Ctrl+K

T1542 - Pre-OS Boot

T1542 - Pre-OS Boot#

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

Atomic Tests:#

Currently, no tests are available for this technique.

Detection#

Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.

Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation.(Citation: ITWorld Hard Disk Health Dec 2014)

Shield Active Defense#

Security Controls#

Alter security controls to make the system more or less vulnerable to attack.

Manipulating security controls involves making configuration changes to the security settings of a system including things like modifying Group Policies, disabling/enabling autorun for removable media, and tightening or relaxing system firewalls, etc.

Opportunity#

There is an opportunity to use security controls on systems in order to affect the success of an adversary.

Use Case#

A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised.

Procedures#

Weaken security controls on a system to allow for leaking of credentials via network connection poisoning. Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials.

Contents