T1542 Pre-OS Boot Mappings

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1542 Pre-OS Boot
AC-3 Access Enforcement Protects T1542 Pre-OS Boot
AC-5 Separation of Duties Protects T1542 Pre-OS Boot
AC-6 Least Privilege Protects T1542 Pre-OS Boot
CA-8 Penetration Testing Protects T1542 Pre-OS Boot
CM-3 Configuration Change Control Protects T1542 Pre-OS Boot
CM-5 Access Restrictions for Change Protects T1542 Pre-OS Boot
CM-6 Configuration Settings Protects T1542 Pre-OS Boot
CM-8 System Component Inventory Protects T1542 Pre-OS Boot
IA-2 Identification and Authentication (organizational Users) Protects T1542 Pre-OS Boot
IA-7 Cryptographic Module Authentication Protects T1542 Pre-OS Boot
IA-8 Identification and Authentication (non-organizational Users) Protects T1542 Pre-OS Boot
RA-9 Criticality Analysis Protects T1542 Pre-OS Boot
SA-10 Developer Configuration Management Protects T1542 Pre-OS Boot
SA-11 Developer Testing and Evaluation Protects T1542 Pre-OS Boot
SC-34 Non-modifiable Executable Programs Protects T1542 Pre-OS Boot
SC-7 Boundary Protection Protects T1542 Pre-OS Boot
SI-2 Flaw Remediation Protects T1542 Pre-OS Boot
SI-7 Software, Firmware, and Information Integrity Protects T1542 Pre-OS Boot
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1542 Pre-OS Boot
network_security_groups Network Security Groups technique_scores T1542 Pre-OS Boot
azure_network_traffic_analytics Azure Network Traffic Analytics technique_scores T1542 Pre-OS Boot

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1542.003 Bootkit 19
T1542.004 ROMMONkit 20
T1542.001 System Firmware 19
T1542.005 TFTP Boot 26