T1542.003: Bootkit

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the section of disk that is loaded first once the BIOS has completed hardware initialization. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

Positive Technologies products that cover the technique

A description of detection methods is not available yet.

Detection

ID: DS0016
Data source and component: Drive: Drive Modification
Description:

Monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.
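The snapshot-and-compare approach above can be reduced to a small baseline check. The following is an added example, not code from the ATT&CK page or from Positive Technologies: it parses a 512-byte MBR into its boot-code region, partition table and boot signature, locates the VBR of the bootable partition from the partition table's starting LBA, hashes each region separately, and reports which region differs from a stored known-good baseline. Hashing the 446-byte boot code apart from the partition table matters because a bootkit has to replace the loader code while leaving the partition table intact so the system still boots, so a change confined to the boot-code region is the signal of interest. The disk images in the block are constructed in memory for the demonstration; on a real host you would read the first sector of the physical drive and the first sector of the active partition instead.

```python
"""Baseline check for MBR boot code, partition table and VBR (added example)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446    # bytes 0..445 of the MBR hold the boot loader code
PART_TABLE_OFF = 446   # four 16-byte partition entries follow the boot code
SIG_OFF = 510          # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into the regions the baseline check cares about."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]          # 0x80 = bootable flag
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                                         # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partition_table": sector[PART_TABLE_OFF:SIG_OFF],
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
        "partitions": partitions,
    }


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def boot_region_hashes(image: bytes) -> dict:
    """Hash the MBR boot code, the partition table and the VBR of the bootable partition."""
    mbr = parse_mbr(image[:SECTOR])
    hashes = {"mbr_boot_code": sha256(mbr["boot_code"]),
              "mbr_partition_table": sha256(mbr["partition_table"])}
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if bootable:
        start = bootable[0]["lba_start"] * SECTOR   # VBR is the first sector of the partition
        hashes["vbr"] = sha256(image[start:start + SECTOR])
    return hashes


def check_against_baseline(image: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means no boot region changed."""
    findings = []
    if not parse_mbr(image[:SECTOR])["signature_ok"]:
        findings.append("MBR boot signature missing or corrupted")
    current = boot_region_hashes(image)
    for region, known_good in baseline.items():
        if region not in current:
            findings.append(f"{region}: region not found (partition table changed?)")
        elif current[region] != known_good:
            findings.append(f"{region}: hash differs from baseline")
    return findings


def build_sample_image(boot_code: bytes, vbr: bytes) -> bytes:
    """Construct a 3-sector image: MBR, one empty sector, then the VBR at LBA 2 (sample data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # one entry: bootable flag, zero CHS fields, partition type 0x07, LBA start 2, length 1 sector
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2, 1)
    mbr = code + entry + b"\x00" * 48 + b"\x55\xAA"
    return mbr + b"\x00" * SECTOR + vbr.ljust(SECTOR, b"\x00")[:SECTOR]


# Constructed samples: a known-good image, and one whose loader code was replaced
GOOD_IMAGE = build_sample_image(b"\xEB\x3C\x90ORIGINAL-LOADER", b"\xEB\x52\x90NTFS    ")
BASELINE = boot_region_hashes(GOOD_IMAGE)
TAMPERED_IMAGE = build_sample_image(b"\xEB\x3C\x90REPLACED-LOADER", b"\xEB\x52\x90NTFS    ")

if __name__ == "__main__":
    print("good image:", check_against_baseline(GOOD_IMAGE, BASELINE) or "no changes")
    print("tampered image:", check_against_baseline(TAMPERED_IMAGE, BASELINE))
```

Store the baseline hashes off-host (a monitoring server or a signed file), not on the drive being checked, since a bootkit with raw disk access can rewrite anything stored locally; re-baseline only after a legitimate boot-loader or partitioning change.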

Mitigation

ID: M1026
Name: Privileged Account Management
Description:

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.

ID: M1046
Name: Boot Integrity
Description:

Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised.