Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0278: Detection Strategy for T1542 Pre-OS Boot

DET0278 is a detection-strategy object for ATT&CK technique T1542, Pre-OS Boot. The business significance is that this behavior sits below the operating sy...

EnterpriseDET0278Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0278 is a detection-strategy object for ATT&CK technique T1542, Pre-OS Boot. The business significance is that this behavior sits below the operating system: if adversaries alter boot drivers or firmware such as BIOS or UEFI, normal endpoint controls may have limited visibility until after the compromised boot chain has already executed. For leaders, the key question is not whether a single EDR alert exists, but whether the organization can validate boot integrity, investigate suspected firmware or boot persistence, and recover trusted systems across Windows, Linux, macOS, and network device environments where applicable.

Executive priority

Treat this as a resilience and assurance issue, not only a SOC alerting problem. Pre-OS Boot persistence can affect confidence in endpoint recovery, incident scoping, asset trust, and audit evidence for secure configuration and change control. Executives should ask which critical systems have measured or verified boot controls, who owns firmware and boot configuration governance, and whether incident response plans include procedures for rebuilding or replacing systems when trust in firmware or boot components is in question.

Technical view

The supplied ATT&CK object provides no official detection text and no platforms on the detection-strategy object itself; the relationship maps it to T1542 Pre-OS Boot, whose related platforms are Linux, macOS, Network Devices, and Windows, and whose tactics are persistence and stealth. SOC, detection engineering, and IR teams should validate visibility around boot-chain integrity, firmware or BIOS/UEFI configuration changes, boot driver changes, secure boot state, and asset baselines. Because this behavior occurs before the operating system fully loads, endpoint-only telemetry may be insufficient; coverage should be tested against local hardware, firmware management, OS, and network device evidence sources.

Likely telemetry

  • Firmware, BIOS, or UEFI configuration and version inventory
  • Secure Boot or measured boot status where available
  • Bootloader and boot driver file integrity or configuration records
  • Endpoint asset inventory tied to firmware and hardware identifiers
  • Operating system event logs related to boot configuration or boot integrity where available

Detection direction

  • Map DET0278 coverage to T1542 rather than assuming the detection-strategy object contains complete analytic logic; the official detection field is not provided.
  • Validate whether telemetry is collected before, during, and after boot, and identify where endpoint agents only begin observing after the relevant activity may have occurred.
  • Tune for unauthorized or unexpected changes to firmware versions, boot configuration, boot drivers, secure boot state, or network device startup firmware/configuration, using approved maintenance windows as a major false-positive reducer.
  • Compare current boot and firmware state against known-good baselines for high-value systems; absence of a baseline is a material blind spot.
  • Correlate suspected boot-level changes with persistence and stealth investigation workflows, because the related ATT&CK technique is explicitly associated with those tactics.

Mitigation priorities

  • Prioritize inventory: identify systems and network devices where firmware, boot configuration, and secure boot or equivalent state can be measured and reported.
  • Establish trusted baselines for critical assets, including firmware versions, boot configuration, and approved startup components.
  • Strengthen change control for BIOS/UEFI, bootloader, boot driver, and network device firmware changes, with evidence retained for audit and incident review.
  • Include boot and firmware integrity checks in incident response playbooks for persistence investigations, especially when normal OS-level remediation does not restore confidence.
  • Define recovery decision points for when reimaging is insufficient and hardware, firmware reflash, or vendor-assisted remediation may be required.
Analyst notes and limits

This take is based on the official DET0278 metadata and its relationship to T1542 Pre-OS Boot. The detection-strategy object has no official description, no official detection text, and no directly specified platforms or tactics. Decision value therefore comes from the relationship context: T1542 concerns adversary abuse of pre-operating-system boot mechanisms for persistence and stealth, including boot drivers or BIOS/UEFI firmware.

The supplied ATT&CK fields do not provide analytic logic, data components, mitigations, procedures, adversary use, or detection efficacy. Local validation is required to determine actual telemetry availability, control coverage, false-positive behavior, and incident response feasibility. No active exploitation, attribution, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection Strategy for T1542 Pre-OS Boot

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1542 Pre-OS Boot This object detects Pre-OS Boot.
Relationship explorer

All related ATT&CK context

detects · Technique T1542: Pre-OS Boot Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d3c2b55011515d5a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d3c2b5501151…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0278
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use