discord

Pre-OS Boot

Pre-OS Boot [T1542]

Information

Introduction

Pre-OS Boot techniques, as classified under MITRE ATT&CK (T1542), involve adversaries executing malicious code or modifying system components before the operating system fully boots. Such methods allow attackers to maintain persistence, evade detection, and establish deep-rooted control over compromised systems. These techniques primarily target firmware, bootloaders, and other pre-operating system components to ensure malicious code execution at the earliest stages of system startup.

Deep Dive Into Technique

Pre-OS Boot attacks exploit vulnerabilities or weaknesses in the system boot process, firmware, or hardware initialization routines. Attackers typically leverage the following methods:

  • Firmware Modification:

    • Manipulating BIOS or UEFI firmware to embed malicious code.

    • Utilizing firmware rootkits to persistently infect systems, surviving OS reinstallations or disk replacements.

  • Bootloader Manipulation:

    • Altering bootloader code (e.g., GRUB, Windows Boot Manager) to execute malicious payloads before the OS loads.

    • Injecting code into boot sectors or EFI partitions.

  • Hardware-Level Attacks:

    • Exploiting vulnerabilities in hardware components (chipsets, TPM, storage controllers) to execute malicious instructions pre-boot.

    • Using compromised hardware or firmware implants to subvert system security.

  • Secure Boot Bypass:

    • Exploiting vulnerabilities or misconfigurations to bypass secure boot mechanisms, enabling unauthorized code execution at boot time.

    • Employing stolen or compromised signing keys to sign malicious bootloaders or firmware.

Real-world procedures typically involve:

  • Gaining initial system access through phishing, supply chain compromise, or physical access.

  • Escalating privileges to modify firmware or bootloader components.

  • Installing persistent implants or rootkits to ensure stealth and longevity.

When this Technique is Usually Used

Attackers commonly employ Pre-OS Boot techniques in the following scenarios and stages of an attack:

  • Persistence Stage:

    • To maintain long-term, stealthy persistence that survives OS reinstallation, system updates, and security software scans.

  • Privilege Escalation:

    • To escalate privileges by controlling system boot processes and firmware-level operations, enabling attackers to bypass OS-level security controls.

  • Defense Evasion:

    • To evade detection by security solutions that typically operate at OS-level, as pre-OS boot code executes before security tools are active.

  • Supply Chain Attacks:

    • Embedding malicious firmware or bootloader modifications during hardware manufacturing or software distribution processes.

  • Advanced Persistent Threat (APT) Operations:

    • Leveraging pre-OS malware to maintain persistent access in high-value targets, including government agencies, critical infrastructure, and large enterprises.

  • Physical Access Scenarios:

    • Exploiting systems where an attacker has temporary physical access, enabling direct firmware manipulation or bootloader tampering.

How this Technique is Usually Detected

Detection of Pre-OS Boot compromises typically requires specialized methods, tools, and indicators of compromise (IoCs):

  • Firmware Integrity Checks:

    • Regularly verifying firmware integrity through cryptographic hashes, secure boot procedures, and firmware attestation tools.

  • Bootloader Monitoring:

    • Analyzing bootloader configurations, boot sectors, EFI partitions, and monitoring for unauthorized modifications or anomalies.

  • Hardware Security Modules (HSM) and TPMs:

    • Utilizing Trusted Platform Modules (TPMs) or hardware security modules to detect deviations from expected boot measurements and firmware states.

  • UEFI Scanning Tools:

    • Employing specialized tools such as CHIPSEC, UEFITool, or ESET UEFI Scanner to detect malicious firmware implants or unauthorized code injections.

  • Behavioral Indicators:

    • Unexpected system crashes or boot failures.

    • Unusual boot times or delays.

    • Unrecognized firmware version numbers or unexpected firmware updates.

  • Specific Indicators of Compromise (IoCs):

    • Unknown or unsigned firmware images.

    • Suspicious EFI binaries or bootloader files.

    • Unusual firmware or bootloader configurations detected in logs.

Why it is Important to Detect This Technique

Detecting Pre-OS Boot techniques is critical due to their severe impact on systems and networks:

  • High-Level Persistence:

    • Malicious firmware implants or bootloader modifications persist across OS reinstallation, disk replacement, and routine security updates, making remediation challenging.

  • Stealth and Evasion:

    • Pre-OS malware executes before OS-level security controls are active, significantly reducing detection chances and allowing attackers prolonged undetected presence.

  • Privilege Escalation and Control:

    • Attackers gain comprehensive control over system initialization, enabling high-level privilege escalation and potential system compromise at the deepest hardware and firmware levels.

  • Integrity and Availability Risks:

    • Malicious pre-OS code can compromise system integrity, causing instability, data corruption, or denial-of-service conditions.

  • Supply Chain Risks:

    • Pre-OS attacks embedded during manufacturing or distribution can affect large-scale deployments, impacting numerous systems simultaneously.

Early detection and mitigation of Pre-OS Boot compromises are essential to prevent long-term damage, reduce remediation costs, and maintain system integrity and trustworthiness.

Examples

Real-world examples of Pre-OS Boot attacks include:

  • LoJax UEFI Rootkit (APT28):

    • Attack Scenario: Russian-linked threat actor APT28 compromised UEFI firmware to install LoJax, establishing persistent access on targeted systems.

    • Tools Used: LoJax malware, firmware flashing tools, compromised legitimate utilities.

    • Impact: Persistent, stealthy infection surviving OS reinstallations, enabling long-term espionage operations.

  • MosaicRegressor UEFI Malware (APT41):

    • Attack Scenario: Chinese-linked APT41 utilized MosaicRegressor, a malicious UEFI implant, to target diplomatic entities.

    • Tools Used: MosaicRegressor malware, firmware exploitation, and modification tools.

    • Impact: Persistent espionage campaigns with deep system-level access, difficult to detect and remediate.

  • TrickBoot Module (TrickBot Malware):

    • Attack Scenario: TrickBot operators developed TrickBoot to inspect UEFI firmware vulnerabilities, potentially enabling firmware-level persistence.

    • Tools Used: TrickBot malware framework, TrickBoot module.

    • Impact: Potential for firmware-level persistence, significantly complicating remediation and detection efforts.

  • Sednit Group (APT28) Secure Boot Bypass:

    • Attack Scenario: Exploiting vulnerabilities in Secure Boot implementations to load unsigned malicious bootloaders.

    • Tools Used: Custom bootloader modifications, exploitation of Secure Boot vulnerabilities.

    • Impact: Complete bypass of fundamental security controls, enabling persistent, stealthy malware execution.

These examples illustrate the severity and persistence potential of Pre-OS Boot attacks, highlighting the necessity for robust detection and mitigation strategies.

Last updated

Was this helpful?