Firmware

Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI

ID: DS0001
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Firmware: Firmware Modification

Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)

Firmware: Firmware Modification

Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)

Domain ID Name Detects
Enterprise T1495 Firmware Corruption

Monitor for changes made to the firmware for unexpected modifications to settings and/or data. [1] Log attempts to read/write to BIOS and compare against known patching behavior.

Enterprise T1564 Hide Artifacts

Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection.

.005 Hidden File System

Monitor for changes made to firmware for unexpected modifications to settings and/or data that may use a hidden file system to conceal malicious activity from users and security tools. Bootkit

ICS T0839 Module Firmware
Enterprise T1542 Pre-OS Boot

Monitor for changes made on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI

.001 System Firmware

Monitor for changes made to firmware. [1] Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5]

.002 Component Firmware

Monitor for changes that may reveal indicators of malicious firmware such as strings. Also consider comparing components, including hashes of component firmware and behavior, against known good images.

.004 ROMMONkit

There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.

.005 TFTP Boot

Monitor for changes to boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. [6] Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.

Enterprise T1014 Rootkit

Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior.

ICS T0851 Rootkit
ICS T0857 System Firmware

References