1. Home
  2. Techniques
  3. Enterprise
  4. Firmware Corruption

Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.[1] Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.[2][3] Depending on the device, this attack may also result in Data Destruction.

ID: T1495
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: Linux, Network Devices, Windows, macOS
Impact Type: Availability
Version: 1.3
Created: 12 April 2019
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0606 Bad Rabbit

Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[4]
S0266 TrickBot

TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.[5]

Mitigations

ID Mitigation Description
M1046 Boot Integrity

Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification.
M1026 Privileged Account Management

Prevent adversary access to privileged accounts or access necessary to replace system firmware.
M1051 Update Software

Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0167 Firmware Modification via Flash Tool or Corrupted Firmware Upload AN0474

Firmware flash utility invoked with elevated privileges followed by raw access to firmware device path or changes to boot configuration.
AN0475

Direct write access to /dev/mem or /sys/firmware combined with usage of firmware flashing utilities (e.g., flashrom).
AN0476

EFI updates executed via system processes or binaries outside of expected patch windows or using unsigned firmware packages.
AN0477

Firmware image uploaded via TFTP/SCP or web interface followed by reboot or unexpected loss of connectivity.

References

  1. Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019.
  2. U.S. Department of Homeland Security. (2016, August 30). The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. Retrieved July 29, 2022.
  3. CISA. (2022, April 28). Alert (AA22-057A) Update: Destructive Malware Targeting Organizations in Ukraine. Retrieved July 29, 2022.
  1. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  2. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.