Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.
In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in Data Destruction.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement protects against Firmware Corruption through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement protects against Firmware Corruption through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protection from Firmware Corruption through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
References
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
References
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1495 | Firmware Corruption |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, patching the BIOS and other firmware can help prevent adversaries from overwriting or corrupting firmware.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protection from Firmware Corruption through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configurations.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1495 | Firmware Corruption | |
| attribute.availability.variety.Destruction | Destruction | related-to | T1495 | Firmware Corruption | |
| attribute.availability.variety.Interruption | Interruption | related-to | T1495 | Firmware Corruption | |
| attribute.availability.variety.Loss | Loss | related-to | T1495 | Firmware Corruption |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1495 | Firmware Corruption |
Comments
Google Security Ops is able to trigger an alert based off suspicious logs that could indicate tampering with the component's firmware (e.g., detects driver load from a temporary directory).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_driver_load_from_temp.yaral
References
|