1. Home
  2. ATT&CK Techniques
  3. T1495 Firmware Corruption

T1495 Firmware Corruption Mappings

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in Data Destruction.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Destroy data Destroy or corrupt stored data related-to T1495 Firmware Corruption
attribute.availability.variety.Destruction Destruction related-to T1495 Firmware Corruption
attribute.availability.variety.Interruption Interruption related-to T1495 Firmware Corruption
attribute.availability.variety.Loss Loss related-to T1495 Firmware Corruption

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1495 Firmware Corruption
Comments
Google Security Ops is able to trigger an alert based off suspicious logs that could indicate tampering with the component's firmware (e.g., detects driver load from a temporary directory). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_driver_load_from_temp.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']