Defense Impairment

T1601: Modify System Image


T1601 · Technique · 1 platform

Description

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.

Platforms

Network Devices

Sub-Techniques (2)

Mitigations (6)

Multi-factor Authentication (M1032)

Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)

Password Policies (M1027)

Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)

Credential Access Protection (M1043)

Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management)

Code Signing (M1045)

Many vendors provide digitally signed operating system images to validate the integrity of the software used on their platform. Make use of this feature where possible in order to prevent and/or detect attempts by adversaries to compromise the system image. (Citation: Cisco IOS Software Integrity Assurance - Deploy Signed IOS)

Boot Integrity (M1046)

Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot)
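The description above notes that an image can be altered either in storage (taking effect on the next boot) or live in memory, and the Code Signing and Boot Integrity mitigations both come down to comparing what the device holds against a vendor-attested reference. The following is an added example written for this page; it is not code from MITRE, Cisco, or any vendor's integrity-assurance tooling. It assumes a constructed manifest of known-good SHA-256 digests (standing in for the digests a vendor publishes with its signed images), a constructed image file with a hypothetical name, and that the auditor can obtain both the stored image and a dump of the running copy as bytes. It reports the two cases separately, since a tampered stored image and an intact stored image with a diverging in-memory copy call for different responses.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample image and manifest (hypothetical filename; not a real
# vendor artifact). In practice the manifest holds the vendor-published digests.
KNOWN_GOOD_IMAGE: bytes = b"EXAMPLE-NETOS-IMAGE-v1.2.3\x00" + bytes(range(256)) * 4
KNOWN_GOOD_MANIFEST: Dict[str, str] = {
    "example-netos-v1.2.3.bin": hashlib.sha256(KNOWN_GOOD_IMAGE).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image blob."""
    return hashlib.sha256(data).hexdigest()


def check_image(name: str, image: bytes, manifest: Dict[str, str]) -> str:
    """Classify one image copy as 'ok', 'modified', or 'unknown-image'.

    'unknown-image' means the filename has no manifest entry at all, so the
    copy cannot be attested either way; treat it as a finding, not as clean.
    """
    expected = manifest.get(name)
    if expected is None:
        return "unknown-image"
    # Constant-time comparison of the hex digests.
    if hmac.compare_digest(sha256_hex(image), expected):
        return "ok"
    return "modified"


def audit_device(name: str, stored_image: bytes, running_image: bytes,
                 manifest: Dict[str, str]) -> List[str]:
    """Compare the on-disk image and the in-memory copy against the manifest.

    Returns a list of findings; an empty list means both copies match the
    known-good digest. The two divergence patterns map onto the description:
    a modified stored image persists across reboots, while a modified running
    copy over an intact stored image indicates a live, in-memory change.
    """
    findings: List[str] = []
    stored = check_image(name, stored_image, manifest)
    running = check_image(name, running_image, manifest)
    if stored != "ok":
        findings.append(f"stored image: {stored}")
    if running != "ok":
        findings.append(f"running image: {running}")
    if stored == "ok" and running == "modified":
        findings.append("in-memory modification: running copy diverges from intact stored image")
    if stored == "modified" and sha256_hex(running_image) == sha256_hex(stored_image):
        findings.append("persistent modification: tampered stored image is what booted")
    return findings


def sample_tampered_image() -> bytes:
    """Constructed tampered copy: one byte of the known-good image flipped."""
    patched = bytearray(KNOWN_GOOD_IMAGE)
    patched[40] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    name = "example-netos-v1.2.3.bin"
    bad = sample_tampered_image()
    print("clean      :", audit_device(name, KNOWN_GOOD_IMAGE, KNOWN_GOOD_IMAGE, KNOWN_GOOD_MANIFEST))
    print("live patch :", audit_device(name, KNOWN_GOOD_IMAGE, bad, KNOWN_GOOD_MANIFEST))
    print("persistent :", audit_device(name, bad, bad, KNOWN_GOOD_MANIFEST))
    print("unlisted   :", audit_device("other.bin", KNOWN_GOOD_IMAGE, KNOWN_GOOD_IMAGE, KNOWN_GOOD_MANIFEST))
```

A digest manifest only works when the reference digests themselves come over a trusted channel; the signed-image and secure-boot features in the two mitigations above close that gap by having the device verify a vendor signature rather than trusting a list an administrator copied in.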

Privileged Account Management (M1026)

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

Associated Software (1)

| ID | Name | Type | Context |
|---|---|---|---|
| S9013 | DRYHOOK | Malware | [DRYHOOK](https://attack.mitre.org/software/S9013) has modified the Ivanti Connect Secure VPN authentication Perl module `DSAuth.pm` by reading its co... |

Frequently Asked Questions

What is T1601 (Modify System Image)?

T1601 is a MITRE ATT&CK technique named 'Modify System Image'. It belongs to the Defense Impairment tactic. Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

How can T1601 be detected?

Detection of T1601 (Modify System Image) typically involves monitoring system logs, network traffic, and endpoint telemetry. Because the technique targets the single monolithic image of a network device, either in storage or live in memory, detection centers on verifying the integrity of that image against a vendor-attested reference, which is what the Code Signing and Boot Integrity mitigations provide. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1601?

There are 6 documented mitigations for T1601. Key mitigations include: Multi-factor Authentication, Password Policies, Credential Access Protection, Code Signing, Boot Integrity.

Which threat groups use T1601?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.