Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
| ID | Name | Description |
|---|---|---|
| S0687 | Cyclops Blink |
Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.[1] |
| G0020 | Equation |
Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1051 | Update Software |
Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0323 | Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware | AN0916 |
Detection of anomalous driver and firmware interactions, including unsigned or unexpected firmware updates, driver loads linked to hardware components, and suspicious use of privileged APIs to read/write firmware or controller memory. |
| AN0917 |
Detection of suspicious use of ioctl/sysfs calls to access device firmware, unexpected flashing tools execution, and anomalous firmware checksums logged by SMART or kernel audit mechanisms. |
||
| AN0918 |
Detection of EFI/firmware manipulation attempts via abnormal driver loads, unsigned kexts, or tampered NVRAM variables associated with component firmware configuration. |