Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
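One concrete form of the baseline-configuration control (CM-02) is to compare the image actually present on each device against a known-good record. The script below is an added example, not code from ATT&CK or the mapping project; the device names, version strings and image bytes are constructed, and it assumes dotted numeric version strings. It flags an image whose hash differs from the baseline at the same version (the patched-image case) separately from an image whose version is older than the baseline (the downgrade case).

```python
"""Compare observed network-device images against a known-good baseline (CM-02).

Verdicts map to the two sub-techniques of T1601:
  hash-mismatch : same or newer version, but the image bytes differ (Patch System Image)
  downgrade     : running version older than the baseline release (Downgrade System Image)
"""
import hashlib

# Constructed stand-ins for a monolithic image file; in practice the hash would come
# from the image stored in flash (for example via the vendor's verify/hash command).
GOOD_IMAGE = b"vendor-os-16.9.4:" + bytes(range(256))
PATCHED_IMAGE = GOOD_IMAGE.replace(b"\x41", b"\x42")  # a single byte altered


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(text: str) -> tuple:
    """'16.9.4' -> (16, 9, 4). Assumes dotted numeric release strings."""
    return tuple(int(part) for part in text.split("."))


# Baseline record per device: (expected version, expected SHA-256). Constructed.
BASELINE = {
    "core-rtr-01": ("16.9.4", sha256_hex(GOOD_IMAGE)),
    "edge-rtr-02": ("16.9.4", sha256_hex(GOOD_IMAGE)),
    "dist-sw-03": ("16.9.4", sha256_hex(GOOD_IMAGE)),
}

# What a collector reported from each device: (version, SHA-256 of stored image). Constructed.
OBSERVED = {
    "core-rtr-01": ("16.9.4", sha256_hex(GOOD_IMAGE)),     # clean
    "edge-rtr-02": ("16.9.4", sha256_hex(PATCHED_IMAGE)),  # same version, different bytes
    "dist-sw-03": ("16.3.2", "deadbeef" * 8),              # older release, unknown hash
}


def check_images(baseline: dict, observed: dict) -> dict:
    """Return a verdict per baselined device: ok, hash-mismatch, downgrade or no-observation."""
    findings = {}
    for device, (exp_ver, exp_hash) in baseline.items():
        if device not in observed:
            findings[device] = "no-observation"  # a silent device is itself a finding
            continue
        obs_ver, obs_hash = observed[device]
        if parse_version(obs_ver) < parse_version(exp_ver):
            findings[device] = "downgrade"
        elif obs_hash != exp_hash:
            findings[device] = "hash-mismatch"  # also catches an unapproved newer image
        else:
            findings[device] = "ok"
    return findings


if __name__ == "__main__":
    for device, verdict in check_images(BASELINE, OBSERVED).items():
        print(f"{device}: {verdict}")
```

A hash taken by the device's own software is only as trustworthy as that software; a hardware root of trust or an out-of-band copy of the image gives a stronger check.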
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-02 | Account Management | Protects | T1601 | Modify System Image | |
AC-03 | Access Enforcement | Protects | T1601 | Modify System Image | |
AC-04 | Information Flow Enforcement | Protects | T1601 | Modify System Image | |
AC-05 | Separation of Duties | Protects | T1601 | Modify System Image | |
AC-06 | Least Privilege | Protects | T1601 | Modify System Image | |
CA-08 | Penetration Testing | Protects | T1601 | Modify System Image | |
CM-02 | Baseline Configuration | Protects | T1601 | Modify System Image | |
CM-03 | Configuration Change Control | Protects | T1601 | Modify System Image | |
CM-05 | Access Restrictions for Change | Protects | T1601 | Modify System Image | |
CM-06 | Configuration Settings | Protects | T1601 | Modify System Image | |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1601.001 | Patch System Image | 26 |
T1601.002 | Downgrade System Image | 26 |