TIARAS - T1542: Pre-OS Boot

MITRE ATT&CK Technique

Defense Evasion T1542

Description

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting) Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

Supported Platforms

Linux Network Devices Windows macOS

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2019-11-13T14:44:49.439Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse Pre-OS Boot mechanisms as a way to '
                'establish persistence on a system. During the booting process '
                'of a computer, firmware and various startup services are '
                'loaded before the operating system. These programs control '
                'flow of execution before the operating system takes '
                'control.(Citation: Wikipedia Booting)\n'
                '\n'
                'Adversaries may overwrite data in boot drivers or firmware '
                'such as BIOS (Basic Input/Output System) and The Unified '
                'Extensible Firmware Interface (UEFI) to persist on systems at '
                'a layer below the operating system. This can be particularly '
                'difficult to detect as malware at this level will not be '
                'detected by host software-based defenses.',
 'external_references': [{'external_id': 'T1542',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1542'},
                         {'description': 'Pinola, M. (2014, December 14). 3 '
                                         "tools to check your hard drive's "
                                         "health and make sure it's not "
                                         'already dying on you. Retrieved '
                                         'November 17, 2024.',
                          'source_name': 'ITWorld Hard Disk Health Dec 2014',
                          'url': 'https://www.computerworld.com/article/1484887/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html'},
                         {'description': 'Wikipedia. (n.d.). Booting. '
                                         'Retrieved November 13, 2019.',
                          'source_name': 'Wikipedia Booting',
                          'url': 'https://en.wikipedia.org/wiki/Booting'}],
 'id': 'attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:49:01.466Z',
 'name': 'Pre-OS Boot',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'Network Devices', 'Windows', 'macOS'],
 'x_mitre_version': '1.3'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (1)

APT28
High

Back to TTPs

Dashboard About