Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting)
Adversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542 | Pre-OS Boot | |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1542 | Pre-OS Boot | Comments: VPC security groups and network access control lists (NACLs) can provide partial protection coverage of Pre-OS Boot mechanisms that utilize TFTP boot, resulting in an overall score of Minimal. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1542 | Pre-OS Boot | Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Minimal because AWS Network Firewall only supports a subset of sub-techniques, and it does not do anything to protect against TFTP booting among hosts within the network and behind the firewall. |
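The two AWS mappings above are scored Minimal because edge controls only see TFTP flows that cross a security group, NACL, or firewall boundary; TFTP boot traffic between hosts inside the same network is still accepted. The following Python script, added here as an illustration and not part of the MITRE mapping or of any AWS tooling, runs detection logic over constructed VPC Flow Log records (default version 2 format) and separates accepted intra-VPC TFTP flows from accepted external ones and rejected ones. The VPC CIDR (10.0.0.0/16), the account ID, the interface ID, and all addresses in the sample are assumptions; only the flow-log field layout and the UDP/69 convention for TFTP are facts.

```python
"""Flag TFTP (UDP/69) flows in AWS VPC Flow Log records.

Default VPC Flow Log (version 2) field order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TFTP_PORT = 69   # well-known TFTP server port
PROTO_UDP = 17   # IANA protocol number for UDP

# Assumed VPC address range for the constructed sample; set this to the real VPC CIDR.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Constructed sample records (not real traffic); account ID and ENI are placeholders.
# Line 1: TFTP request between two hosts inside the VPC, accepted (the gap the score reflects).
# Line 2: TFTP request to an external address, rejected by a security group or NACL.
# Line 3: ordinary HTTPS flow, not TFTP.
# Line 4: NODATA record with "-" placeholders, must be skipped rather than crash the parser.
# Line 5: TFTP request from an external address into the VPC, accepted.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc123 10.0.1.25 10.0.2.40 49152 69 17 4 512 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.25 203.0.113.9 49153 69 17 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123 10.0.1.25 10.0.2.40 49154 443 6 10 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0abc123 198.51.100.7 10.0.1.25 49155 69 17 3 400 1700000000 1700000060 ACCEPT OK
"""


@dataclass(frozen=True)
class TftpFinding:
    interface: str
    src: str
    dst: str
    action: str
    internal: bool  # True when both endpoints fall inside VPC_CIDR


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one version-2 flow-log line; return None for malformed or NODATA/SKIPDATA rows."""
    fields = line.split()
    if len(fields) != 14 or fields[0] != "2":
        return None
    try:
        return {
            "interface": fields[2],
            "src": fields[3],
            "dst": fields[4],
            "srcport": int(fields[5]),
            "dstport": int(fields[6]),
            "protocol": int(fields[7]),
            "action": fields[12],
        }
    except ValueError:  # "-" placeholders in NODATA/SKIPDATA records
        return None


def is_tftp_request(rec: Dict[str, object]) -> bool:
    """A flow toward UDP/69 is treated as a TFTP request (responses use ephemeral ports)."""
    return rec["protocol"] == PROTO_UDP and rec["dstport"] == TFTP_PORT


def find_tftp_flows(log_text: str) -> List[TftpFinding]:
    """Return every TFTP request flow in the log, tagged with whether it stayed inside the VPC."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_tftp_request(rec):
            continue
        internal = all(
            ipaddress.ip_address(addr) in VPC_CIDR for addr in (rec["src"], rec["dst"])
        )
        findings.append(
            TftpFinding(rec["interface"], rec["src"], rec["dst"], rec["action"], internal)
        )
    return findings


def summarize(findings: List[TftpFinding]) -> Dict[str, int]:
    """Count accepted intra-VPC, accepted external, and rejected TFTP flows."""
    return {
        "accepted_internal": sum(1 for f in findings if f.action == "ACCEPT" and f.internal),
        "accepted_external": sum(1 for f in findings if f.action == "ACCEPT" and not f.internal),
        "rejected": sum(1 for f in findings if f.action != "ACCEPT"),
    }


if __name__ == "__main__":
    found = find_tftp_flows(SAMPLE_FLOW_LOG)
    for f in found:
        scope = "intra-VPC" if f.internal else "crosses VPC boundary"
        print(f"{f.interface}: {f.src} -> {f.dst} udp/{TFTP_PORT} {f.action} ({scope})")
    print(summarize(found))
```

The `accepted_internal` count is the traffic neither the VPC controls nor AWS Network Firewall addresses; routing flow logs through a check like this is one way to see TFTP boot activity inside the network that the Minimal-scored controls do not stop.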
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1542.001 | System Firmware | 1 |
T1542.003 | Bootkit | 1 |
T1542.005 | TFTP Boot | 3 |
T1542.002 | Component Firmware | 1 |
T1542.004 | ROMMONkit | 1 |