Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control. (Citation: Wikipedia Booting)
Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1542 | Pre-OS Boot | This control provides recommendations for enabling Secure Boot on Linux VMs, which can mitigate a few of the sub-techniques of this technique. Because it is only a recommendation and covers only a few sub-techniques, its assessed score is Partial. |
| network_security_groups | Network Security Groups | technique_scores | T1542 | Pre-OS Boot | Provides partial protection coverage for only one sub-technique (booting from remote devices, e.g. TFTP boot), resulting in an overall score of Minimal. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1542 | Pre-OS Boot | This control can identify anomalous traffic related to one of this technique's sub-techniques (TFTP boot). |