Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI
Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1495 | Firmware Corruption | Monitor for changes made to the firmware for unexpected modifications to settings and/or data. [1] Log attempts to read/write to BIOS and compare against known patching behavior. |
| Enterprise | T1564 | Hide Artifacts | Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection. |
| Enterprise | T1564.005 | Hidden File System | Monitor for changes made to firmware for unexpected modifications to settings and/or data that may use a hidden file system to conceal malicious activity from users and security tools. |
| ICS | T0839 | Module Firmware | Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5] |
| Enterprise | T1542 | Pre-OS Boot | Monitor for changes made on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI. |
| Enterprise | T1542.001 | System Firmware | Monitor for changes made to firmware. [1] Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5] |
| Enterprise | T1542.002 | Component Firmware | Monitor for changes that may reveal indicators of malicious firmware such as strings. Also consider comparing components, including hashes of component firmware and behavior, against known good images. |
| Enterprise | T1542.004 | ROMMONkit | There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation. |
| Enterprise | T1542.005 | TFTP Boot | Monitor for changes to boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. [6] Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols. |
| Enterprise | T1014 | Rootkit | Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. |
| ICS | T0851 | Rootkit | Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Asset management systems should be consulted to understand known-good firmware versions and configurations. |
| ICS | T0857 | System Firmware | Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5] |
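The detection guidance repeated for T0839, T1542.001 and T0857 (dump the image, compare against a known-good snapshot, compare collected EFI modules against a known-clean list) reduces to a baseline diff. The following is an added illustration, not code from ATT&CK or CHIPSEC; the firmware regions and EFI modules are constructed byte strings standing in for a real dump, and the region names are assumptions.

```python
import hashlib

# Constructed sample data (not real firmware): the known-good snapshot of
# boot records and EFI modules recorded when the host was provisioned.
KNOWN_GOOD_IMAGE = {
    "MBR": b"\xeb\x63\x90" + b"\x00" * 507 + b"\x55\xaa",          # 512-byte boot record
    "VBR": b"\xeb\x52\x90NTFS    " + b"\x00" * 499 + b"\x55\xaa",  # 512-byte volume boot record
    "EFI/DxeCore.efi": b"MZ\x90\x00DxeCore-known-good",
    "EFI/Shell.efi": b"MZ\x90\x00Shell-known-good",
}

# A later dump of the same host (constructed): VBR and DxeCore unchanged,
# MBR patched, Shell.efi replaced, and one module that is not on the clean list.
CURRENT_DUMP = {
    "MBR": b"\xeb\x63\x90" + b"\x90" * 507 + b"\x55\xaa",
    "VBR": KNOWN_GOOD_IMAGE["VBR"],
    "EFI/DxeCore.efi": b"MZ\x90\x00DxeCore-known-good",
    "EFI/Shell.efi": b"MZ\x90\x00Shell-MODIFIED",
    "EFI/Unknown.efi": b"MZ\x90\x00not-in-baseline",
}

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def build_baseline(regions: dict[str, bytes]) -> dict[str, str]:
    """Hash every dumped region/module; persist this as the known-good baseline."""
    return {name: sha256_hex(blob) for name, blob in regions.items()}

def diff_against_baseline(baseline: dict[str, str], dump: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify each region as modified, added (absent from the clean list) or removed."""
    now = build_baseline(dump)
    return {
        "modified": sorted(n for n in baseline if n in now and now[n] != baseline[n]),
        "added": sorted(n for n in now if n not in baseline),
        "removed": sorted(n for n in baseline if n not in now),
    }

def boot_record_sane(record: bytes) -> bool:
    """Structural check on a dumped boot record: 512 bytes ending in the 0x55AA signature."""
    return len(record) == 512 and record[510:512] == b"\x55\xaa"

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_IMAGE)
    for kind, names in diff_against_baseline(baseline, CURRENT_DUMP).items():
        print(f"{kind}: {names}")
```

Any entry under "modified" or "added" should be reconciled against the asset management record of approved firmware updates before being treated as an incident.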