MITRE ATT&CK T1495: Firmware Corruption

Last reviewed: · Reviewed by the BRIGHTCYTE technical team

MITRE ATT&CK technique T1495, Firmware Corruption, describes adversaries overwriting or corrupting the firmware of system components such as the BIOS, UEFI, or device controllers. The goal may be to render a device inoperable, to disrupt operations, or to interfere with recovery. Because firmware sits below the operating system, corruption can persist through reinstallation and evade software-based checks.

Where It Sits in ATT&CK

T1495 is classified under the Impact tactic, which groups techniques that adversaries use to manipulate, interrupt, or destroy systems and data. Unlike techniques aimed purely at stealth, firmware corruption is often about denying availability or complicating remediation.

Relation to Pre-OS Boot (T1542)

T1495 is closely related to T1542 (Pre-OS Boot), which covers techniques that abuse firmware and the boot process for persistence and defense evasion. Where T1542 emphasizes staying resident below the OS, T1495 emphasizes damaging or overwriting firmware. Both share the same challenging property: they operate at a layer that most security tooling was not designed to observe. See our BIOS/UEFI security page for related concepts.

How Corruption Attacks Work

To modify firmware, an adversary typically needs a path to write to firmware storage, for example by abusing update mechanisms, exploiting insufficient write protections, or leveraging privileged execution such as System Management Mode. Once write access is obtained, firmware can be overwritten with corrupted or malicious code. Publicly documented firmware-wiping tooling, such as the destructive components associated with Shamoon-related activity, illustrates the impact category, though the precise techniques vary by case and should not be generalized.

Detection and Mitigation Guidance

Firmware integrity is best addressed through resiliency principles. NIST SP 800-193 describes protection, detection, and recovery mechanisms for platform firmware, including cryptographic verification and the ability to restore firmware to a known good state. Strong update signing, hardware-based roots of trust, and monitored recovery paths all reduce exposure.

How BRIGHTCYTE Relates

BRIGHTCYTE does not scan or repair firmware and does not verify firmware images. Instead, it analyzes communication behavior with the assumption that a source may be operating below the operating system. If a compromised component communicates covertly, this behavior may indicate a problem and provides an additional signal that complements firmware resiliency measures. It does not by itself always identify the precise corrupted component, and detection is not guaranteed.

Frequently Asked Questions

What is MITRE ATT&CK T1495?
T1495 (Firmware Corruption) is an ATT&CK technique in the Impact tactic that describes adversaries overwriting or corrupting the firmware of system components to render devices inoperable or to disrupt operations.
How does T1495 relate to pre-OS boot techniques?
T1495 focuses on corruption for impact, while T1542 (Pre-OS Boot) covers abusing firmware and the boot process for persistence and defense evasion. Both operate below the operating system, which is why conventional endpoint tools may have limited visibility.
Does BRIGHTCYTE detect firmware corruption directly?
No. BRIGHTCYTE does not scan or repair firmware. It analyzes communication behavior and may indicate that a component is communicating covertly, providing an additional signal that is complementary to firmware integrity approaches such as those described in NIST SP 800-193.

Sources and Further Reading

Related Topics

Back to Home