- Tactics
- stealth , Persistence
- Platforms
- Windows, Linux, macOS
- Reference
- attack.mitre.org/techniques/T1542.002
Description
Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.
Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the stealth, Persistence tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1070 — Indicator Removal
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1127 — Trusted Developer Utilities Proxy Execution