre.org/software/S0134) to ensure its pe... |
Associated Software (6)
| ID | Name | Type | Context |
|---|---|---|---|
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) has installed a bootkit on the system to maintain persistence.(Citation: ESET Carberp March 2012) |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) overwrites the MBR with a bootloader component that performs destructive wiping operations on h... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) can implant malicious code into a compromised device's firmware.(Citation: Eclypsium Trickboot Dec... |
| S0112 | ROCKBOOT | Malware | [ROCKBOOT](https://attack.mitre.org/software/S0112) is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence.(Citation: FireEy... |
| S0114 | BOOTRASH | Malware | [BOOTRASH](https://attack.mitre.org/software/S0114) is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.(Citation: Mandian... |
| S0182 | FinFisher | Malware | Some [FinFisher](https://attack.mitre.org/software/S0182) variants incorporate an MBR rootkit.(Citation: FinFisher Citation)(Citation: Microsoft FinFi... |
References
- Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.
- Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024.
- Smolár, M. (2023, March 1). BlackLotus UEFI bootkit: Myth confirmed. WeLiveSecurity (ESET). Retrieved February 11, 2025.
- Microsoft Incident Response. (2023, April 11). Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved February 12, 2025.
Frequently Asked Questions
What is T1542.003 (Bootkit)?
T1542.003 is a MITRE ATT&CK sub-technique named 'Bootkit' under Pre-OS Boot (T1542). It belongs to the Persistence and Defense Evasion tactics. Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded.
How can T1542.003 be detected?
Detection of T1542.003 (Bootkit) centers on drive modification rather than on ordinary process or network telemetry. Take snapshots of the MBR and VBR (and, on UEFI systems, of the files in the EFI system partition) from a known-good state and periodically compare them against the live values, reporting any change for analysis. Monitor for processes that open the physical drive for raw write access, since that is the access an adversary needs to overwrite boot sectors. Where the platform supports it, use Secure Boot and TPM-backed measured boot so that a modified boot chain fails verification or produces attestation values that no longer match the baseline. Because a resident bootkit can hide its changes from the running OS, comparisons are most trustworthy when performed from outside that OS.
What mitigations exist for T1542.003?
There are 2 documented mitigations for T1542.003. Key mitigations include: Boot Integrity, Privileged Account Management.
Which threat groups use T1542.003?
Known threat groups using T1542.003 include: APT41, Lazarus Group, APT28.