Pre-OS Boot: Component Firmware

Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.

Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

ID: T1542.002
Sub-technique of:  T1542
Platforms: Linux, Windows, macOS
System Requirements: Ability to update component device firmware from the host operating system.
Permissions Required: SYSTEM
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems
Version: 1.1
Created: 19 December 2019
Last Modified: 01 April 2022

Procedure Examples

ID Name Description
S0687 Cyclops Blink

Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.[1]

G0020 Equation

Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.[2]

Mitigations

ID Mitigation Description
M1051 Update Software

Perform regular firmware updates to mitigate risks of exploitation and/or abuse.

Detection

ID Data Source Data Component Detects
DS0027 Driver Driver Metadata

Monitor for unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation

DS0001 Firmware Firmware Modification

Monitor for changes that may reveal indicators of malicious firmware such as strings. Also consider comparing components, including hashes of component firmware and behavior, against known good images.

DS0009 Process OS API Execution

Monitor for API calls associated with the use of device drivers and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) [3] [4] disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.

References