Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI
Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1495 | Firmware Corruption | Monitor for changes made to the firmware for unexpected modifications to settings and/or data. [1] Log attempts to read/write to BIOS and compare against known patching behavior. |
| Enterprise | T1564 | Hide Artifacts | Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection. |
| | .005 | Hidden File System | Monitor for changes made to firmware for unexpected modifications to settings and/or data that may use a hidden file system to conceal malicious activity from users and security tools. |
| Enterprise | T1542 | Pre-OS Boot | Monitor for changes made on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI. |
| | .001 | System Firmware | Monitor for changes made to firmware. [1] Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5] |
| | .002 | Component Firmware | Monitor for changes that may reveal indicators of malicious firmware such as strings. Also consider comparing components, including hashes of component firmware and behavior, against known good images. |
| | .004 | ROMMONkit | There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation. |
| | .005 | TFTP Boot | Monitor for changes to boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. [6] Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols. |
| Enterprise | T1014 | Rootkit | Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. |
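The baseline comparison that the Pre-OS Boot and System Firmware rows describe (snapshot boot records, diff them against a known-good image, and check collected EFI modules against a known-clean list), written as an added example rather than code from ATT&CK or CHIPSEC; the boot-sector bytes, module names and module contents are constructed sample data, and a real deployment would read the snapshots from a firmware dump or the raw disk device.

```python
import hashlib
from typing import Dict, List

SECTOR = 512

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sector_hashes(image: bytes) -> Dict[int, str]:
    """Hash each 512-byte sector separately so a diff can name the sector that changed."""
    return {i // SECTOR: sha256_hex(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR)}

def changed_sectors(current: bytes, baseline: bytes) -> List[int]:
    """Indices of sectors whose contents differ from the known-good snapshot."""
    cur, base = sector_hashes(current), sector_hashes(baseline)
    return [i for i in sorted(set(cur) | set(base)) if cur.get(i) != base.get(i)]

def boot_signature_ok(sector: bytes) -> bool:
    """A legacy MBR/VBR ends in the 0x55AA boot signature; its absence means a corrupt record."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"

def check_efi_modules(collected: Dict[str, bytes], known_clean: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify collected EFI executables against a known-clean list of name -> sha256."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "unknown": []}
    for name, blob in sorted(collected.items()):
        if name not in known_clean:
            report["unknown"].append(name)        # module the clean list never contained
        elif known_clean[name] != sha256_hex(blob):
            report["modified"].append(name)       # known module whose bytes changed
        else:
            report["ok"].append(name)
    return report

# Constructed sample data (not real firmware): sector 0 stands in for an MBR, sector 1 for a VBR.
_MBR_GOOD = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 505 + b"\x55\xaa"
_VBR_GOOD = b"\xeb\x52\x90NTFS    " + b"\x00" * 499 + b"\x55\xaa"
BASELINE_IMAGE = _MBR_GOOD + _VBR_GOOD
# "Current" snapshot in which the VBR's jump target was altered, leaving the MBR untouched.
CURRENT_IMAGE = _MBR_GOOD + b"\xeb\x7f\x90" + _VBR_GOOD[3:]
KNOWN_CLEAN_EFI = {"DxeCore.efi": sha256_hex(b"constructed DxeCore"), "Shell.efi": sha256_hex(b"constructed Shell")}
COLLECTED_EFI = {
    "DxeCore.efi": b"constructed DxeCore",          # unchanged
    "Shell.efi": b"constructed Shell, patched",     # known name, different bytes
    "ExtraDriver.efi": b"constructed unknown blob", # not on the clean list at all
}

if __name__ == "__main__":
    print("changed sectors:", changed_sectors(CURRENT_IMAGE, BASELINE_IMAGE))
    print("EFI report:", check_efi_modules(COLLECTED_EFI, KNOWN_CLEAN_EFI))
```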