Pre-OS Boot - T1542
(ATT&CK® Technique)
Definition
Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.
D3FEND Inferred Relationships
Artifacts associated with Pre-OS Boot (T1542):
  Pre-OS Boot creates TFTP Network Traffic
  Pre-OS Boot may-modify Boot Loader
  Pre-OS Boot modifies Firmware
  Pre-OS Boot may-modify Boot Sector
  Pre-OS Boot may-modify Volume Boot Record
  Pre-OS Boot modifies System Firmware

Defensive techniques, the artifacts they act on, and the inferred relationship to Pre-OS Boot:
  Network Traffic Community Deviation: analyzes TFTP Network Traffic; may-detect Pre-OS Boot
  Per Host Download-Upload Ratio Analysis: analyzes TFTP Network Traffic; may-detect Pre-OS Boot
  Client-server Payload Profiling: analyzes TFTP Network Traffic; may-detect Pre-OS Boot
  Remote Terminal Session Detection: analyzes TFTP Network Traffic; may-detect Pre-OS Boot
  Network Traffic Signature Analysis: analyzes TFTP Network Traffic; may-detect Pre-OS Boot
  Protocol Metadata Anomaly Detection: analyzes TFTP Network Traffic; may-detect Pre-OS Boot
  User Geolocation Logon Pattern Analysis: analyzes TFTP Network Traffic; may-detect Pre-OS Boot
  Firmware Verification: verifies Firmware, System Firmware; may-detect Pre-OS Boot
  System Firmware Verification: verifies System Firmware; may-detect Pre-OS Boot
  Firmware Embedded Monitoring Code: analyzes System Firmware, Firmware; may-detect Pre-OS Boot
  Firmware Behavior Analysis: analyzes System Firmware, Firmware; may-detect Pre-OS Boot
  Software Update: updates Firmware, Boot Loader, System Firmware; may-harden Pre-OS Boot
  Bootloader Authentication: authenticates Boot Loader; may-harden Pre-OS Boot
  Network Traffic Filtering: filters TFTP Network Traffic; may-isolate Pre-OS Boot
  Restore Software: restores Firmware, System Firmware, Boot Loader; may-restore Pre-OS Boot