T1601 Modify System Image Mappings

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1601 | Modify System Image | |
| CM-05 | Access Restrictions for Change | mitigates | T1601 | Modify System Image | |
| IA-05 | Authenticator Management | mitigates | T1601 | Modify System Image | |
| SA-10 | Developer Configuration Management | mitigates | T1601 | Modify System Image | |
| IA-07 | Cryptographic Module Authentication | mitigates | T1601 | Modify System Image | |
| RA-09 | Criticality Analysis | mitigates | T1601 | Modify System Image | |
| SR-11 | Component Authenticity | mitigates | T1601 | Modify System Image | |
| SR-04 | Provenance | mitigates | T1601 | Modify System Image | |
| SR-05 | Acquisition Strategies, Tools, and Methods | mitigates | T1601 | Modify System Image | |
| SC-34 | Non-modifiable Executable Programs | mitigates | T1601 | Modify System Image | |
| SI-02 | Flaw Remediation | mitigates | T1601 | Modify System Image | |
| CM-08 | System Component Inventory | mitigates | T1601 | Modify System Image | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1601 | Modify System Image | |
| CM-02 | Baseline Configuration | mitigates | T1601 | Modify System Image | |
| SA-11 | Developer Testing and Evaluation | mitigates | T1601 | Modify System Image | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1601 | Modify System Image | |
| CM-07 | Least Functionality | mitigates | T1601 | Modify System Image | |
| SI-04 | System Monitoring | mitigates | T1601 | Modify System Image | |
| AC-02 | Account Management | mitigates | T1601 | Modify System Image | |
| AC-03 | Access Enforcement | mitigates | T1601 | Modify System Image | |
| AC-04 | Information Flow Enforcement | mitigates | T1601 | Modify System Image | |
| AC-05 | Separation of Duties | mitigates | T1601 | Modify System Image | |
| AC-06 | Least Privilege | mitigates | T1601 | Modify System Image | |
| CM-03 | Configuration Change Control | mitigates | T1601 | Modify System Image | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1601 | Modify System Image | |
| attribute.integrity.variety.Software installation | Software installation or code modification | related-to | T1601 | Modify System Image | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| binary_authorization | Binary Authorization | technique_scores | T1601 | Modify System Image | |
Comments
Each image is digitally signed by a signer using a private key. At deploy time, the enforcer uses the attestor's public key to verify the signature carried in the attestation; an image whose digest or signature does not match the attestation is rejected.
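The signer/enforcer split described in the comment above, together with the image-integrity check the SI-07 mapping points at, written out as an added example in Go. This is not GCP Binary Authorization code or any vendor's image-verification routine; the Attestation struct, the key names, the error values and the sample image bytes are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation is a constructed stand-in for a signed statement about one
// system image: the digest the signer saw and the signer's signature over it.
type Attestation struct {
	ImageDigest []byte // SHA-256 of the image bytes
	Signature   []byte // Ed25519 signature over ImageDigest
}

var (
	ErrDigestMismatch = errors.New("image digest does not match attestation")
	ErrBadSignature   = errors.New("attestation not signed by the trusted attestor")
)

// Attest is the signer side: hash the image and sign the digest with the
// signer's private key. This happens once, at build/release time.
func Attest(priv ed25519.PrivateKey, image []byte) Attestation {
	d := sha256.Sum256(image)
	return Attestation{ImageDigest: d[:], Signature: ed25519.Sign(priv, d[:])}
}

// Enforce is the enforcer side: recompute the digest of the image actually
// being deployed (or booted), require it to match the attested digest, then
// verify the signature with the trusted attestor's public key. An attacker
// who patches the image fails the first check; an attacker who patches the
// image and re-signs it with their own key fails the second.
func Enforce(attestorPub ed25519.PublicKey, image []byte, att Attestation) error {
	d := sha256.Sum256(image)
	if !bytes.Equal(d[:], att.ImageDigest) {
		return ErrDigestMismatch
	}
	if !ed25519.Verify(attestorPub, att.ImageDigest, att.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario runs the three cases a practitioner cares about and returns the
// enforcer's verdict for each: the genuine image with its attestation, a
// patched image presented with the original attestation, and a patched image
// re-attested with an attacker-controlled key.
func Scenario() (genuine, patched, reattested error) {
	attestorPub, attestorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample image; a real one would be the vendor's monolithic OS file.
	image := []byte("vendor-os-image-v1: constructed sample bytes")
	att := Attest(attestorPriv, image)
	genuine = Enforce(attestorPub, image, att)

	// T1601.001-style patch: flip one byte of the stored image.
	tampered := append([]byte(nil), image...)
	tampered[len(tampered)-1] ^= 0x01
	patched = Enforce(attestorPub, tampered, att)

	// Attacker re-attests the patched image with a key the enforcer does not trust.
	reattested = Enforce(attestorPub, tampered, Attest(attackerPriv, tampered))
	return genuine, patched, reattested
}

func main() {
	g, p, r := Scenario()
	fmt.Println("genuine image:     ", g)
	fmt.Println("patched image:     ", p)
	fmt.Println("re-attested image: ", r)
}
```

One caveat this check does not cover: a downgrade (T1601.002) presents an older image that the attestor did sign, so digest and signature both verify. Catching that requires binding the attestation to a version or anti-rollback counter and having the enforcer refuse anything older than the currently approved release.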

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1601.001 | Patch System Image | 27 |
| T1601.002 | Downgrade System Image | 27 |