T1542 Pre-OS Boot Mappings

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, since malware at this level runs before and beneath host software-based defenses and will not be observed by them.
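Because host-resident defenses cannot see below the OS, the usual countermeasure is an out-of-band integrity check: snapshot the boot record (or firmware image) from a trusted environment, keep its digest, and compare later reads against it, which is what the SI-7 (Software, Firmware, and Information Integrity) mapping below amounts to in practice. The following Python script is an added example written for this page, not code from MITRE ATT&CK or the mappings project; the 512-byte sectors, host name and digest inventory are constructed for the demonstration, and the MBR region boundaries used for labelling are the standard layout (boot code 0-439, disk signature 440-443, partition table 446-509, signature 0x55AA at 510-511).

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR-style boot sector

# Standard MBR layout; used only to label which part of the sector changed.
REGIONS = (
    (0, 440, "boot code"),
    (440, 444, "disk signature"),
    (444, 446, "reserved"),
    (446, 510, "partition table"),
    (510, 512, "boot signature"),
)


@dataclass
class BootRecordCheck:
    signature_ok: bool
    matches_baseline: bool
    changed_offsets: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return self.signature_ok and self.matches_baseline

    def regions_touched(self) -> set:
        return {name for off in self.changed_offsets
                for lo, hi, name in REGIONS if lo <= off < hi}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_baseline(inventory: dict, host: str, sector: bytes) -> str:
    """Store the known-good digest for a host. Run this from a trusted
    environment (e.g. a rescue image), not from the OS being protected."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    inventory[host] = sha256_hex(sector)
    return inventory[host]


def verify_boot_record(inventory: dict, host: str, current: bytes,
                       golden: Optional[bytes] = None) -> BootRecordCheck:
    """Compare a freshly read sector against the recorded baseline digest.
    When the golden image itself is available, also report which bytes moved."""
    if host not in inventory:
        raise KeyError(f"no baseline recorded for {host}")
    if len(current) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(current)}")
    same = sha256_hex(current) == inventory[host]
    changed = []
    if not same and golden is not None:
        changed = [i for i, (a, b) in enumerate(zip(golden, current)) if a != b]
    return BootRecordCheck(signature_ok=current[510:512] == BOOT_SIGNATURE,
                           matches_baseline=same, changed_offsets=changed)


# --- constructed sample data for the demo (not a real disk image) ---
def make_sample_sector(code_fill: bytes) -> bytes:
    code = (code_fill * (440 // len(code_fill) + 1))[:440]   # boot code area
    disk_sig = b"\x12\x34\x56\x78"                           # 4-byte disk signature
    return code + disk_sig + b"\x00\x00" + bytes(64) + BOOT_SIGNATURE


GOLDEN = make_sample_sector(b"\x90\xEB")
TAMPERED = b"\x00\x00\x00" + GOLDEN[3:]   # constructed: first 3 boot-code bytes altered
BROKEN_SIG = GOLDEN[:510] + b"\x00\x00"   # constructed: boot signature destroyed

BASELINES: dict = {}
record_baseline(BASELINES, "host-a", GOLDEN)

if __name__ == "__main__":
    for label, sector in (("golden", GOLDEN), ("tampered", TAMPERED), ("broken", BROKEN_SIG)):
        r = verify_boot_record(BASELINES, "host-a", sector, golden=GOLDEN)
        print(f"{label:9s} clean={r.clean} regions={sorted(r.regions_touched())}")
```

The digest inventory is what gets stored centrally; the golden image is optional and only used to tell an analyst whether the boot code, the partition table or the signature itself moved. The same snapshot-and-compare pattern applies to a dumped SPI flash image or UEFI volume, with the region table swapped for that format's layout.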

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1542 | Pre-OS Boot | |
| AC-3 | Access Enforcement | Protects | T1542 | Pre-OS Boot | |
| AC-5 | Separation of Duties | Protects | T1542 | Pre-OS Boot | |
| AC-6 | Least Privilege | Protects | T1542 | Pre-OS Boot | |
| CA-8 | Penetration Testing | Protects | T1542 | Pre-OS Boot | |
| CM-3 | Configuration Change Control | Protects | T1542 | Pre-OS Boot | |
| CM-5 | Access Restrictions for Change | Protects | T1542 | Pre-OS Boot | |
| CM-6 | Configuration Settings | Protects | T1542 | Pre-OS Boot | |
| CM-8 | System Component Inventory | Protects | T1542 | Pre-OS Boot | |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1542 | Pre-OS Boot | |
| IA-7 | Cryptographic Module Authentication | Protects | T1542 | Pre-OS Boot | |
| IA-8 | Identification and Authentication (Non-Organizational Users) | Protects | T1542 | Pre-OS Boot | |
| RA-9 | Criticality Analysis | Protects | T1542 | Pre-OS Boot | |
| SA-10 | Developer Configuration Management | Protects | T1542 | Pre-OS Boot | |
| SA-11 | Developer Testing and Evaluation | Protects | T1542 | Pre-OS Boot | |
| SC-34 | Non-modifiable Executable Programs | Protects | T1542 | Pre-OS Boot | |
| SC-7 | Boundary Protection | Protects | T1542 | Pre-OS Boot | |
| SI-2 | Flaw Remediation | Protects | T1542 | Pre-OS Boot | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1542 | Pre-OS Boot | |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1542 | Pre-OS Boot | |
| action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1542 | Pre-OS Boot | |
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1542 | Pre-OS Boot | VPC security groups and network access control lists (NACLs) can provide partial protection coverage of Pre-OS Boot mechanisms that use TFTP boot, resulting in an overall score of Minimal. |
| aws_network_firewall | AWS Network Firewall | technique_scores | T1542 | Pre-OS Boot | AWS Network Firewall can pass, drop, or alert on traffic based on the network protocol and can perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Minimal because AWS Network Firewall only supports a subset of sub-techniques (1 of 5) and does nothing to protect against TFTP booting among hosts within the network and behind the firewall. |
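As an added example for the AWS Network Firewall note above (not part of the mappings page and not an AWS-supplied rule): a Suricata-compatible stateful rule of the kind an AWS Network Firewall rule group accepts, dropping UDP traffic to the well-known TFTP port (69), with an alert-only variant for environments that want visibility before enforcement. The `sid` values and the `$HOME_NET` variable are assumptions chosen for the example. As the note states, this only affects traffic that actually traverses the firewall endpoint; hosts booting over TFTP from a peer in the same subnet never reach it, which is why the score stays Minimal.

```suricata
# Enforcement: drop TFTP (UDP/69) crossing the firewall endpoint.
drop udp any any -> $HOME_NET 69 (msg:"TFTP boot traffic blocked (T1542.005 mitigation)"; sid:1000001; rev:1;)

# Visibility-only variant: log TFTP attempts without blocking them.
alert udp any any -> $HOME_NET 69 (msg:"TFTP boot traffic observed"; sid:1000002; rev:1;)
```

Pairing the rule with VPC flow logs for UDP/69 gives a way to confirm the rule is actually in the traffic path, since a rule on an endpoint no route points at silently protects nothing.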

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1542.003 | Bootkit | 19 |
| T1542.002 | Component Firmware | 1 |
| T1542.004 | ROMMONkit | 23 |
| T1542.001 | System Firmware | 26 |
| T1542.005 | TFTP Boot | 27 |