"Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system." Adversaries can achieve this by modifying or replacing components before launch, or by updating them later if an update capability is implemented. Detection is very difficult because defenses usually operate at higher levels.
Persistence at a pre-OS level can be gained by modifying the firmware in a resource. System firmware is quite static, and it doesn't usually provide detection capabilities. A firmware-level manipulation can remain unnoticed until later phases of the attack. [1]
ID | Mitigation | Description |
---|---|---|
M1046 | Boot Integrity |
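
Because system firmware is quite static, one defender-side check is to compare a firmware dump against a known-good baseline, block by block, so that any change is localized to a byte range. The following is an added example, not part of the original page; the 4 KiB block size and the sample images are constructed assumptions, and how the dump is obtained is out of scope.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed granularity; pick one that matches your flash layout


def block_digests(image: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """Return the SHA-256 hex digest of each fixed-size block of a firmware image."""
    return [
        hashlib.sha256(image[off:off + block_size]).hexdigest()
        for off in range(0, len(image), block_size)
    ]


def diff_against_baseline(baseline: list[str], image: bytes,
                          block_size: int = BLOCK_SIZE) -> list[tuple[int, int]]:
    """Compare an image with baseline digests; return changed (start, end) byte ranges.

    Adjacent changed blocks are merged. A size change is reported as a range
    covering the blocks that were added or are missing.
    """
    current = block_digests(image, block_size)
    changed = []
    for i in range(max(len(baseline), len(current))):
        old = baseline[i] if i < len(baseline) else None
        new = current[i] if i < len(current) else None
        if old != new:
            changed.append(i)
    ranges: list[tuple[int, int]] = []
    for i in changed:
        start, end = i * block_size, (i + 1) * block_size
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)   # extend the previous range
        else:
            ranges.append((start, end))
    return ranges


# Constructed sample data: a 16 KiB "known-good" image and a copy with
# a few bytes altered in the third and fourth blocks.
GOOD = bytes(range(256)) * 64
TAMPERED = bytearray(GOOD)
TAMPERED[0x2010:0x2014] = b"\xde\xad\xbe\xef"
TAMPERED[0x3000] ^= 0xFF
BASELINE = block_digests(GOOD)

if __name__ == "__main__":
    for start, end in diff_against_baseline(BASELINE, bytes(TAMPERED)):
        print(f"modified region: 0x{start:06x}-0x{end:06x}")
```

The baseline digests must be stored and compared off the monitored host, since a check that runs above compromised firmware cannot be assumed trustworthy.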