# T1542 Pre-OS Boot

-----------------------------------------------------------------------

## Technique Description

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses.

## Technique Detection

Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.

Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation.(Citation: ITWorld Hard Disk Health Dec 2014)

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Persistence

### Platforms:

  * Linux

  * Windows

  * Network

  * macOS

### Defenses Bypassed:

  * Anti-virus

  * Host intrusion prevention systems

  * File monitoring

### Data Sources:

  * **Command:** Command Execution

  * **Network Traffic:** Network Connection Creation

  * **Firmware:** Firmware Modification

  * **Driver:** Driver Metadata

  * **Drive:** Drive Modification

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1542)

  * [Itworld Hard Disk Health Dec 2014](https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html), Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018.

  * [Wikipedia Booting](https://en.wikipedia.org/wiki/Booting), Wikipedia. (n.d.). Booting. Retrieved November 13, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | | |
| APT29 | | |
| Turla | | |

## Detection Blindspots

- Sensor Placement

## Analytical References

* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
* https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.
- Take snapshots of boot records and firmware and compare against known good images.
- Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.
- Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation.
- See T1014 - Rootkit for more info on LoJax rootkit detections.
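The Technique Detection section and the Hunter Notes above both call for snapshotting boot records and comparing them against a known-good image. The following is an added example, not code from the MITRE page or from the notebook authors: it parses a 512-byte MBR, hashes the bootstrap code region separately from the partition table (so a legitimate repartition is not confused with a bootkit-style patch of the boot code), and reports drift against a baseline. The `build_mbr` helper and the sample images are constructed for illustration; on a live host the 512 bytes would come from the raw disk device instead.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code, before the 4-byte disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code hash, disk signature and partitions."""
    if len(mbr) != MBR_SIZE or mbr[510:] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        e = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        parts.append((e[0] == 0x80, e[4], lba_start, sectors))  # (bootable, type, start, length)
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "partitions": parts,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("bootstrap code differs from known-good image")  # high priority: bootkit pattern
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    for i, (c, b) in enumerate(zip(cur["partitions"], base["partitions"])):
        if c != b:
            findings.append(f"partition entry {i} changed (may be legitimate repartitioning)")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Construct a synthetic MBR for testing (hypothetical helper, not a real disk image)."""
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    buf[440:444] = struct.pack("<I", disk_sig)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        buf[off] = 0x80 if bootable else 0x00
        buf[off + 4] = ptype
        buf[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    buf[510:] = MBR_SIGNATURE
    return bytes(buf)


# Constructed sample: a known-good snapshot, and a later capture with one bootstrap byte patched at offset 10.
BASELINE = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 50, 0xDEADBEEF, [(True, 0x07, 2048, 204800)])
TAMPERED = BASELINE[:10] + b"\xe9" + BASELINE[11:]
```

Store the `parse_mbr` output of a freshly imaged host as the baseline and re-run the comparison on a schedule; a boot-code finding with no corresponding patch or reimage is what to escalate.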

#### Analytic 1

  * **Information:** 'ssdt'

  * **Source:** 'Disk Forensics'

  * **Tool:** 'Volatility'

  * **Notes:** 'ssdt – display hooked functions within the System Service Descriptor Table (ssdt) – Windows kernel hooking'

  * **Query:** ```vol.py -f <path of memory image> ssdt | egrep -v '(ntoskrnl|win32k)'```

#### Analytic 2

  * **Information:** 'psxview'

  * **Source:** 'Disk Forensics'

  * **Tool:** 'Volatility'

  * **Notes:** 'psxview – performs cross-view analysis using seven different process listing plugins to visually identify hidden processes'

  * **Query:** ```vol.py -f <path of memory image> psxview```

#### Analytic 3

  * **Information:** 'modscan'

  * **Source:** 'Disk Forensics'

  * **Tool:** 'Volatility'

  * **Notes:** 'modscan – scans the memory for any instances of pool tags associated with memory pages containing drivers (also referred to as modules). Scans memory image to find loaded, unloaded, unlinked kernel modules (modscan plugin)'

  * **Query:** ```vol.py -f <path of the memory image> modscan```

#### Analytic 4

  * **Information:** 'apihooks'

  * **Source:** 'Disk Forensics'

  * **Tool:** 'Volatility'

  * **Notes:** 'apihooks – detect inline and Import Address Table (IAT) function hooks used by rootkits to modify and control the information returned.'

  * **Query:** ```vol.py -f <path of the memory image> apihooks```

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------
