Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Persistence
  4. >ATTACK-T1542.001
ATTACK-T1542.001Active

System Firmware

Statement

Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)

System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

Location

Tactic
Persistence

Technique Details

Identifier
ATTACK-T1542.001
Parent Technique
ATTACK-T1542
ATT&CK Page
View on MITRE

Tactics

PersistenceDefense Evasion

Platforms

WindowsNetwork Devices

Detection

Detection Strategy for T1542.001 Pre-OS Boot: System Firmware

Mitigations

Boot Integrity: Boot Integrity ensures that a system starts securely by verifying the integrity of its boot process, operating system, and associated components. This mitigation focuses on leveraging secure boot mechanisms, hardware-rooted trust, and runtime integrity checks to prevent tampering during the boot sequence. It is designed to thwart adversaries attempting to modify system firmware, bootloaders, or critical OS components. This mitigation can be implemented through the following measures:

Implementation of Secure Boot:

  • Implementation: Enable UEFI Secure Boot on all systems and configure it to allow only signed bootloaders and operating systems.
  • Use Case: An adversary attempts to replace the system’s bootloader with a malicious version to gain persistence. Secure Boot prevents the untrusted bootloader from executing, halting the attack.

Utilization of TPMs:

  • Implementation: Configure systems to use TPM-based attestation for boot integrity, ensuring that any modification to the firmware, bootloader, or OS is detected.
  • Use Case: A compromised firmware component alters the boot sequence. The TPM detects the change and triggers an alert, allowing the organization to respond before further damage.

Enable Bootloader Passwords:

  • Implementation: Protect BIOS/UEFI settings with a strong password and limit physical access to devices.
  • Use Case: An attacker with physical access attempts to disable Secure Boot or modify the boot sequence. The password prevents unauthorized changes.

Runtime Integrity Monitoring:

  • Implementation: Deploy solutions to verify the integrity of critical files and processes after boot.
  • Use Case: A malware infection modifies kernel modules post-boot. Runtime integrity monitoring detects the modification and prevents the malicious module from loading.

Update Software: Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures:

Regular Operating System Updates

  • Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
  • Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution.

Application Patching

  • Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
  • Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches.

Firmware Updates

  • Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
  • Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic.

Emergency Patch Deployment

  • Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
  • Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities.

Centralized Patch Management

  • Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
  • Use Case: Streamlines patching processes and ensures no critical systems are missed.

Tools for Implementation

Patch Management Tools:

  • WSUS: Manage and deploy Microsoft updates across the organization.
  • ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
  • Ansible: Automate updates across multiple platforms, including Linux and Windows.

Vulnerability Scanning Tools:

  • OpenVAS: Open-source vulnerability scanning to identify missing patches.

Privileged Account Management: Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

  • sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
SP 800-53
SP800-53-AC-2relatedvia ctid-attack-to-sp800-53
SP800-53-AC-3relatedvia ctid-attack-to-sp800-53
SP800-53-AC-5relatedvia ctid-attack-to-sp800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
SP800-53-CA-8relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Persistence
Persistence80 controls
ATTACK-T1037Boot or Logon Initialization ScriptsATTACK-T1037.001Logon Script (Windows)ATTACK-T1037.002Login HookATTACK-T1037.003Network Logon ScriptATTACK-T1037.004RC ScriptsATTACK-T1037.005Startup ItemsATTACK-T1098Account ManipulationATTACK-T1098.001Additional Cloud CredentialsATTACK-T1098.002Additional Email Delegate PermissionsATTACK-T1098.003Additional Cloud RolesATTACK-T1098.004SSH Authorized KeysATTACK-T1098.005Device RegistrationATTACK-T1098.006Additional Container Cluster RolesATTACK-T1098.007Additional Local or Domain GroupsATTACK-T1133External Remote ServicesATTACK-T1136Create AccountATTACK-T1136.001Local AccountATTACK-T1136.002Domain AccountATTACK-T1136.003Cloud AccountATTACK-T1137Office Application StartupATTACK-T1137.001Office Template MacrosATTACK-T1137.002Office TestATTACK-T1137.003Outlook FormsATTACK-T1137.004Outlook Home PageATTACK-T1137.005Outlook RulesATTACK-T1137.006Add-insATTACK-T1176Software ExtensionsATTACK-T1176.001Browser ExtensionsATTACK-T1176.002IDE ExtensionsATTACK-T1505Server Software ComponentATTACK-T1505.001SQL Stored ProceduresATTACK-T1505.002Transport AgentATTACK-T1505.003Web ShellATTACK-T1505.004IIS ComponentsATTACK-T1505.005Terminal Services DLLATTACK-T1505.006vSphere Installation BundlesATTACK-T1525Implant Internal ImageATTACK-T1542.001System FirmwareATTACK-T1542.002Component FirmwareATTACK-T1542.003BootkitATTACK-T1543Create or Modify System ProcessATTACK-T1543.001Launch AgentATTACK-T1543.002Systemd ServiceATTACK-T1543.003Windows ServiceATTACK-T1543.004Launch DaemonATTACK-T1543.005Container ServiceATTACK-T1546.017Udev RulesATTACK-T1546.018Python Startup HooksATTACK-T1547Boot or Logon Autostart ExecutionATTACK-T1547.001Registry Run Keys / Startup FolderATTACK-T1547.002Authentication PackageATTACK-T1547.003Time ProvidersATTACK-T1547.004Winlogon Helper DLLATTACK-T1547.005Security Support ProviderATTACK-T1547.006Kernel Modules and ExtensionsATTACK-T1547.007Re-opened ApplicationsATTACK-T1547.008LSASS DriverATTACK-T1547.009Shortcut ModificationATTACK-T1547.010Port MonitorsATTACK-T1547.012Print ProcessorsATTACK-T1547.013XDG Autostart EntriesATTACK-T1547.014Active SetupATTACK-T1547.015Login ItemsATTACK-T1554Compromise Host Software BinaryATTACK-T1574Hijack Execution FlowATTACK-T1574.001DLLATTACK-T1574.004Dylib HijackingATTACK-T1574.005Executable Installer File Permissions WeaknessATTACK-T1574.006Dynamic Linker HijackingATTACK-T1574.007Path Interception by PATH Environment VariableATTACK-T1574.008Path Interception by Search Order HijackingATTACK-T1574.009Path Interception by Unquoted PathATTACK-T1574.010Services File Permissions WeaknessATTACK-T1574.011Services Registry Permissions WeaknessATTACK-T1574.012COR_PROFILERATTACK-T1574.013KernelCallbackTableATTACK-T1574.014AppDomainManagerATTACK-T1653Power SettingsATTACK-T1668Exclusive ControlATTACK-T1671Cloud Application Integration