Field | Value |
---|---|
ID | F0013 |
Objective(s) | Defense Evasion, Persistence |
Related ATT&CK Techniques | Pre-OS Boot: Bootkit (T1542.003) |
Version | 2.2 |
Created | 1 August 2019 |
Last Modified | 28 April 2024 |
The boot sectors of a hard drive are modified (e.g., the Master Boot Record (MBR)). ATT&CK associates bootkits with Persistence. See ATT&CK: Pre-OS Boot: Bootkit (T1542.003).
The MBC also associates the Bootkit behavior with Defense Evasion because the malware may execute before or external to the system's kernel or hypervisor (e.g., through the BIOS), making it more difficult to detect. (As of 2020, ATT&CK also associates the technique with Persistence.)
Name | Date | Method | Description |
---|---|---|---|
Mebromi | 2011 | -- | The malware is an MBR bootkit and a BIOS bootkit targeting Award BIOS. [1] |
TrickBot | 2016 | -- | The malware can implement malicious code into firmware, allowing read, write, and/or erasure of the UEFI/BIOS firmware. [2] |
Tool: CAPE | Mapping | APIs |
---|---|---|
accesses_primary_patition | Bootkit (F0013) | -- |
bootkit | Bootkit (F0013) | NtSetInformationFile, NtClose, DeviceIoControl, NtCreateFile, NtDuplicateObject, NtOpenFile, NtWriteFile, NtDeviceIoControlFile |
direct_hdd_access | Bootkit (F0013) | -- |
enumerates_physical_drives | Bootkit (F0013) | -- |
physical_drive_access | Bootkit (F0013) | -- |
suspicious_ioctl_scsipassthough | Bootkit (F0013) | DeviceIoControl, NtDeviceIoControlFile |
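The CAPE mapping above pairs each signature name with the Windows APIs it watches. The following Python is an added illustration of how those indicators can be derived from a sandbox API trace; it is not CAPE's own signature code, the trace records are constructed, the IOCTL values are the Windows SDK constants for SCSI pass-through, and the "more than one drive opened" enumeration rule is an assumed heuristic.

```python
import re
from collections import defaultdict

# IOCTL_SCSI_PASS_THROUGH and IOCTL_SCSI_PASS_THROUGH_DIRECT (Windows SDK values).
SCSI_PASS_THROUGH_CODES = {0x0004D004, 0x0004D014}
MBR_SIZE = 512  # a write landing inside sector 0 touches the Master Boot Record
# Raw-disk device names as passed to NtCreateFile/NtOpenFile: \??\PhysicalDriveN or \\.\PhysicalDriveN
PHYSICAL_DRIVE = re.compile(r"(?:\\\\\.|\\\?\?)\\PhysicalDrive(\d+)$", re.IGNORECASE)

# Constructed (hypothetical) sandbox API trace, one record per call, in call order.
TRACE = [
    {"api": "NtCreateFile", "args": {"FileName": r"\??\PhysicalDrive0"}, "ret": 0x1C},
    {"api": "NtCreateFile", "args": {"FileName": r"\??\PhysicalDrive1"}, "ret": 0x20},
    {"api": "NtClose", "args": {"Handle": 0x20}},
    {"api": "NtDeviceIoControlFile", "args": {"Handle": 0x1C, "IoControlCode": 0x4D014}},
    {"api": "NtWriteFile", "args": {"Handle": 0x1C, "ByteOffset": 0, "Length": 512}},
    {"api": "NtClose", "args": {"Handle": 0x1C}},
    {"api": "NtCreateFile", "args": {"FileName": r"\??\C:\Users\u\notes.txt"}, "ret": 0x24},
    {"api": "NtWriteFile", "args": {"Handle": 0x24, "ByteOffset": 0, "Length": 10}},
]


def scan_trace(trace):
    """Return {indicator_name: [evidence, ...]} for bootkit-related behaviour in an API trace."""
    hits = defaultdict(list)
    open_drives = {}   # handle -> device name, for handles currently open on a physical drive
    drives_seen = set()
    for call in trace:
        api, args, ret = call["api"], call["args"], call.get("ret")
        if api in ("NtCreateFile", "NtOpenFile"):
            match = PHYSICAL_DRIVE.search(args.get("FileName", ""))
            if match:
                drives_seen.add(int(match.group(1)))
                open_drives[ret] = args["FileName"]
                hits["physical_drive_access"].append(f"{api} {args['FileName']}")
        elif api == "NtClose":
            open_drives.pop(args.get("Handle"), None)
        elif api == "NtWriteFile" and args.get("Handle") in open_drives:
            offset, device = args.get("ByteOffset", 0), open_drives[args["Handle"]]
            hits["direct_hdd_access"].append(f"write of {args['Length']} bytes at offset {offset} to {device}")
            if offset < MBR_SIZE:  # overwriting sector 0 is the classic MBR bootkit install
                hits["bootkit"].append(f"boot sector write to {device}")
        elif api in ("DeviceIoControl", "NtDeviceIoControlFile"):
            if args.get("IoControlCode") in SCSI_PASS_THROUGH_CODES:
                hits["suspicious_ioctl_scsipassthough"].append(f"{api} IOCTL {args['IoControlCode']:#x}")
    if len(drives_seen) > 1:  # assumed heuristic: opening several drives in turn looks like enumeration
        hits["enumerates_physical_drives"].append(f"opened drives {sorted(drives_seen)}")
    return dict(hits)
```

Writes to an ordinary file (the last two trace records) produce no hit, because only handles resolved to a physical drive are tracked.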
[1] https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
[2] https://eclypsium.com/wp-content/uploads/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf