PT Sandbox

Profound defense against sophisticated malware and zero-day threats

T1495: Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable. Depending on the device, this attack may also result in Data Destruction.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

IDDS0001Data source and componentFirmware: Firmware ModificationDescription

Monitor for changes made to the firmware for unexpected modifications to settings and/or data.  Log attempts to read/write to BIOS and compare against known patching behavior.

Mitigation

IDM1051NameUpdate SoftwareDescription

Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.

IDM1026NamePrivileged Account ManagementDescription

Prevent adversary access to privileged accounts or access necessary to replace system firmware.

IDM1046NameBoot IntegrityDescription

Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification.