T1542 Pre-OS Boot Mappings

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1542 Pre-OS Boot
AC-3 Access Enforcement Protects T1542 Pre-OS Boot
AC-5 Separation of Duties Protects T1542 Pre-OS Boot
AC-6 Least Privilege Protects T1542 Pre-OS Boot
CA-8 Penetration Testing Protects T1542 Pre-OS Boot
CM-3 Configuration Change Control Protects T1542 Pre-OS Boot
CM-5 Access Restrictions for Change Protects T1542 Pre-OS Boot
CM-6 Configuration Settings Protects T1542 Pre-OS Boot
CM-8 System Component Inventory Protects T1542 Pre-OS Boot
IA-2 Identification and Authentication (organizational Users) Protects T1542 Pre-OS Boot
IA-7 Cryptographic Module Authentication Protects T1542 Pre-OS Boot
IA-8 Identification and Authentication (non-organizational Users) Protects T1542 Pre-OS Boot
RA-9 Criticality Analysis Protects T1542 Pre-OS Boot
SA-10 Developer Configuration Management Protects T1542 Pre-OS Boot
SA-11 Developer Testing and Evaluation Protects T1542 Pre-OS Boot
SC-34 Non-modifiable Executable Programs Protects T1542 Pre-OS Boot
SC-7 Boundary Protection Protects T1542 Pre-OS Boot
SI-2 Flaw Remediation Protects T1542 Pre-OS Boot
SI-7 Software, Firmware, and Information Integrity Protects T1542 Pre-OS Boot
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1542 Pre-OS Boot
action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1542 Pre-OS Boot
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1542 Pre-OS Boot
aws_network_firewall AWS Network Firewall technique_scores T1542 Pre-OS Boot

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1542.003 Bootkit 19
T1542.002 Component Firmware 1
T1542.004 ROMMONkit 23
T1542.001 System Firmware 26
T1542.005 TFTP Boot 27