Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
Supply chain compromise can take place at any stage of the supply chain including:
While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set, or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open-source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-ptt | Intel Platform Trust Technology | Win 11, Secure Boot | T1195 | Supply Chain Compromise | See the intel-ptt comments below |
intel-txt | Intel Trusted Execution Technology | Win 11, System Guard | T1195 | Supply Chain Compromise | See the intel-txt comments below |

Comments (intel-ptt)

Windows Secure Boot leverages Intel PTT (TPM) to safeguard settings stored in UEFI, while Intel Boot Guard prevents unauthorized modifications to UEFI firmware. Secure Boot verifies the signatures of the UEFI firmware, bootloader, and boot drivers before loading the operating system.

When the PC starts, the firmware checks the signature of each piece of boot software, including Unified Extensible Firmware Interface (UEFI) firmware drivers (also known as Option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system. If the signatures are valid, the PC boots and the firmware hands control to the operating system. Rollback protection also prevents the system from being rolled back to older firmware versions.

Secure Boot employs Intel PTT (TPM) to thwart attacks that attempt to alter the signature policy at boot time in real time, or to modify components involved in the boot process before it begins. Intel Boot Guard ensures the integrity of the boot-level code before it executes on the processor, preventing the system from proceeding with malicious boot code.

Secure Boot is able to address pre-OS threats that change the signature of a loaded boot component.

Comments (intel-txt)

System Guard Secure Launch uses a technology called Dynamic Root of Trust for Measurement (DRTM). It leverages Intel PTT (TPM) and TXT to provide secure methods to boot a system and verify the integrity of the operating system and its loading mechanisms. System Guard Secure Launch allows the system to boot freely into untrusted code initially, but shortly afterwards launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early code to boot the system while still being able to transition securely into a trusted and measured state. The ability to transition in real time to a secure state justified the score of significant for this feature and its corresponding protection (e.g., against bootkits, rootkits, and firmware corruption).
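The following is an added example, not part of the Mappings Explorer page or of Intel's or Microsoft's tooling: a read-only posture check that confirms the two mapped protections (Secure Boot backed by Intel PTT, and System Guard Secure Launch) are actually active on a Windows 11 host. It assumes an elevated PowerShell session on a UEFI system, and that value 3 in `Win32_DeviceGuard.SecurityServicesRunning` denotes System Guard Secure Launch, as documented for that WMI class.

```powershell
# Added example: verify the Secure Boot / PTT / Secure Launch posture described above.
# Assumes an elevated session on a UEFI-based Windows 11 host.

function Get-BootIntegrityPosture {
    $result = [ordered]@{}

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # so a thrown error is treated as "not enabled".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # TPM used by Secure Boot and Secure Launch. Intel PTT is a firmware TPM and
    # reports manufacturer ID text "INTC" rather than a discrete vendor.
    $tpm = Get-Tpm
    $result.TpmReady      = [bool]$tpm.TpmReady
    $result.TpmIsIntelPtt = ($tpm.ManufacturerIdTxt -eq 'INTC')

    # TPM specification version from the WMI provider (Secure Launch needs TPM 2.0).
    $tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    $result.TpmSpec = $tpmWmi.SpecVersion

    # System Guard Secure Launch (DRTM) status from the Device Guard WMI class:
    # 3 in SecurityServicesRunning = Secure Launch running (assumed per class docs);
    # 2 in AvailableSecurityProperties = Secure Boot as observed by VBS.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $result.SecureLaunchRunning = (3 -in $dg.SecurityServicesRunning)
    $result.SecureBootSeenByVbs = (2 -in $dg.AvailableSecurityProperties)

    [pscustomobject]$result
}

$posture = Get-BootIntegrityPosture
$posture | Format-List

# Report gaps against the Win 11 Secure Boot + System Guard baseline the mapping assumes.
$gaps = @()
if (-not $posture.SecureBoot)          { $gaps += 'Secure Boot is disabled' }
if (-not $posture.TpmReady)            { $gaps += 'TPM is not ready' }
if (-not $posture.SecureLaunchRunning) { $gaps += 'System Guard Secure Launch is not running' }
if ($gaps) { Write-Warning ('Baseline gaps: ' + ($gaps -join '; ')) }
else       { 'Boot integrity baseline met' }
```

A host that reports Secure Boot enabled but Secure Launch not running still has the signature chain from the first comment block, but not the measured DRTM transition described for intel-txt; that is the distinction the two mapping rows draw.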
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1195.003 | Compromise Hardware Supply Chain | 2 |
T1195.002 | Compromise Software Supply Chain | 1 |