System Firmware

From enterprise
Jump to: navigation, search
System Firmware
Technique
ID T1019
Tactic Persistence
Platform Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Permissions Required Administrator, SYSTEM
Data Sources API monitoring, BIOS, EFI
CAPEC ID CAPEC-532
Contributors Ryan BecwarMcAfee

The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.123

System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

Examples

  • Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.4
  • Trojan.Mebromi performs BIOS modification and can download and execute a file as well as protect itself from removal.5

Mitigation

Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology.6

Detection

System firmware manipulation may be detected.7 Dump and inspect BIOS images on vulnerable systems and compare against known good images.8 Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.

Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.91011