title: Pre-OS Boot (T1542)
id: df00tech-t1542
status: experimental
description: "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control the flow of execution before the operating system takes control. Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect, as malware at this level will not be detected by host software-based defenses. Sub-techniques include System Firmware modification (T1542.001), Component Firmware attacks targeting disk or network card firmware (T1542.002), Bootkit installation targeting the Master Boot Record or Volume Boot Record (T1542.003), ROMMONkit for Cisco network device persistence (T1542.004), and TFTP Boot abuse for network device re-imaging (T1542.005). Pre-OS implants are especially dangerous because they survive operating system reinstallation, are invisible to host-based security tools that load after the OS, and can persist through drive replacement if stored in device firmware rather than on the disk itself."
references:
  - https://attack.mitre.org/techniques/T1542/
  - https://df00tech.com/detections/T1542
author: df00tech
date: 2026/04/20
tags:
  - attack.t1542
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated. The selection below is a wildcard
  # placeholder that matches every process_creation event; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "OEM firmware update utilities shipped with laptops (Dell Command Update, HP BIOS Update, Lenovo System Update) that run scheduled BIOS/UEFI updates; these are typically launched by svchost.exe or a vendor service parent"
  - "Dual-boot system configuration tools that modify BCD entries (EasyBCD, rEFInd installer, Ubuntu grub-install during OS installation)"
  - "Enterprise endpoint management during OS deployment: DISM, setup.exe, and MDT/SCCM task sequences legitimately write to EFI and Boot paths"
  - "Security researchers and IT administrators running CHIPSEC or RWEverything for hardware auditing or vulnerability assessment with explicit authorization"
  - "Backup software (Acronis True Image, Macrium Reflect) that accesses raw disk handles for sector-level backup of the MBR and system partition"
level: critical
