T1542.003 Bootkit Mappings

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1542.003 Bootkit
AC-3 Access Enforcement Protects T1542.003 Bootkit
AC-5 Separation of Duties Protects T1542.003 Bootkit
AC-6 Least Privilege Protects T1542.003 Bootkit
CA-8 Penetration Testing Protects T1542.003 Bootkit
CM-3 Configuration Change Control Protects T1542.003 Bootkit
CM-5 Access Restrictions for Change Protects T1542.003 Bootkit
CM-6 Configuration Settings Protects T1542.003 Bootkit
CM-8 System Component Inventory Protects T1542.003 Bootkit
IA-2 Identification and Authentication (organizational Users) Protects T1542.003 Bootkit
IA-7 Cryptographic Module Authentication Protects T1542.003 Bootkit
IA-8 Identification and Authentication (non-organizational Users) Protects T1542.003 Bootkit
RA-9 Criticality Analysis Protects T1542.003 Bootkit
SA-10 Developer Configuration Management Protects T1542.003 Bootkit
SA-11 Developer Testing and Evaluation Protects T1542.003 Bootkit
SC-34 Non-modifiable Executable Programs Protects T1542.003 Bootkit
SI-2 Flaw Remediation Protects T1542.003 Bootkit
SI-7 Software, Firmware, and Information Integrity Protects T1542.003 Bootkit
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1542.003 Bootkit