1. Home
  2. Techniques
  3. Enterprise
  4. Pre-OS Boot
  5. System Firmware

Pre-OS Boot: System Firmware

ID Name
T1542.001 System Firmware
T1542.002 Component Firmware
T1542.003 Bootkit
T1542.004 ROMMONkit
T1542.005 TFTP Boot

Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.[1][2][3]

System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

ID: T1542.001
Sub-technique of:  T1542
Platforms: Network Devices, Windows
Contributors: Jean-Ian Boutin, ESET; McAfee; Ryan Becwar
Version: 1.2
Created: 19 December 2019
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0047 Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.[4]

S0397 LoJax

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[5]

S0001 Trojan.Mebromi

Trojan.Mebromi performs BIOS modification and can download and execute a file as well as protect itself from removal.[6]

Mitigations

ID Mitigation Description
M1046 Boot Integrity

Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. [7] Move system's root of trust to hardware to prevent tampering with the SPI flash memory.[5] Technologies such as Intel Boot Guard can assist with this. [8]
M1026 Privileged Account Management

Prevent adversary access to privileged accounts or access necessary to perform this technique.
M1051 Update Software

Patch the BIOS and EFI as necessary.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0099 Detection Strategy for T1542.001 Pre-OS Boot: System Firmware AN0275

Unexpected write operations to BIOS/UEFI firmware regions or EFI boot partitions that do not correlate with legitimate vendor firmware updates. API calls or utilities such as fwupdate.exe or vendor flash tools executed from non-administrative or non-IT management accounts. Suspicious raw disk writes targeting System Firmware GUID partitions followed by abnormal reboot sequences.
AN0276

Unauthorized firmware uploads to routers, switches, or firewalls via TFTP/FTP/SCP. Logs showing boot variable or startup image path changes redirecting to non-standard firmware images. Abnormal reboots or firmware rollback attempts following configuration modification events.

References

  1. Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.
  2. Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017.
  3. UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.
  4. Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
  1. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  2. Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.
  3. Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.
  4. Intel. (2013). Intel Hardware-based Security Technologies for Intelligent Retail Devices. Retrieved May 19, 2020.