T1601 Modify System Image

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

PR.IR-01.05 | Remote access protection | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.

PR.AA-05.02 | Privileged system access | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement protects against Modify System Image through the use of privileged account management and multi-factor authentication.

DE.CM-09.01 | Software and data integrity checking | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement protects against Modify System Image by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.

DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement addresses measures for managing configuration integrity and unauthorized changes, which can mitigate risks from adversary techniques that attempt to change how hardware, software, and firmware operate.

PR.AA-05.01 | Access privilege limitation | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Permissions for creating and modifying platform images or containers should likewise be limited according to the principle of least privilege.

PR.PS-01.03 | Configuration deviation | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement provides protection from Modify System Image through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement protects against Modify System Image through key management and key revocation. Protecting and managing the key material used to manage and sign images, restricting it to specific accounts, and enforcing access control mechanisms provide protection against adversaries attempting to modify or patch system images.

PR.AA-03.01 | Authentication requirements | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.

EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement provides for the implementation of procedures for managing third-party products, such as vendor-provided digitally signed operating system images, to validate the integrity of the software used on the platform.

PR.AA-01.01 | Identity and credential management | Mitigates | T1601 | Modify System Image
Comments: This diagnostic statement protects against Modify System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CM-06 | Configuration Settings | mitigates | T1601 | Modify System Image
CM-05 | Access Restrictions for Change | mitigates | T1601 | Modify System Image
IA-05 | Authenticator Management | mitigates | T1601 | Modify System Image
SA-10 | Developer Configuration Management | mitigates | T1601 | Modify System Image
IA-07 | Cryptographic Module Authentication | mitigates | T1601 | Modify System Image
RA-09 | Criticality Analysis | mitigates | T1601 | Modify System Image
SR-11 | Component Authenticity | mitigates | T1601 | Modify System Image
SR-04 | Provenance | mitigates | T1601 | Modify System Image
SR-05 | Acquisition Strategies, Tools, and Methods | mitigates | T1601 | Modify System Image
SC-34 | Non-modifiable Executable Programs | mitigates | T1601 | Modify System Image
SI-02 | Flaw Remediation | mitigates | T1601 | Modify System Image
CM-08 | System Component Inventory | mitigates | T1601 | Modify System Image
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1601 | Modify System Image
CM-02 | Baseline Configuration | mitigates | T1601 | Modify System Image
SA-11 | Developer Testing and Evaluation | mitigates | T1601 | Modify System Image
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1601 | Modify System Image
CM-07 | Least Functionality | mitigates | T1601 | Modify System Image
SI-04 | System Monitoring | mitigates | T1601 | Modify System Image
AC-02 | Account Management | mitigates | T1601 | Modify System Image
AC-03 | Access Enforcement | mitigates | T1601 | Modify System Image
AC-04 | Information Flow Enforcement | mitigates | T1601 | Modify System Image
AC-05 | Separation of Duties | mitigates | T1601 | Modify System Image
AC-06 | Least Privilege | mitigates | T1601 | Modify System Image
CM-03 | Configuration Change Control | mitigates | T1601 | Modify System Image

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1601 | Modify System Image
attribute.integrity.variety.Software installation | Software installation or code modification | related-to | T1601 | Modify System Image

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
binary_authorization | Binary Authorization | technique_scores | T1601 | Modify System Image
Comments: A signer digitally signs each image using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1601.001 | Patch System Image | 35
T1601.002 | Downgrade System Image | 35