PT Sandbox

Profound defense against sophisticated malware and zero-day threats

T1542.001: System Firmware

Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.

System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

IDDS0001Data source and componentFirmware: Firmware ModificationDescription

Monitor for changes made to firmware. Dump and inspect BIOS images on vulnerable systems and compare against known good images. Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.

Mitigation

IDM1026NamePrivileged Account ManagementDescription

Prevent adversary access to privileged accounts or access necessary to perform this technique.

IDM1046NameBoot IntegrityDescription

Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. Move system's root of trust to hardware to prevent tampering with the SPI flash memory. Technologies such as Intel Boot Guard can assist with this.

IDM1051NameUpdate SoftwareDescription

Patch the BIOS and EFI as necessary.