title: System Firmware (T1542.001)
id: df00tech-t1542-001
status: experimental
description: "Adversaries may modify system firmware (legacy BIOS or UEFI) to gain persistence that survives OS reinstallation and disk replacement. Because firmware runs before the operating system loads, an implant planted there is very hard to detect or remove from within the OS. Writing to SPI flash requires ring-0 access, which attackers usually obtain through a vulnerable or attacker-supplied kernel-mode driver, and the write only succeeds where the platform's flash write protections are absent or misconfigured. Real-world examples include LoJax (APT28/Fancy Bear), which repurposed the legitimate LoJack anti-theft agent's UEFI module and wrote it to flash through the RWEverything driver (RwDrv.sys); Trojan.Mebromi, which patched the Award BIOS; and the Hacking Team UEFI rootkit. The flash write itself is rarely logged, so detection focuses on observable pre-conditions and side-effects: execution of firmware analysis and flashing utilities, loading of privileged hardware-access drivers, suspicious UEFI variable modification, and creation of raw firmware image files on disk."
references:
  - https://attack.mitre.org/techniques/T1542/001/
  - https://df00tech.com/detections/T1542.001
author: df00tech
date: 2026/04/20
tags:
  - attack.t1542.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Only the process_creation part of the logic is expressed here, derived from the
  # description above (a wildcard EventID would match every process start at level
  # critical). The driver-load, file-creation and UEFI-variable conditions need
  # separate logsources and are kept in the KQL/SPL query on df00tech.
  selection_rwe:
    Image|endswith: '\Rw.exe'
  selection_chipsec:
    CommandLine|contains:
      - 'chipsec_main'
      - 'chipsec_util'
  condition: 1 of selection_*
falsepositives:
  - "Legitimate BIOS updates applied by OEM vendor software (HP System Software Manager, Dell Command Update, Lenovo System Update); these write .cap or .fd files and load vendor-signed flash drivers"
  - Security researchers or IT administrators running chipsec or RWEverything for firmware integrity auditing, typically from known IT or security accounts on designated hosts
  - Hardware diagnostics tools bundled with workstation imaging suites that load low-level I/O drivers during provisioning
  - "Firmware update components within enterprise software management agents (SCCM, BigFix) that temporarily install driver packages"
  - Virtualization platforms and hypervisors loading signed hardware-access drivers for device passthrough or UEFI emulation
level: critical
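As an added example, not part of the rule above and not df00tech's published query, the Python below evaluates the pre-conditions the description names (firmware tool execution, hardware-access driver load, raw firmware image creation) over constructed Sysmon-style events and correlates them per host, downgrading hits from a designated audit host and account as the falsepositives section suggests. The indicator lists, the Sigma/Sysmon field names, the allow-list entry and every sample event are assumptions for illustration, not telemetry from any real incident.

```python
"""Added example: per-host correlation of T1542.001 pre-conditions over
constructed Sysmon-style events. Field names follow Sysmon/Sigma conventions
(Image, CommandLine, ImageLoaded, TargetFilename, Computer, User)."""
from collections import defaultdict

# Assumed indicator lists: the tools named on the page (RWEverything, chipsec)
# and their kernel drivers; extend with the flashing utilities in your estate.
FIRMWARE_TOOL_IMAGES = ("\\rw.exe",)
FIRMWARE_TOOL_CMDLINE = ("chipsec_main", "chipsec_util")
HW_ACCESS_DRIVERS = ("\\rwdrv.sys", "\\chipsec_hlpr.sys")
# Assumed extensions for raw firmware images written to disk (.cap/.fd from the
# page, .rom as a common raw-dump name).
FIRMWARE_IMAGE_EXT = (".cap", ".fd", ".rom")
# Assumed (host, account) pairs allowed to run firmware audits.
AUDIT_ALLOWLIST = {("audit-ws01", "corp\\fw-audit")}


def match_event(ev):
    """Return the set of rule conditions one event satisfies (empty if none)."""
    hits = set()
    cat = ev.get("category")
    if cat == "process_creation":
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith(FIRMWARE_TOOL_IMAGES) or any(t in cmd for t in FIRMWARE_TOOL_CMDLINE):
            hits.add("firmware_tool_exec")
    elif cat == "driver_load":
        if ev.get("ImageLoaded", "").lower().endswith(HW_ACCESS_DRIVERS):
            hits.add("hw_access_driver")
    elif cat == "file_event":
        if ev.get("TargetFilename", "").lower().endswith(FIRMWARE_IMAGE_EXT):
            hits.add("firmware_image_file")
    return hits


def score_host(events):
    """Correlate matched conditions per host -> {host: (level, [conditions])}.

    A driver load plus any second condition is critical; a single tool or
    driver observation is high; a lone firmware image file is medium; hits
    from an allow-listed audit host/account are informational.
    """
    by_host = defaultdict(set)
    allowlisted = set()
    for ev in events:
        hits = match_event(ev)
        if not hits:
            continue
        host = ev.get("Computer", "").lower()
        by_host[host] |= hits
        if (host, ev.get("User", "").lower()) in AUDIT_ALLOWLIST:
            allowlisted.add(host)
    result = {}
    for host, conds in by_host.items():
        if host in allowlisted:
            level = "informational"
        elif "hw_access_driver" in conds and len(conds) >= 2:
            level = "critical"
        elif "hw_access_driver" in conds or "firmware_tool_exec" in conds:
            level = "high"
        else:
            level = "medium"
        result[host] = (level, sorted(conds))
    return result


# Constructed sample events (not real telemetry): one workstation showing the
# full LoJax-style chain, one designated audit host running chipsec, one benign.
SAMPLE_EVENTS = [
    {"category": "process_creation", "Computer": "FIN-LT07", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Rw.exe", "CommandLine": "Rw.exe"},
    {"category": "driver_load", "Computer": "FIN-LT07",
     "ImageLoaded": "C:\\Windows\\Temp\\RwDrv.sys"},
    {"category": "file_event", "Computer": "FIN-LT07",
     "TargetFilename": "C:\\Windows\\Temp\\bios_dump.rom"},
    {"category": "process_creation", "Computer": "AUDIT-WS01", "User": "CORP\\fw-audit",
     "Image": "C:\\Python311\\python.exe",
     "CommandLine": "python chipsec_main.py -m common.bios_wp"},
    {"category": "driver_load", "Computer": "AUDIT-WS01",
     "ImageLoaded": "C:\\chipsec\\chipsec_hlpr.sys"},
    {"category": "process_creation", "Computer": "HR-PC22", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for host, (level, conds) in sorted(score_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {level} {conds}")
```

The correlation step is the part the Sigma rule cannot express on its own: a lone chipsec run on an audit host is noise, while the same tool plus RwDrv.sys plus a fresh .rom dump on a finance laptop is the LoJax pre-condition set and should page someone.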
