Component Firmware

Technique
ID: T1109
Tactic: Defense Evasion, Persistence
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
System Requirements: Ability to update component device firmware from the host operating system.
Permissions Required: SYSTEM
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems

Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide persistent access to systems that survives events that would typically end an adversary's access, such as hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

Examples

  • The Equation group is known to have the capability to overwrite the firmware on hard drives from some manufacturers.[1]
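
Because this technique requires the ability to update device firmware from the host operating system, one host-side check is to record each disk's reported firmware revision and flag later changes. The script below is an added example, not part of the original page; the baseline path is a hypothetical location, and because the revision string is reported by the drive itself, modified firmware can misreport it, so this only surfaces unexpected revision changes and newly attached drives.

```powershell
# Added example: disk firmware revision inventory with baseline drift check.
# Requires PowerShell 3.0 or later (Get-CimInstance).
param(
    # Hypothetical path; keep the real baseline off-host or on read-only storage.
    [string]$BaselinePath = 'C:\ProgramData\FwBaseline\disks.json'
)

function Get-DiskFirmwareInventory {
    # Win32_DiskDrive exposes the revision string the drive returns to the OS.
    Get-CimInstance -ClassName Win32_DiskDrive | ForEach-Object {
        $serial = "$($_.SerialNumber)".Trim()
        $model  = "$($_.Model)".Trim()
        [pscustomobject]@{
            Key              = "$model|$serial"   # model + serial identifies the drive
            Model            = $model
            Serial           = $serial
            FirmwareRevision = "$($_.FirmwareRevision)".Trim()
        }
    }
}

function Compare-DiskFirmware {
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Key] = $b.FirmwareRevision }
    foreach ($c in $Current) {
        if (-not $known.ContainsKey($c.Key)) {
            # Drive was not present when the baseline was taken.
            [pscustomobject]@{ Disk = $c.Key; Finding = 'NewDevice'; Was = $null; Now = $c.FirmwareRevision }
        } elseif ($known[$c.Key] -ne $c.FirmwareRevision) {
            # Same drive, different reported revision: confirm an approved update occurred.
            [pscustomobject]@{ Disk = $c.Key; Finding = 'FirmwareChanged'; Was = $known[$c.Key]; Now = $c.FirmwareRevision }
        }
    }
}

$current = @(Get-DiskFirmwareInventory)
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the current state as the baseline.
    New-Item -ItemType Directory -Path (Split-Path -Parent $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written for $($current.Count) disk(s)."
} else {
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $findings = @(Compare-DiskFirmware -Baseline $baseline -Current $current)
    if ($findings.Count -gt 0) { $findings } else { Write-Output 'No firmware revision drift.' }
}
```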