Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)
Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542 | Pre-OS Boot |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1542.001 | System Firmware | 1 |
| T1542.003 | Bootkit | 1 |
| T1542.005 | TFTP Boot | 1 |
| T1542.002 | Component Firmware | 2 |
| T1542.004 | ROMMONkit | 1 |