title: Firmware Corruption (T1495)
id: df00tech-t1495
status: experimental
description: "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. Real-world examples include TrickBot's 'Trickboot' module (2020), which can write or erase UEFI/BIOS firmware of a compromised device, and Bad Rabbit ransomware, which installed a modified bootloader to prevent normal boot-up. Firmware corruption often results in permanent hardware denial-of-availability and may be combined with data destruction for maximum impact."
references:
  - https://attack.mitre.org/techniques/T1495/
  - https://df00tech.com/detections/T1495
author: df00tech
date: 2026/04/13
tags:
  - attack.t1495
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated (see the KQL/SPL query on df00tech).
  # As written, EventID '*' matches every process_creation event, so the rule must be narrowed before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate firmware updates performed by IT or hardware teams using vendor tools (Dell Command Update, HP BIOSConfigUtility, Lenovo Vantage, Intel ME FW Recovery Tool) during approved maintenance windows"
  - "Security research or firmware auditing environments where CHIPSEC or RW-Everything are deployed for authorized vulnerability assessment or UEFI security analysis"
  - "OEM factory imaging or provisioning systems that perform BIOS flashing as part of hardware configuration pipelines, typically under a service account from a management process"
  - "Automated asset management tools that invoke bcdedit to configure boot options during operating system deployment or repair workflows (e.g., WDS, MDT, SCCM OSD)"
level: high
