T1542.001 System Firmware

Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI), are examples of system firmware that operate as the software interface between the operating system and the hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)

System firmware like BIOS and (U)EFI underlies the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite system firmware, which may give sophisticated adversaries a way to install malicious firmware updates as a means of persistence that is difficult to detect.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.IR-01.05 | Remote access protection | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or (U)EFI firmware, determining whether it is vulnerable to modification, and updating it can reduce the risk of exploitation or abuse.
PR.AA-05.02 | Privileged system access | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement protects against system firmware modification through privileged account management and the use of multi-factor authentication.
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement protects against system firmware modification by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.
DE.CM-09.02 | Hardware integrity checking | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement protects against system firmware modification through integrity-checking mechanisms. For example, verifying the integrity of the operating system, software, firmware, and information before loading it prevents abuse by a threat actor.
DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement addresses measures for managing configuration integrity and detecting unauthorized changes, which mitigate adversary techniques that alter how hardware, software, and firmware operate.
PR.PS-02.01 | Patch identification and application | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching the BIOS and (U)EFI firmware as necessary helps prevent adversaries from modifying system firmware.
PR.PS-01.03 | Configuration deviation | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement protects against system firmware modification through security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configuration.
PR.IR-01.06 | Production environment segregation | Mitigates | T1542.001 | System Firmware
  Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CM-06 | Configuration Settings | mitigates | T1542.001 | System Firmware
CM-05 | Access Restrictions for Change | mitigates | T1542.001 | System Firmware
IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1542.001 | System Firmware
SA-10 | Developer Configuration Management | mitigates | T1542.001 | System Firmware
IA-07 | Cryptographic Module Authentication | mitigates | T1542.001 | System Firmware
RA-09 | Criticality Analysis | mitigates | T1542.001 | System Firmware
SC-34 | Non-modifiable Executable Programs | mitigates | T1542.001 | System Firmware
SI-02 | Flaw Remediation | mitigates | T1542.001 | System Firmware
CM-08 | System Component Inventory | mitigates | T1542.001 | System Firmware
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1542.001 | System Firmware
SA-11 | Developer Testing and Evaluation | mitigates | T1542.001 | System Firmware
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1542.001 | System Firmware
AC-02 | Account Management | mitigates | T1542.001 | System Firmware
AC-03 | Access Enforcement | mitigates | T1542.001 | System Firmware
AC-05 | Separation of Duties | mitigates | T1542.001 | System Firmware
AC-06 | Least Privilege | mitigates | T1542.001 | System Firmware
CM-03 | Configuration Change Control | mitigates | T1542.001 | System Firmware

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.001 | System Firmware

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1542.001 | System Firmware
  Comments: This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling Secure Boot on Linux VMs, which mitigates this sub-technique. Because the recommendation is specific to Linux VMs and is only a recommendation, its score is capped at Partial.
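The integrity-checking mappings above (DE.CM-09.01, DE.CM-09.02, PR.PS-01.03) and the Azure Secure Boot recommendation both come down to two host-level checks a practitioner can actually run: is Secure Boot really enforcing, and does the firmware image on the SPI flash still match a known-good baseline? The script below is an added example written for this page; it is not code from MITRE, CRI, NIST, or Microsoft. It parses the efivarfs layout (a 4-byte attribute header followed by the variable data) for the standard SecureBoot and SetupMode variables under the EFI_GLOBAL_VARIABLE GUID, and compares a firmware dump's SHA-256 against a baseline. The baseline labels and the sample variable and image bytes are constructed for illustration and do not describe any real platform.

```python
"""Secure Boot posture and firmware-image integrity checks (added example).

The efivarfs GUID and attribute bits are from the UEFI specification; the
baseline hashes and SAMPLE_* / *_IMAGE bytes below are constructed test data.
"""
import hashlib
import struct

# efivarfs exposes each UEFI variable as <Name>-<VendorGUID>. The first four
# bytes of the file are the variable's attribute bitmask (UINT32, little
# endian); the variable data follows.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"

ATTR_FLAGS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
}


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (list of attribute names, data bytes)."""
    if len(raw) < 4:
        raise ValueError("efivar too short: no attribute header")
    attrs = struct.unpack_from("<I", raw, 0)[0]
    names = [name for bit, name in ATTR_FLAGS.items() if attrs & bit]
    return names, raw[4:]


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> str:
    """Classify boot posture from the SecureBoot and SetupMode variables.

    SecureBoot == 1 only means the firmware reports enforcement. If
    SetupMode == 1 the Platform Key is cleared and db/dbx can be rewritten
    without authentication, so signature enforcement is not in effect.
    """
    _, sb = parse_efivar(secure_boot_raw)
    _, sm = parse_efivar(setup_mode_raw)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot/SetupMode must carry one data byte")
    if sm[0] == 1:
        return "setup mode (keys writable, Secure Boot not enforcing)"
    return "enabled" if sb[0] == 1 else "disabled"


def read_live_secure_boot_state():
    """Read the real variables if this host booted via UEFI, else None."""
    try:
        with open(f"{EFIVARS}/SecureBoot-{EFI_GLOBAL_VARIABLE}", "rb") as f:
            sb = f.read()
        with open(f"{EFIVARS}/SetupMode-{EFI_GLOBAL_VARIABLE}", "rb") as f:
            sm = f.read()
    except OSError:
        return None
    return secure_boot_state(sb, sm)


def check_firmware_image(image: bytes, baseline: dict) -> dict:
    """Compare a firmware dump against known-good SHA-256 digests.

    baseline maps hex digest -> release label. Anything not in the baseline
    is reported as a deviation to be investigated, not silently accepted.
    """
    digest = hashlib.sha256(image).hexdigest()
    label = baseline.get(digest)
    return {
        "sha256": digest,
        "status": "known-good" if label else "DEVIATION",
        "release": label,
    }


# Constructed sample data (not from any real platform).
SAMPLE_SB_ON = struct.pack("<I", 0x06) + b"\x01"     # BS|RT attrs, SecureBoot=1
SAMPLE_SB_OFF = struct.pack("<I", 0x06) + b"\x00"
SAMPLE_SETUP_OFF = struct.pack("<I", 0x06) + b"\x00"
SAMPLE_SETUP_ON = struct.pack("<I", 0x06) + b"\x01"

GOOD_IMAGE = b"\xff" * 64 + b"VENDOR-BIOS-1.23" + b"\xff" * 64
TAMPERED_IMAGE = GOOD_IMAGE.replace(b"1.23", b"1.2x")  # one-region patch
BASELINE = {hashlib.sha256(GOOD_IMAGE).hexdigest(): "Vendor BIOS 1.23"}

if __name__ == "__main__":
    print("sample:", secure_boot_state(SAMPLE_SB_ON, SAMPLE_SETUP_OFF))
    print("sample:", secure_boot_state(SAMPLE_SB_ON, SAMPLE_SETUP_ON))
    print("live:  ", read_live_secure_boot_state() or "no efivarfs on this host")
    for img in (GOOD_IMAGE, TAMPERED_IMAGE):
        print(check_firmware_image(img, BASELINE))
```

On a real host the image bytes would come from a flash dump (for example one taken with flashrom) and the baseline from the vendor's published hashes. Two caveats: a whole-chip hash will change legitimately because the NVRAM variable store is rewritten on every boot, so compare only the code regions (or the vendor capsule) rather than the entire SPI image; and a software-only check reads through the firmware it is trying to verify, so a rootkit that already controls SMM or the flash controller can lie to it. Treat this as the configuration-deviation detector the CRI statements describe, and pair it with hardware-rooted measurements (TPM PCR0 attestation, which is what the Azure boot-integrity recommendation relies on) for a trustworthy answer.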