Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)
System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement protects against System Firmware through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement protects against System Firmware through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides protection from System Firmware through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
References
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1542.001 | System Firmware |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
References
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching the BIOS and EFI as necessary helps to prevent adversaries from modifying system firmware.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides protection from System Firmware through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configurations.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542.001 | System Firmware |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1542.001 | System Firmware |
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.
References
|