Firmware

Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI

ID: DS0001
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 18 April 2025

Data Components

Firmware: Firmware Modification

Changes made to firmware, which may include its settings, configurations, or underlying data. This can encompass alterations to the Master Boot Record (MBR), Volume Boot Record (VBR), or other firmware components critical to system boot and functionality. Such modifications are often indicators of adversary activity, including malware persistence and system compromise. Examples:

  • Changes to Master Boot Record (MBR): Modifying the MBR to load malicious code during the boot process.
  • Changes to Volume Boot Record (VBR): Altering the VBR to redirect boot processes to malicious locations.
  • Firmware Configuration Changes: Modifying BIOS/UEFI settings such as disabling Secure Boot.
  • Firmware Image Tampering: Updating firmware with a malicious or unauthorized image.
  • Logs or Errors Indicating Firmware Changes: Logs showing unauthorized firmware updates or checksum mismatches.

This data component can be collected through the following measures:

  • BIOS/UEFI Logs: Enable and monitor BIOS/UEFI logs to capture settings changes or firmware updates.
  • Firmware Integrity Monitoring: Use tools or firmware security features to detect changes to firmware components.
  • Endpoint Detection and Response (EDR) Solutions: Many EDR platforms can detect abnormal firmware activity, such as changes to MBR/VBR or unauthorized firmware updates.
  • File System Monitoring: Monitor changes to MBR/VBR-related files using tools like Sysmon or auditd.
    • Windows Example (Sysmon): Monitor Event ID 7 (Raw disk access).
    • Linux Example (auditd): auditctl -w /dev/sda -p wa -k firmware_modification
  • Network Traffic Analysis: Capture firmware updates downloaded over the network, particularly from untrusted sources. Use network monitoring tools like Zeek or Wireshark to analyze firmware-related traffic.
  • Secure Boot Logs: Collect and analyze Secure Boot logs for signs of tampering or unauthorized configurations. Example: Use PowerShell to retrieve Secure Boot settings on Windows: Confirm-SecureBootUEFI
  • Vendor-Specific Firmware Tools: Many hardware vendors provide tools for firmware integrity checks. Examples:
    • Intel Platform Firmware Resilience (PFR).
    • Lenovo UEFI diagnostics.


Detections

Each entry below gives the domain, technique ID and name, followed by what this data component detects.

Enterprise T1495 Firmware Corruption

Monitor for changes made to the firmware for unexpected modifications to settings and/or data. [1] Log attempts to read/write to BIOS and compare against known patching behavior.

Enterprise T1564 Hide Artifacts

Monitor for changes made to firewall rules for unexpected modifications that allow or block specific network traffic, which adversaries may use to hide artifacts associated with their behaviors and evade detection.

.005 Hidden File System

Monitor for changes made to firmware for unexpected modifications to settings and/or data that may use a hidden file system to conceal malicious activity from users and security tools.

ICS T0839 Module Firmware

Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5]

Enterprise T1542 Pre-OS Boot

Monitor for changes made to pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI.

.001 System Firmware

Monitor for changes made to firmware. [1] Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5]

.002 Component Firmware

Monitor for changes that may reveal indicators of malicious firmware, such as embedded strings. Also consider comparing components, including hashes of component firmware and their behavior, against known good images.

.004 ROMMONkit

There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.

.005 TFTP Boot

Monitor for changes to boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. [6] Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.

Enterprise T1014 Rootkit

Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior.

ICS T0851 Rootkit

Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Asset management systems should be consulted to understand known-good firmware versions and configurations.

ICS T0857 System Firmware

Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images. [2] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. [3] [4] [5]
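Several of the detections above (Pre-OS Boot, System Firmware, and the MBR/VBR changes listed under the data component) come down to snapshotting boot records and comparing them with a known-good image. The following is an added example, not code from the ATT&CK page: it hashes the classic 512-byte MBR region by region so that a change in the bootstrap code can be told apart from a routine partition-table edit. The region layout is the standard MBR layout; the sample sector is constructed, not read from a real disk.

```python
"""Snapshot an MBR (first 512-byte sector) by region and diff it against a known-good baseline."""
import hashlib
from typing import Dict, List

# Classic MBR layout: (region name, start offset, end offset exclusive)
MBR_REGIONS = [
    ("bootstrap_code", 0, 440),     # executable boot code; the part a bootkit replaces
    ("disk_signature", 440, 446),   # 4-byte Windows disk signature + 2 reserved bytes
    ("partition_table", 446, 510),  # four 16-byte partition entries
    ("boot_signature", 510, 512),   # must be 0x55 0xAA
]


def mbr_snapshot(sector: bytes) -> Dict[str, str]:
    """Hash each MBR region separately; reject sectors that are not a plausible MBR."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    return {name: hashlib.sha256(sector[s:e]).hexdigest() for name, s, e in MBR_REGIONS}


def compare_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return the names of regions whose hash differs from the known-good baseline."""
    return [name for name, _, _ in MBR_REGIONS if baseline[name] != current[name]]


def build_sample_mbr(bootstrap_fill: int) -> bytes:
    """Constructed sample MBR (not a real disk image): filler boot code and one Linux partition entry."""
    code = bytes([bootstrap_fill]) * 440
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    # bootable flag, CHS start, type 0x83 (Linux), CHS end, LBA start 2048, 1048576 sectors
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x83, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little") + (1048576).to_bytes(4, "little"))
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + disk_sig + table + b"\x55\xAA"


def demo() -> List[str]:
    """Baseline a sample MBR, alter four bytes of its boot code, and report which regions changed."""
    known_good = mbr_snapshot(build_sample_mbr(0x90))   # taken at provisioning time
    tampered = bytearray(build_sample_mbr(0x90))
    tampered[0:4] = b"\xEB\x02\x90\x90"                 # simulated modification of the bootstrap region
    return compare_snapshots(known_good, mbr_snapshot(bytes(tampered)))


if __name__ == "__main__":
    print(demo())  # ['bootstrap_code']
```

On Linux the live sector is the first 512 bytes of the block device (for example, read from /dev/sda as root); store the baseline snapshot off-host so the comparison does not depend on a disk the adversary may have already modified.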
