Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.[1] Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.

ID: T1495
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, root
Impact Type: Availability
Version: 1.0
Created: 12 April 2019
Last Modified: 14 July 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
S0606 Bad Rabbit

Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[2]

S0266 TrickBot

TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.[3]


ID Mitigation Description
M1046 Boot Integrity

Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification.

M1026 Privileged Account Management

Prevent adversary access to privileged accounts or access necessary to replace system firmware.

M1051 Update Software

Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.


ID Data Source Data Component
DS0001 Firmware Firmware Modification

System firmware manipulation may be detected.[4] Log attempts to read/write to BIOS and compare against known patching behavior.