Stealth Persistence

T1542: Pre-OS Boot

T1542 · Technique · 4 platforms

Description

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.

Platforms

Linux, macOS, Network Devices, Windows

Sub-Techniques (5)

Mitigations (5)

Limit Access to Resource Over Network (M1035)

Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include the use of network concentrators, RDP gateways, etc.

Audit (M1047)

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Update Software (M1051)

Patch the BIOS and EFI as necessary.

Privileged Account Management (M1026)

Ensure proper permissions are in place to help prevent adversary access to the privileged accounts necessary to perform these actions.

Boot Integrity (M1046)

Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)

Frequently Asked Questions

What is T1542 (Pre-OS Boot)?

T1542 is a MITRE ATT&CK technique named 'Pre-OS Boot'. It belongs to the Stealth, Persistence tactic(s). Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system.

How can T1542 be detected?

Detection of T1542 (Pre-OS Boot) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1542?

There are 5 documented mitigations for T1542. Key mitigations include: Limit Access to Resource Over Network, Audit, Update Software, Privileged Account Management, Boot Integrity.

Which threat groups use T1542?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.