Pre-OS Boot

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.[1]

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

ID: T1542
Tactics: Defense Evasion, Persistence
Platforms: Linux, Network, Windows
Permissions Required: Administrator, SYSTEM
Data Sources: API monitoring, BIOS, Component firmware, Disk forensics, EFI, MBR, Process monitoring, VBR
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems
Version: 1.1
Created: 13 November 2019
Last Modified: 22 October 2020

Mitigations

Mitigation Description
Boot Integrity

Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. [2] [3]

Privileged Account Management

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions

Update Software

Patch the BIOS and EFI as necessary.

Detection

Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.

Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. [4]

References