title: Component Firmware (T1542.002)
id: df00tech-t1542-002
status: experimental
description: "Adversaries may modify component firmware to persist on systems. Some adversaries employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware (T1542.001) but conducted upon other system components such as hard drives, network interface cards, and other peripheral devices that may not have the same level of integrity checking. Malicious component firmware provides persistent access that survives disk reimaging, OS reinstallation, and most host-based defenses. Notable examples include the Equation Group's capability to overwrite hard drive firmware across multiple manufacturers (Seagate, Western Digital, Toshiba) and Cyclops Blink's persistent firmware patching of WatchGuard network devices."
references:
  - https://attack.mitre.org/techniques/T1542/002/
  - https://df00tech.com/detections/T1542.002
author: df00tech
date: 2026/04/21
tags:
  - attack.t1542.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: a wildcard EventID matches every process_creation event, so this rule
  # must not be deployed at level critical until the selection below is replaced with real logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate firmware updates from hardware vendors pushed via enterprise management tools such as Dell Command Update, HP Client Management Script Library, or Lenovo System Update Service"
  - "IT administrators using hdparm or smartctl for read-only disk health diagnostics (hdparm -I, smartctl -a); distinguish read versus write operations via command arguments"
  - "Network administrators using ethtool for NIC diagnostics and authorized firmware updates on managed switches or HBAs during approved maintenance windows"
  - "Automated OEM diagnostic agents that enumerate raw device paths for hardware inventory, health checks, or pre-boot environment reporting"
level: critical
