Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting)
Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.AA-05.02 | Privileged system access | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement protects against Pre-OS Boot through the use of privileged account management and the use of multi-factor authentication. |
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement protects against Pre-OS Boot through verifying the integrity of software/firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures. |
DE.CM-09.02 | Hardware integrity checking | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement provides protection from Pre-OS Boot through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms that verify the operating system, software, firmware, and information integrity before loading them prevent abuse by a threat actor. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching the BIOS and EFI as necessary helps prevent adversaries from abusing Pre-OS Boot mechanisms. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement provides protection from Pre-OS Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software/firmware and its configurations. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine whether it is vulnerable to modification, and updating firmware, can mitigate the risk of exploitation and/or abuse. |
PR.IR-01.02 | Network device configurations | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit access can mitigate adversary abuse of Pre-OS Boot mechanisms. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement protects against Pre-OS Boot through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation. |
PR.IR-01.05 | Remote access protection | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.PS-01.08 | End-user device protection | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement protects against Pre-OS Boot through limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542 | Pre-OS Boot |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1542 | Pre-OS Boot | This control provides recommendations for enabling Secure Boot on Linux VMs, which can mitigate a few of the sub-techniques of this technique. Because this is only a recommendation and is limited to a few sub-techniques of this technique, its assessed score is Partial. |
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1542 | Pre-OS Boot | Provides partial protection coverage for only one sub-technique (booting from remote devices, e.g., TFTP boot), resulting in an overall score of Minimal. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1542 | Pre-OS Boot | This control can identify anomalous traffic related to one of this technique's sub-techniques (TFTP boot). |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1542 | Pre-OS Boot | Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Minimal because Cloud NGFW only supports a subset of sub-techniques (1 of 5) and does nothing to protect against TFTP booting among hosts within the network and behind the firewall. |
security_command_center | Security Command Center | technique_scores | T1542 | Pre-OS Boot | SCC is able to detect when Secure Boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems. This technique was graded as Significant due to the high detection coverage and near-real-time temporal factor. |
shielded_vm | Shielded VM | technique_scores | T1542 | Pre-OS Boot | This control is able to mitigate malicious modification of any portion of the pre-OS boot process through a combination of Secure Boot to verify signatures of firmware, Measured Boot to establish a known-good boot baseline, and Integrity Monitoring to compare the measurements of subsequent boots against the previously established baseline. |
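As an added illustration of the Measured Boot and Integrity Monitoring idea described in the Shielded VM note (example code written here, not Google's implementation): each boot stage is hashed and extended into a TPM-style PCR, the baseline PCR is recorded once, and later boots are replayed against it to find the earliest stage whose measurement changed. The stage names and component bytes are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # TPM 2.0 SHA-256 PCRs start at all-zero bytes
STAGES = ["firmware", "bootloader", "kernel"]  # modeled boot order

EventLog = List[Tuple[str, bytes]]  # ordered (stage, digest) entries


def measure(component: bytes) -> bytes:
    """Digest of one boot component, as firmware/bootloader would report it."""
    return HASH(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). One-way and order-dependent,
    so a reordered or altered stage cannot be hidden by later stages."""
    return HASH(pcr + digest).digest()


def replay(event_log: EventLog) -> bytes:
    """Recompute the final PCR value from an ordered event log."""
    pcr = PCR_INIT
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def build_log(components: Dict[str, bytes]) -> EventLog:
    """Measure each modeled stage in boot order into an event log."""
    return [(stage, measure(components[stage])) for stage in STAGES]


def check_boot(baseline_log: EventLog, observed_log: EventLog) -> Tuple[bool, Optional[str]]:
    """Integrity-monitoring check. Returns (ok, first_divergent_stage).
    The replayed PCR is compared first (what a TPM quote would attest);
    the log is then walked to name the earliest stage that differs."""
    if replay(observed_log) == replay(baseline_log):
        return True, None
    for (b_stage, b_digest), (o_stage, o_digest) in zip(baseline_log, observed_log):
        if b_stage != o_stage or b_digest != o_digest:
            return False, o_stage
    if len(observed_log) > len(baseline_log):  # an extra, unexpected stage
        return False, observed_log[len(baseline_log)][0]
    return False, "<missing stage>"  # observed log stopped early


# Constructed sample components: a known-good boot and one with a modified bootloader.
GOOD = {"firmware": b"fw-1.2 (constructed)", "bootloader": b"shim+grub (constructed)",
        "kernel": b"vmlinuz-6.1 (constructed)"}
TAMPERED = dict(GOOD, bootloader=b"shim+grub (constructed, modified)")
BASELINE = build_log(GOOD)  # recorded once, at the first trusted boot
```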
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1542 | Pre-OS Boot | VPC security groups and network access control lists (NACLs) can provide partial protection coverage of Pre-OS Boot mechanisms that utilize TFTP boot, resulting in an overall score of Minimal. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1542 | Pre-OS Boot | AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Minimal because AWS Network Firewall only supports a subset of sub-techniques, and it does nothing to protect against TFTP booting among hosts within the network and behind the firewall. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1542.001 | System Firmware | 28 |
T1542.003 | Bootkit | 26 |
T1542.005 | TFTP Boot | 40 |
T1542.002 | Component Firmware | 6 |
T1542.004 | ROMMONkit | 25 |