T1542 · Technique · defense-evasion · persistence · agent-callable

T1542 Pre-OS Boot

Platforms: Linux · Windows · Network · macOS

ATT&CK version: 14.1

What it is

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the boot process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting) Adversaries may overwrite data in boot drivers or firmware such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.

ATT&CK tactics · 2

Defense Evasion · Persistence

References

  1. https://attack.mitre.org/techniques/T1542
  2. https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html
  3. https://en.wikipedia.org/wiki/Booting

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.