Pre-OS Boot: Bootkit

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). [1] The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. [2]

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

ID: T1542.003
Sub-technique of:  T1542
Platforms: Linux, Windows
Permissions Required: Administrator, SYSTEM
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems
Version: 1.1
Created: 19 December 2019
Last Modified: 30 March 2023

Procedure Examples

ID Name Description
G0007 APT28

APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[3]

G0096 APT41

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[4]

S0114 BOOTRASH

BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.[1][5][6]

S0484 Carberp

Carberp has installed a bootkit on the system to maintain persistence.[7]

S0182 FinFisher

Some FinFisher variants incorporate an MBR rootkit.[8][9]

G0032 Lazarus Group

Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.[10][11]

S0112 ROCKBOOT

ROCKBOOT is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence.[5]

S0266 TrickBot

TrickBot can implant malicious code into a compromised device's firmware.[12]

S0689 WhisperGate

WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.[13][14][15][16][17]

Mitigations

ID Mitigation Description
M1046 Boot Integrity

Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. [18] [19]

M1026 Privileged Account Management

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.

Detection

ID Data Source Data Component Detects
DS0016 Drive Drive Modification

Monitor for changes to MBR and VBR as they occur for indicators for suspicious activity and further analysis. Take snapshots of MBR and VBR and compare against known good samples.

References