T1542: Pre-OS Boot
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.
Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.
Positive Technologies products that cover the technique
Detection
PT NAD can detect and dissect the Trivial File Transfer Protocol (TFTP), which is commonly used by devices for initial download of the firmware over the network.
Examples of PT NAD filters
- `app_proto == "tftp"`
Expert Required. The technique is detected only with the combination «PT Product + Expert».
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0001 | Firmware: Firmware Modification | Monitor for changes made on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI. |
| DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. |
| DS0016 | Drive: Drive Modification | Monitor for changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples. |
| DS0009 | Process: OS API Execution | Monitor for API calls that may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. Disk check, forensic utilities, and data from device drivers (i.e. API calls) may reveal anomalies that warrant deeper investigation. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. |
| DS0027 | Driver: Driver Metadata | Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. |
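The DS0001 and DS0016 entries above recommend taking snapshots of boot records and comparing them against known-good images. The following Python script is an added example, not code from MITRE ATT&CK or Positive Technologies: it parses a 512-byte Master Boot Record, hashes the bootstrap code region, decodes the four partition-table entries, checks the 0x55AA boot signature, and reports every field that differs from a baseline snapshot. The sample sectors are constructed inline (placeholder text stands in for real boot code) so the script runs offline; on a real host the current sector would be read from the raw block device with administrative privileges.

```python
import hashlib
import struct

# Classic BIOS/MBR sector layout.
MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code area before the disk signature field
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the partition table and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_with_baseline(current: bytes, baseline: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR matches the known-good snapshot."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed")
    for i, (c, b) in enumerate(zip(cur["partitions"], base["partitions"])):
        if c != b:
            findings.append(f"partition entry {i} changed")
    return findings


def build_sample_mbr(boot_code: bytes, lba_start: int = 2048) -> bytes:
    """Constructed sample sector: placeholder boot code, one active type-0x07 partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, lba_start, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a "known good" snapshot and two deviations from it.
BASELINE_MBR = build_sample_mbr(b"BASELINE-BOOT-CODE-PLACEHOLDER")
MODIFIED_CODE_MBR = build_sample_mbr(b"MODIFIED-BOOT-CODE-PLACEHOLDER")
MODIFIED_TABLE_MBR = build_sample_mbr(b"BASELINE-BOOT-CODE-PLACEHOLDER", lba_start=4096)

if __name__ == "__main__":
    # On a live system the current sector would come from e.g. open("/dev/sda", "rb").read(512)
    # (root required); no real sector is embedded here.
    for name, sector in [("baseline", BASELINE_MBR), ("modified code", MODIFIED_CODE_MBR),
                         ("modified table", MODIFIED_TABLE_MBR)]:
        print(f"{name}: {compare_with_baseline(sector, BASELINE_MBR) or 'no change'}")
```

The baseline hash should be captured once from a trusted image and stored off-host, since an implant that can rewrite the boot sector can also rewrite a baseline kept on the same disk; the same snapshot-and-diff approach extends to the VBR of each partition and to firmware images dumped from SPI flash.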
Mitigation
| ID | Name | Description |
|---|---|---|
| M1035 | Limit Access to Resource Over Network | Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
| M1047 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M1051 | Update Software | Patch the BIOS and EFI as necessary. |
| M1026 | Privileged Account Management | Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions. |
| M1046 | Boot Integrity | Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. |