T1601: Modify System Image
| View on MITRE ATT&CK | T1601 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.
To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Mitigations for this technique
MITRE ATT&CK Mitigations
Credential Access Protection
Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.
Boot Integrity
Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.
Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Password Policies
Set and enforce secure password policies for accounts.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
How to detect this technique
MITRE ATT&CK Data Components
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.