Check out the results from our first round of ATT&CK Evaluations at!

Component Firmware

Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

ID: T1109

Tactic: Defense Evasion, Persistence

Platform:  Windows

Permissions Required:  SYSTEM

Data Sources:  Disk forensics, API monitoring, Process monitoring, Component firmware

Defense Bypassed:  File monitoring, Host intrusion prevention systems, Anti-virus

Version: 1.0



Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.[1]


Prevent adversary access to privileged accounts or access necessary to perform this technique.

Consider removing and replacing system components suspected of being compromised.


Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) [2] [3] disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.

Disk check and forensic utilities [4] may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.