Applied Cybernetics Group
T1601 — Modify System Image
coverage gap
- Technique
T1601- Tactics
- Defense Impairment
- MISP citations
- 0
- KEV CVEs mapped
- 1
- Community rules
- 0
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1601
MITRE description
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file. To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
No detection coverage exists for this technique — no SigmaHQ community rule carries its tag and thrunt has not authored one yet. Techniques on this list are exactly where hand-authoring effort goes next; see the rollup for the full queue.