MITRE ATT&CK Technique
Persistence T1067
Description

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016)

Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

### Master Boot Record

The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)

### Volume Boot Record

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

Supported Platforms
Linux, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:30:54.661Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'A bootkit is a malware variant that modifies the boot sectors '
                'of a hard drive, including the Master Boot Record (MBR) and '
                'Volume Boot Record (VBR). (Citation: MTrends 2016)\n'
                '\n'
                'Adversaries may use bootkits to persist on systems at a layer '
                'below the operating system, which may make it difficult to '
                'perform full remediation unless an organization suspects one '
                'was used and can act accordingly.\n'
                '\n'
                '### Master Boot Record\n'
                'The MBR is the section of disk that is first loaded after '
                'completing hardware initialization by the BIOS. It is the '
                'location of the boot loader. An adversary who has raw access '
                'to the boot drive may overwrite this area, diverting '
                'execution during startup from the normal boot loader to '
                'adversary code. (Citation: Lau 2011)\n'
                '\n'
                '### Volume Boot Record\n'
                'The MBR passes control of the boot process to the VBR. '
                'Similar to the case of MBR, an adversary who has raw access '
                'to the boot drive may overwrite the VBR to divert execution '
                'during startup to adversary code.',
 'external_references': [{'external_id': 'T1067',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1067'},
                         {'description': 'Mandiant. (2016, February). M-Trends '
                                         '2016. Retrieved January 4, 2017.',
                          'source_name': 'MTrends 2016',
                          'url': 'https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf'},
                         {'description': 'Lau, H. (2011, August 8). Are MBR '
                                         'Infections Back in Fashion? '
                                         '(Infographic). Retrieved November '
                                         '13, 2014.',
                          'source_name': 'Lau 2011',
                          'url': 'http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion'}],
 'id': 'attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:19.981Z',
 'name': 'Bootkit',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'Windows'],
 'x_mitre_version': '1.1'}