T1542 Pre-OS Boot Mappings

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
shielded_vm Shielded VM technique_scores T1542 Pre-OS Boot
firewalls Firewalls technique_scores T1542 Pre-OS Boot
security_command_center Security Command Center technique_scores T1542 Pre-OS Boot

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1542.003 Bootkit 1