T1542

Linux Network Devices Windows macOS
Pre-OS Boot

Description

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system.

These programs control flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system.

This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

Sub-techniques

T1542.001 — System Firmware T1542.002 — Component Firmware T1542.003 — Bootkit T1542.004 — ROMMONkit T1542.005 — TFTP Boot