ID | F0013 |
Objective(s) | Defense Evasion, Persistence |
Related ATT&CK Techniques | Pre-OS Boot: Bootkit (T1542.003) |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
The boot sectors of a hard drive (e.g., the Master Boot Record (MBR)) are modified. ATT&CK associates bootkits with Persistence. See ATT&CK: Pre-OS Boot: Bootkit (T1067).
The MBC also associates the Bootkit behavior with Defense Evasion because the malware may execute before or external to the system's kernel or hypervisor (e.g., through the BIOS), making it more difficult to detect. (As of 2020, ATT&CK also associates the technique with Persistence.)
Name | Date | Method | Description |
---|---|---|---|
Mebromi | 2011 | -- | An MBR bootkit and a BIOS bootkit targeting Award BIOS. [1] |
TrickBot | 2016 | -- | Can insert malicious code into firmware, allowing reading, writing, and/or erasure of the UEFI/BIOS firmware. [2] |
[1] https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
[2] https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf