MITRE ATT&CK Technique
Persistence
T1019
Description
The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI) System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:28.613Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'The BIOS (Basic Input/Output System) and The Unified '
'Extensible Firmware Interface (UEFI) or Extensible Firmware '
'Interface (EFI) are examples of system firmware that operate '
'as the software interface between the operating system and '
'hardware of a computer. (Citation: Wikipedia BIOS) (Citation: '
'Wikipedia UEFI) (Citation: About UEFI)\n'
'\n'
'System firmware like BIOS and (U)EFI underly the '
'functionality of a computer and may be modified by an '
'adversary to perform or assist in malicious activity. '
'Capabilities exist to overwrite the system firmware, which '
'may give sophisticated adversaries a means to install '
'malicious firmware updates as a means of persistence on a '
'system that may be difficult to detect.',
'external_references': [{'external_id': 'T1019',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1019'},
{'external_id': 'CAPEC-532',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/532.html'},
{'description': 'Wikipedia. (n.d.). BIOS. Retrieved '
'January 5, 2016.',
'source_name': 'Wikipedia BIOS',
'url': 'https://en.wikipedia.org/wiki/BIOS'},
{'description': 'Wikipedia. (2017, July 10). Unified '
'Extensible Firmware Interface. '
'Retrieved July 11, 2017.',
'source_name': 'Wikipedia UEFI',
'url': 'https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface'},
{'description': 'UEFI Forum. (n.d.). About UEFI '
'Forum. Retrieved January 5, 2016.',
'source_name': 'About UEFI',
'url': 'http://www.uefi.org/about'},
{'description': 'Upham, K. (2014, March). Going Deep '
'into the BIOS with MITRE Firmware '
'Security Research. Retrieved January '
'5, 2016.',
'source_name': 'MITRE Trustworthy Firmware '
'Measurement',
'url': 'http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research'},
{'description': 'Butterworth, J. (2013, July 30). '
'Copernicus: Question Your '
'Assumptions about BIOS Security. '
'Retrieved December 11, 2015.',
'source_name': 'MITRE Copernicus',
'url': 'http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about'},
{'description': 'Beek, C., Samani, R. (2017, March '
'8). CHIPSEC Support Against Vault 7 '
'Disclosure Scanning. Retrieved March '
'13, 2017.',
'source_name': 'McAfee CHIPSEC Blog',
'url': 'https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/'},
{'description': 'Intel. (2017, March 18). CHIPSEC '
'Platform Security Assessment '
'Framework. Retrieved March 20, 2017.',
'source_name': 'Github CHIPSEC',
'url': 'https://github.com/chipsec/chipsec'},
{'description': 'Intel Security. (2005, July 16). '
"HackingTeam's UEFI Rootkit Details. "
'Retrieved March 20, 2017.',
'source_name': 'Intel HackingTeam UEFI Rootkit',
'url': 'http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html'}],
'id': 'attack-pattern--6856ddd6-2df3-4379-8b87-284603c189c3',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:53.631Z',
'name': 'System Firmware',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Ryan Becwar', 'McAfee'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}